Security Incidents mailing list archives

Re: Why is my router doing this?


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Wed, 27 Sep 2000 09:44:08 -0700

"Howard, Aaron" wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I am concerned because I've noticed lately some traffic being blocked
> by an OUTBOUND filter on my border router.
>
> (FTR, my router's real IP address has been changed.  Source port and
> destination address/ports remain untouched.)
>
> Serial0/1 is my second serial interface (inside).  Serial0/0 is my
> external serial interface on which this outbound filter is running.
>
> Something is trying to send packets out Serial0/0 with its source
> address but originating from Serial0/1 (input interface) -- i.e.,
> inside my network.  Really scares me.
>
> Weird thing is, all the destination IPs are non-routed (reserved)
> IP addresses.  I don't get it at all.
>
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
> denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
> denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.69.162(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.126.168(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
> denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)

I have come to generally associate anomalous traffic from the LINKLOCAL
block (169.254.0.0/16) with a wonderful new feature of, IIRC, Win2k.
If Win2k has an unconfigured logical interface, it picks a number on
that block and starts to make noise. Err... it's something like that
anyway. But it's really annoying and was a real pain to track down the
first time I saw it (someone put Win2k on a notebook and I always had
the source just about tracked down when the machine would leave the net
and seemingly disappear).

> Has anyone seen anything like this before?  What could be going on
> to make my router want to send out packets like this?

That said, I don't see how it would be generating packets like the
ones you seem to be seeing. Is your router doing NAT? Is it reporting
itself as the source because packets are being dropped after
translation?
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com
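As an added example (not part of the thread and not code from either poster), here is a small Python triage script for the kind of outbound-ACL deny lines quoted above. It parses lines of the shape shown in the message, classifies each destination as link-local (the 169.254.0.0/16 block Crist mentions), RFC 1918 private, or public, and counts the hints both posters discuss: udp/137 (NetBIOS name service) toward auto-configured addresses, and a source address equal to the router's own IP on an inside ingress interface, which is the NAT-translation symptom raised in the reply. The log format regex is inferred from the quoted lines only, and the sample lines are constructed for the example; the router IP 12.34.56.78 is the placeholder the original poster used.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the same shape as the excerpt quoted in the thread
# (12.34.56.78 is the poster's placeholder for the router's real address).
SAMPLE_LOG = """\
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 8.8.8.8(137)
"""

# Pattern inferred from the quoted lines: "denied <proto> <src>(<sport>)
# (<ingress iface> *<encap>*) -> <dst>(<dport>)".  Assumed, not a vendor spec.
LINE_RE = re.compile(
    r"denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+"
    r"\((?P<iface>[^\s)]+)[^)]*\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Destination ranges a border router should never be forwarding toward.
NON_ROUTABLE = {
    "link-local (APIPA)": ipaddress.ip_network("169.254.0.0/16"),
    "RFC1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
}


def classify(dst):
    """Label a destination address by the reserved block it falls in."""
    addr = ipaddress.ip_address(dst)
    for label, net in NON_ROUTABLE.items():
        if addr in net:
            return label
    return "public"


def parse_line(line):
    """Parse one deny line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["dst_class"] = classify(rec["dst"])
    return rec


def summarize(log_text, router_ip):
    """Aggregate deny records the way an analyst would when asking
    'which inside host is really generating this?'."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_class = Counter(r["dst_class"] for r in recs)
    # udp/137 toward link-local or private space is the classic footprint of
    # a Windows host talking to an auto-configured (169.254.x.x) neighbour.
    netbios_ns = [r for r in recs if r["proto"] == "udp" and r["dport"] == 137]
    # Source == the router's own address, yet seen on an inside ingress
    # interface: the NAT hint from the reply.  If the packet was translated
    # before the outbound ACL logged it, the originating host is hidden, so
    # the next step is to log on the inside interface (pre-translation).
    from_router = [r for r in recs if r["src"] == router_ip]
    return {
        "total": len(recs),
        "by_class": dict(by_class),
        "netbios_ns_count": len(netbios_ns),
        "from_router_ip": len(from_router),
        "ingress_ifaces": sorted({r["iface"] for r in recs}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "12.34.56.78").items():
        print(f"{key}: {value}")
```

The useful output is the split between destination classes and the count of records whose source is the router itself: if every inside-originated deny carries the router's address, the log is being taken after translation and an equivalent ACL (or a log-only entry) on the inside interface is what will name the actual host.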
