Date: Fri, 3 Aug 2001 01:04:05 +0200
From: "Jeroen Massar" <jeroen@unfix.org>
To: "'Krzysztof Zaraska'" <kzaraska@student.uci.agh.edu.pl>, "'Vlad'" <tmd@tmd.df.ru>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: RE: weird packets.. anyone?
Message-ID: <003c01c11ba7$6de9ece0$420d640a@HELL>
In-Reply-To: <Pine.BSF.4.21.0108022309030.444-100000@lhotse.zaraska.dhs.org>
Krzysztof Zaraska wrote:
> On Thu, 2 Aug 2001, Vlad wrote:
>
> > I've got this today in my logs:
> <SNIP>
> > first series of
> > 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
> > (looks like BOOTP)
> >
> > then
> > 169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
> > 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
> > alternating, then a long series of
> > 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
> > (please note same subnet numbers as in the letter above!)
> >
> > once immediately after BOOTP-like packets I got:
> > 169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
> > (multicast ?!)
> >
> > First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 -
> > 13:29, second series at 13:31, third at 13:35.
> >
> > That looks like a DDOS attempt but I don't like two things:
> > 1 - too few packets to 169.254.255.255
> > 2 - I don't know what could have triggered it since no traffic is allowed
> > inside the network (stateful firewalling).
>
> 169.254.0.0 is assigned to IANA according to ARIN WHOIS.

And is also used by Windows 9x and 2k when they can't get an IP from a DHCP server (that's your BOOTP-alike thingy). And the try to broadcast, together with ports 138/137, indicates samba.... There you go, at least... With a 99% probability factor <grin>

Greets,
 Jeroen
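The classification Jeroen does by eye (0.0.0.0:68 -> 255.255.255.255:67 is a DHCP/BOOTP discover from an unconfigured client, a 169.254.x.x source is a Windows APIPA/link-local address, ports 137/138 are NetBIOS name and datagram service, and ICMP type 10 to 224.0.0.2 is a router solicitation to the all-routers group) can be turned into a small triage script so the same pattern is recognised mechanically next time it shows up. The following is an added example, not code from the thread or from any FreeBSD tool; the line format is assumed to be the ipmon-style "src[,sport] -> dst[,dport] PR proto len hlen tlen [icmp type/code]" seen in the quoted lines, and the sample lines at the bottom are constructed copies of those lines.

```python
"""Triage of firewall log lines like the ones quoted in the thread.

Added example (not from the original post).  Assumption: lines follow the
ipmon-style format "src[,sport] -> dst[,dport] PR proto len hlen tlen
[icmp type/code]".  Sample lines are constructed to match the quoted ones.
"""
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\w+)"
    r"\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"          # IP header length, total length
    r"(?:\s+icmp\s+(?P<itype>\d+)/(?P<icode>\d+))?$"   # only present on icmp lines
)

# 169.254.0.0/16: link-local, self-assigned by Windows (APIPA) when no DHCP answer arrives.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

DESCRIPTIONS = {
    "dhcp-discover": "unconfigured client (0.0.0.0:68) broadcasting for a DHCP/BOOTP server",
    "apipa-netbios-ns": "link-local (APIPA) host broadcasting NetBIOS name service (137/udp)",
    "apipa-netbios-dgm": "link-local (APIPA) host broadcasting NetBIOS datagram service (138/udp)",
    "apipa-router-solicit": "link-local (APIPA) host sending ICMP router solicitation (type 10) "
                            "to the all-routers multicast group 224.0.0.2",
    "apipa-other": "other traffic from a link-local (APIPA) source",
    "unparsed": "line did not match the expected log format",
    "other": "no known benign pattern matched; worth a closer look",
}


def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "tlen", "itype", "icode"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(rec):
    """Map a parsed record to one of the DESCRIPTIONS tags."""
    if rec is None:
        return "unparsed"
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    proto = rec["proto"]
    if (proto == "udp" and src == ipaddress.ip_address("0.0.0.0")
            and dst == ipaddress.ip_address("255.255.255.255")
            and rec["sport"] == 68 and rec["dport"] == 67):
        return "dhcp-discover"
    if src in LINK_LOCAL:
        if proto == "udp" and rec["dport"] == 137:
            return "apipa-netbios-ns"
        if proto == "udp" and rec["dport"] == 138:
            return "apipa-netbios-dgm"
        if proto == "icmp" and rec["itype"] == 10 and dst.is_multicast:
            return "apipa-router-solicit"
        return "apipa-other"
    return "other"


def summarize(lines):
    """Count how many lines fall into each tag; returns a plain dict."""
    return dict(Counter(classify(parse(line)) for line in lines))


# Constructed sample, mirroring the lines quoted in the thread.
SAMPLE_LOG = [
    "0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328",
    "169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205",
    "169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78",
    "169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78",
    "169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0",
]

if __name__ == "__main__":
    for tag, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{count:3d}  {tag:22s} {DESCRIPTIONS[tag]}")
```

Everything in the sample lands in one of the "apipa-*" or "dhcp-discover" buckets, which is the script's way of saying what Jeroen says in prose: a single host on the LAN that never got a DHCP lease, fell back to a 169.254.x.x address and is now doing ordinary Windows/SMB broadcasting. Lines that end up as "other" are the ones that actually deserve attention.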