From owner-freebsd-security Thu Aug 2 16: 4:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from purgatory.unfix.org (purgatory.xs4all.nl [194.109.237.229]) by hub.freebsd.org (Postfix) with ESMTP id 1581137B401 for ; Thu, 2 Aug 2001 16:04:50 -0700 (PDT) (envelope-from jeroen@unfix.org)
Received: from HELL (hell.unfix.org [::ffff:10.100.13.66]) by purgatory.unfix.org (Postfix) with ESMTP id 482F93158; Fri, 3 Aug 2001 01:04:46 +0200 (CEST)
From: "Jeroen Massar"
To: "'Krzysztof Zaraska'" , "'Vlad'"
Cc:
Subject: RE: weird packets.. anyone?
Date: Fri, 3 Aug 2001 01:04:05 +0200
Organization: Unfix
Message-ID: <003c01c11ba7$6de9ece0$420d640a@HELL>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Krzysztof Zaraska wrote:
> On Thu, 2 Aug 2001, Vlad wrote:
>
> > I've got this today in my logs:
> > first series of
> > 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
> > (looks like BOOTP)
> >
> > then
> > 169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
> > 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
> > alternating, then a long series of
> > 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
> > (please note same subnet numbers as in the letter above!)
> >
> > once immediately after BOOTP-like packets I got:
> > 169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
> > (multicast ?!)
> >
> > First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 -
> > 13:29, second series at 13:31, third at 13:35.
> >
> > That looks like a DDOS attempt but I don't like two things:
> > 1 - too few packets to 169.254.255.255
> > 2 - I don't know what could have triggered it since no traffic is allowed
> > inside the network (stateful firewalling).
>
> 169.254.0.0 is assigned to IANA according to ARIN WHOIS.

And it is also used by Windows 9x and 2k when they can't get an IP from a DHCP server (that's your BOOTP-alike thingy). And the tries to broadcast, together with ports 138/137, indicate samba....

There you go, at least... With a 99% probability factor

Greets,
 Jeroen
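The diagnosis in the reply (a DHCP-less Windows host falling back to a 169.254/16 address and then broadcasting NetBIOS and soliciting routers) can be written down as detection logic over log lines of the shape Vlad posted. The block below is an added example, not code from the thread, from FreeBSD or from ipfilter. It assumes the ipmon convention that `len 20 328` means a 20-byte IP header and a 328-byte total length; the sample lines are constructed to match the quoted ones (the last one is filler for the "other" case), and the rule names (`dhcp-discover`, `apipa-netbios-ns-broadcast`, `dhcp-less-host`, and so on) are invented here.

```python
"""Classify ipmon-style firewall log lines like those quoted in the thread.

Added example. SAMPLE_LOG is constructed to match the shape of Vlad's lines;
it is not a real capture. Rule and verdict names are invented for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
192.0.2.7,40000 -> 192.0.2.1,22 PR tcp len 20 60
"""

# src[,sport] -> dst[,dport] PR <proto> len <iphdr> <total> [icmp <type>/<code>]
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<iphdr>\d+)\s+(?P<total>\d+)"
    r"(?:\s+icmp\s+(?P<itype>\d+)/(?P<icode>\d+))?$"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # auto-configured (APIPA) hosts
ALL_ROUTERS = ipaddress.ip_address("224.0.0.2")      # target of ICMP router solicitation
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    iphdr: int
    total: int
    icmp_type: Optional[int]
    icmp_code: Optional[int]

    @property
    def udp_payload(self) -> Optional[int]:
        """UDP payload: total length minus IP header minus the 8-byte UDP header."""
        return self.total - self.iphdr - 8 if self.proto == "udp" else None


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()

    def opt(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return Packet(ipaddress.ip_address(g["src"]), ipaddress.ip_address(g["dst"]),
                  g["proto"], opt("sport"), opt("dport"), int(g["iphdr"]),
                  int(g["total"]), opt("itype"), opt("icode"))


def classify(p: Packet) -> str:
    # A client with no lease yet: source 0.0.0.0:68, limited broadcast to port 67.
    # With a 20-byte IP header the 328-byte total is the classic 300-byte BOOTP payload.
    if (p.proto == "udp" and p.src == UNSPECIFIED and p.sport == 68
            and p.dst == LIMITED_BCAST and p.dport == 67):
        return "dhcp-discover"
    if p.src in LINK_LOCAL:
        if p.proto == "udp" and p.dst == LINK_LOCAL.broadcast_address:
            if p.dport == 137:
                return "apipa-netbios-ns-broadcast"   # name registration / query
            if p.dport == 138:
                return "apipa-netbios-dgm-broadcast"  # browser announcements
        if p.proto == "icmp" and p.icmp_type == 10 and p.dst == ALL_ROUTERS:
            return "apipa-router-solicitation"        # ICMP type 10 (RFC 1256)
        return "apipa-other"
    return "other"


def diagnose(log: str) -> dict:
    """Which link-local hosts appear, and does the pattern look like one
    DHCP-less host (broadcasts and router solicitation only) or something else?"""
    pkts = [p for p in map(parse_line, log.splitlines()) if p]
    counts: dict = {}
    hosts = set()
    for p in pkts:
        c = classify(p)
        counts[c] = counts.get(c, 0) + 1
        if c.startswith("apipa-"):
            hosts.add(str(p.src))
    expected = {"apipa-netbios-ns-broadcast", "apipa-netbios-dgm-broadcast",
                "apipa-router-solicitation"}
    apipa_seen = {c for c in counts if c.startswith("apipa-")}
    if hosts and apipa_seen <= expected:
        verdict = "dhcp-less-host"    # autoconfigured host looking for peers and routers
    elif hosts:
        verdict = "apipa-unexpected"  # a 169.254 source doing something else: look closer
    else:
        verdict = "no-apipa"
    return {"apipa_hosts": hosts, "counts": counts, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{classify(parse_line(line)):30s} {line}")
    print(diagnose(SAMPLE_LOG))
```

The size arithmetic is the cheap sanity check a practitioner should run before calling something an attack: 328 - 20 - 8 = 300 bytes is exactly the fixed-size BOOTP request, and 78 - 20 - 8 = 50 bytes is the size of a NetBIOS name-service query (12-byte header, 34-byte encoded name, 4 bytes of type and class). A flood would not reproduce those sizes or stay on a single 169.254.x.x source; a verdict of `apipa-unexpected` (for example a 169.254 source talking unicast to other ports) is the case worth looking at more closely.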