Date:      Thu, 2 Aug 2001 23:48:39 +0200 (CEST)
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        Vlad <tmd@tmd.df.ru>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: weird packets.. anyone?
Message-ID:  <Pine.BSF.4.21.0108022309030.444-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20010802164110.A64693@tmd.df.ru>

On Thu, 2 Aug 2001, Vlad wrote:

> I've got this today in my logs:
> 
> Aug  2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328  IN 
> Aug  2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len 
> 20 96 
> 
> and connection to 138.
> 
> each of connection was followed by the following entries in the log:
> 
> Aug  2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53
<snip>
I had almost the same signature today. Weird packets attempted to leave
the internal network having a spoofed IP source address but were dropped by
the firewall, so no DNS-related traffic was triggered. Anyhow my logs
show:

first series of
0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 
(looks like BOOTP) 

then
169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
alternating, then a long series of
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
(please note same subnet numbers as in the letter above!)

once immediately after BOOTP-like packets I got:
169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
(multicast ?!)

First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 -
13:29, second series at 13:31, third at 13:35. 

That looks like a DDOS attempt but I don't like two things:
1 - too few packets to 169.254.255.255
2 - I don't know what could have triggered it since no traffic is allowed
inside the network (stateful firewalling). 

169.254.0.0 is assigned to IANA according to ARIN WHOIS. 
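As an added example (not part of the thread), a small Python parser that pulls the flow fields out of ipmon lines like the ones quoted above and tallies them by what the well-known ports and addresses mean: 0.0.0.0,68 -> 255.255.255.255,67 is a BOOTP/DHCP client broadcast, 169.254.0.0/16 is the IPv4 link-local (auto-configuration) range, UDP 137/138 are NetBIOS name and datagram service, and ICMP type 10 to 224.0.0.2 is a router solicitation to the all-routers multicast group. The sample log is constructed from the entries in this thread.

```python
import re
import ipaddress

# Constructed sample, modelled on the ipmon entries quoted in the thread.
SAMPLE_LOG = """\
Aug  2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328  IN
Aug  2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len 20 96
Aug  2 13:31:02 tmd ipmon[35772]: 13:31:01.000000 ed0 @0:5 b 169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
Aug  2 13:31:03 tmd ipmon[35772]: 13:31:02.000000 ed0 @0:5 b 169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
"""

# "<N>x" is ipmon's repeat counter; iface/rule/action prefix is optional so
# bare "src -> dst PR proto ..." fragments (as pasted in the mail) also parse.
FLOW_RE = re.compile(
    r"(?:(?:(?P<count>\d+)x )?(?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?: icmp (?P<itype>\d+)/(?P<icode>\d+))?"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 auto-config range

def parse_flow(line):
    """Return the flow fields of one ipmon line as a dict, or None if no flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    for k in ("count", "sport", "dport", "hlen", "plen", "itype", "icode"):
        f[k] = int(f[k]) if f[k] is not None else None
    f["count"] = f["count"] or 1  # no "Nx" prefix means a single packet
    return f

def classify(f):
    """Label a parsed flow by the protocol semantics of its ports/addresses."""
    src = ipaddress.ip_address(f["src"])
    if f["proto"] == "udp" and (f["sport"], f["dport"]) == (68, 67) and f["src"] == "0.0.0.0":
        return "bootp-dhcp-client-broadcast"      # client with no address yet
    if f["proto"] == "icmp" and f["itype"] == 10 and f["dst"] == "224.0.0.2":
        return "icmp-router-solicitation"         # type 10 to all-routers group
    if f["proto"] == "udp" and src in LINK_LOCAL and f["dport"] in (137, 138):
        svc = "name" if f["dport"] == 137 else "datagram"
        return "netbios-%s-from-link-local" % svc  # host fell back to 169.254/16
    return "other"

def summarize(log_text):
    """Packet counts per label over a whole log, honouring the Nx repeat counter."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is not None:
            label = classify(f)
            counts[label] = counts.get(label, 0) + f["count"]
    return counts
```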