Security Incidents mailing list archives

Re: Why is my router doing this?


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Wed, 27 Sep 2000 13:07:16 -0400

Where is your DNS server for your inside addresses?
This looks like some of your internal machines have tried to get DHCP assigned
addresses for themselves (most likely recent Windows machines 98SE/ME/2000).
Since they didn't get a DHCP response, they assigned themselves one in the
169.254.x.x class B range (as per RFC). They then requested DNS (or WINS)
entries. Your DNS server is sending the reply back to the source IP address
(which is in the 169.254 range) and your router is sending that to the Internet
router which is giving you those log entries. The 192.168.x.x entry could be the
same but it would be a manually assigned IP by the user/some special software.

"Howard, Aaron" <ahoward () NOERRORS COM> on 09/26/2000 05:26:39 PM

Please respond to ahoward () NOERRORS COM

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: Why is my router doing this?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am concerned because I've noticed lately some traffic being blocked
by an OUTBOUND filter on my border router.

(FTR, my router's real IP address has been changed.  Source port and
destination address/ports remain untouched.)

Serial0/1 is my second serial interface (inside).  Serial0/0 is my
external serial interface on which this outbound filter is running.

Something is trying to send packets out Serial0/0 with its source
address but originating from Serial0/1 (input interface) -- i.e.,
inside my network.  Really scares me.

Weird thing is, all the destination IPs are non-routed (reserved)
IP addresses.  I don't get it at all.

denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.69.162(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.126.168(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)

Has anyone seen anything like this before?  What could be going on
to make my router want to send out packets like this?

Any help is appreciated...

- --
Aaron P. Howard
CCNA, CNE, MCSE, RHCE
ahoward () noerrors com
0A1B EDB8 911E B1F3 FFF4 67CD 367B 6A03 470E 00FC

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOdEQxDZ7agNHDgD8EQKJSQCeMsNbKoR/8KhR7oHb8Su2L4/B1p4AoMM/
kDFSU98T/V3tQQExw1pu2EDq
=W134
-----END PGP SIGNATURE-----
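The pattern Bill describes (a name server's UDP 53 or 137 replies addressed to self-assigned 169.254.x.x or private 192.168.x.x hosts, then leaking towards the outside interface) can be checked mechanically against the router's deny log. The following Python script is an added example, not code from either poster; it assumes the log lines have exactly the shape quoted in the original message (`denied udp src(port) (iface) -> dst(port)`), embeds a few constructed sample lines, and flags every egress entry whose destination is link-local or RFC 1918, labelling those that match the DNS/NetBIOS reply pattern from the thread. It goes slightly beyond the thread by also covering the 10/8 and 172.16/12 ranges, so it doubles as a general "non-routable destination on the outbound filter" check.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: three lines modelled on those quoted in the thread,
# plus one line to a TEST-NET address that must NOT be flagged.
SAMPLE_LOG = """\
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 169.254.84.155(137)
denied udp 12.34.56.78(137) (Serial0/1 *HDLC*) -> 169.254.138.18(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 192.168.1.1(137)
denied udp 12.34.56.78(53) (Serial0/1 *HDLC*) -> 203.0.113.5(137)
"""

# Assumed log shape (from the message): action proto src(sport) (iface) -> dst(dport)
LINE_RE = re.compile(
    r"^(?P<action>denied|permitted)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+\((?P<iface>[^)]*)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)

# Destination ranges that should never be the target of traffic leaving the border.
NON_ROUTABLE = {
    "APIPA link-local (169.254/16)": ipaddress.ip_network("169.254.0.0/16"),
    "RFC 1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
}

# A reply from one of these services carries the service port as *source* port.
REPLY_SOURCE_PORTS = {53: "DNS", 137: "NetBIOS/WINS name service"}
NETBIOS_NS_PORT = 137


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_destination(addr):
    """Name of the non-routable range containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for label, net in NON_ROUTABLE.items():
        if ip in net:
            return label
    return None


def analyse(log_text):
    """Flag every entry bound for a non-routable destination and guess the cause."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_destination(rec["dst"])
        if label is None:
            continue  # ordinary routable destination, not the problem in the thread
        service = REPLY_SOURCE_PORTS.get(rec["sport"])
        if service and rec["dport"] == NETBIOS_NS_PORT:
            # Matches Bill's explanation: a name-service reply to a host that
            # queried from UDP 137 while holding a self-assigned/private address.
            cause = f"{service} reply to a UDP-137 name query from an internal host"
        else:
            cause = "egress to a non-routable destination (check the source host)"
        findings.append({
            "line": line.strip(),
            "client": rec["dst"],            # the internal host to go and look at
            "destination_range": label,
            "likely_cause": cause,
        })
    return findings


def hosts_to_check(findings):
    """Count findings per internal client address so the noisiest hosts surface first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['client']:16} {f['destination_range']:32} {f['likely_cause']}")
    print(hosts_to_check(analyse(SAMPLE_LOG)))
```

Running it over the real log would give, per offending 169.254 or 192.168 address, the host that needs a working DHCP lease (or a corrected static address) rather than anything to hunt for on the router itself.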