Snort mailing list archives

Re: Strange portscan traffic with dest of 169.254.x.x


From: Aaron Giuoco <agiuoco () yahoo com>
Date: Mon, 25 Feb 2008 14:13:51 -0800 (PST)

True.  But it is unusual to see so much traffic from 169.254 leaving a computer that already has a network connection.

I haven't been able to confirm whether the packets are related to ActiveSync like Paul mentioned. Thanks for the replies. I'll try to confirm whether ActiveSync is being used on these PCs and post back.

AG

----- Original Message ----
From: CunningPike <cunningpike () gmail com>
To: snort-users () lists sourceforge net
Sent: Monday, February 25, 2008 3:33:02 PM
Subject: Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x

Directly from RFC3330:

"169.254.0.0/16 - This is the "link local" block.  It is allocated for
    communication between hosts on a single link.  Hosts obtain these
    addresses by auto-configuration, such as when a DHCP server may not
    be found."

Why would a netblock that's not part of your internal network NOT get 
routed to your external firewall/router? Whether your router actually 
passes that traffic is another matter.

CP

Aaron Giuoco wrote:
For the past couple of days, I have been seeing some very strange portscan traffic coming from internal addresses and 
going to the internet.  The Snort box I have been getting these alerts on is sitting just behind our Internet 
firewall.  I have attached a screenshot of the alert.

It's odd for a couple reasons. First, why is 169.254 traffic even getting routed to our external firewall? This is probably something I need to discuss with our network admin. That just seems weird to me. Second, if I am reading the alert correctly, it looks like the computer is scanning itself for NetBIOS and SMB ports. I was just wondering if anyone else has seen anything like this.

AG



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
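
Added example (not part of the original thread and not Snort project code): a Python triage script for the situation discussed above, which groups alerts touching the RFC 3330 link-local block by source host and counts those where source and destination are the same address. The alert lines are constructed samples in Snort's "fast" alert layout, and the function name triage_link_local is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3330 "link local" block

# Snort "fast" alert layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

# Constructed sample lines (assumption: not taken from the thread's screenshot).
SAMPLE_ALERTS = """\
02/25-09:10:01.120000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO255} 169.254.10.20 -> 169.254.10.20
02/25-09:10:07.450000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO255} 169.254.10.20 -> 169.254.77.3
02/25-09:11:30.000000  [**] [1:1000001:1] LOCAL example rule [**] [Priority: 2] {TCP} 192.168.1.15:49152 -> 198.51.100.7:80
not an alert line
"""

def triage_link_local(text):
    """Return {src: {"total", "self_targeted", "dsts"}} for alerts touching 169.254/16."""
    report = defaultdict(lambda: {"total": 0, "self_targeted": 0, "dsts": set()})
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or malformed lines instead of failing
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # an octet was out of range
        if src not in LINK_LOCAL and dst not in LINK_LOCAL:
            continue  # alert does not involve the link-local block
        entry = report[str(src)]
        entry["total"] += 1
        entry["dsts"].add(str(dst))
        if src == dst:
            entry["self_targeted"] += 1  # host appears to be "scanning itself"
    return dict(report)

if __name__ == "__main__":
    for src, info in triage_link_local(SAMPLE_ALERTS).items():
        print(src, info["total"], info["self_targeted"], sorted(info["dsts"]))
```

The per-source counts give a short list of hosts to check for a secondary interface or sync software holding an auto-configured address.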
