Re: netbios scanning coming from IANA's internal class B...?

["Homer Simpson" <sansstuff () hotmail com>]

Hi.

That network is, ideed, reserved address space.  You will find that 
Microsoft machines that are booting up and looking for their DHCP server 
(but unable to find it) will be given an IP address on this network.  This 
behaviour is exhibited in Win98, but not in Win95 or NT (and I doubt it 
happens in Win2K).

I would suggest that your IDS machine is picking up stray or errant DHCP 
broadcast requests from some of your internal Win-Do'hs machines.




> From: "Jon Zobrist" <kgb () ussr com>
> To: <INCIDENTS () SECURITYFOCUS COM>
> Subject: netbios scanning coming from IANA's internal class B...?
> Date: Fri, 22 Jun 2001 14:58:51 -0600
>
> I constantly recieve netbios scans from what appears to be IANA's internal
> class B...
> The scans aren't far apart and are from completely different addresses.
> Scanning them even while they're scanning me reveals no ICMP response, and
> no ports open (1-65535 scanned) which makes me think they're behind a
> firewall.
> Traceroutes die at my gateway....
> The IPs are all in 169.254.x.x
> Anyone have any insight into the weirdness of their network.. it's almost
> like it's a private non routable, but 2 things contradict that. First is,
> that it isn't (I think), second is that I've been scanned so many times.
> In fact, just now I was probed.
>
>
> -Jon

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com