From: Jeroen Massar (jeroen@unfix.org)
Date: Thu Aug 02 2001 - 18:04:05 CDT


    Krzysztof Zaraska wrote:

    > On Thu, 2 Aug 2001, Vlad wrote:
    >
    > > I've got this today in my logs:
    <SNIP>
    >
    > first series of
    > 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
    > (looks like BOOTP)
    >
    > then
    > 169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
    > 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
    > alternating, then a long series of
    > 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
    > (please note same subnet numbers as in the letter above!)
    >
    > once immediately after BOOTP-like packets I got:
    > 169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
    > (multicast ?!)
    >
    > First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 -
    > 13:29, second series at 13:31, third at 13:35.
    >
    > That looks like a DDOS attempt but I don't like two things:
    > 1 - too few packets to 169.254.255.255
    > 2 - I don't know what could have triggered it since no traffic is allowed
    > inside the network (stateful firewalling).
    >
    > 169.254.0.0 is assigned to IANA according to ARIN WHOIS.
    And is also used by Windows 9x and 2k when they can't get an IP from a
    dhcp server (that's your BOOTP-alike thingy).
    And the attempt to broadcast together with ports 138/137 indicates Samba....

    There you go, at least... With a 99% probability factor <grin>

    Greets,
     Jeroen

    To Unsubscribe: send mail to majordomo@FreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
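Added example (my own code, not part of this thread): a small Python classifier over log lines in the shape quoted above, tagging the 0.0.0.0:68 -> 255.255.255.255:67 DHCP discover, the 169.254/16 link-local source, the NetBIOS 137/138 broadcasts and the ICMP type 10 router solicitation to 224.0.0.2 as host autoconfiguration noise rather than an attack. The sample lines, including the trailing TCP line used to show the "review" path, are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same shape as the thread's quoted log entries;
# the last line is a constructed non-matching entry to exercise the 'other' path.
SAMPLE_LOG = """\
0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
192.0.2.7,40000 -> 192.0.2.9,22 PR tcp len 20 60
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))?"
    r" PR (?P<proto>\w+) len \d+ \d+(?: icmp (?P<itype>\d+)/\d+)?$"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA range, used when DHCP fails
ALL_ROUTERS = ipaddress.ip_address("224.0.0.2")       # target of ICMP router solicitation
BENIGN = {"dhcp-discover", "netbios-broadcast", "router-solicitation", "link-local-other"}

def classify(line: str) -> str:
    """Tag one log line; every BENIGN tag is host autoconfiguration, not an attack."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    broadcast = dst in (ipaddress.ip_address("255.255.255.255"), LINK_LOCAL.broadcast_address)
    if m["proto"] == "udp" and src.is_unspecified and (sport, dport) == (68, 67):
        return "dhcp-discover"          # client without a lease asking for one
    if m["proto"] == "icmp" and dst == ALL_ROUTERS and m["itype"] == "10":
        return "router-solicitation"    # ICMP type 10 sent to the all-routers group
    if m["proto"] == "udp" and broadcast and dport in (137, 138):
        return "netbios-broadcast"      # NetBIOS name service / datagram browsing
    if src in LINK_LOCAL:
        return "link-local-other"
    return "other"

def assess(log: str) -> tuple[Counter, str]:
    """Count tags and say whether the burst is DHCP-failure noise or needs a look."""
    counts = Counter(classify(l) for l in log.splitlines() if l.strip())
    suspicious = set(counts) - BENIGN
    verdict = "autoconfiguration noise" if not suspicious else f"review: {sorted(suspicious)}"
    return counts, verdict
```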