[Dshield] incoming traffic from 192.168.0.1 ????
Billy.Becker at isd-corp.com
Fri Jul 27 02:56:52 GMT 2001
These packets are most likely accidental connections from clueless windows
users somewhere else on your ISP. I say this because they are all looking
for port 137, and becuase of the 169.254.XXX.XXX addresses. I'm not sure
what kind of firewalling you can do on your little router, but see if you
can set it up to block all of the nonroutable addresses.
the funny about about spoofing the source address is that you will never see
the data come back to you, cause the source is spoofed, and cause the source
is technically "nonroutable". so if someone was scanning you, then it would
have to be from somewhere in your ISP, and your ISP would have to route
192.168.XXX.XXX internally, and they could hunt down the offender and make
the 169.254.XXX.XXX is the ip address windows gives a DHCP client that
hasn't gotten an ip address from a DHCP server; again, a nonroutable IP
I don't really think that theses are DOS attempts becuase there are so few
of them, and I don't think that they're scans targeted towards you, because
there would be no way for the data to get back to the scanner.
I really doubt that they are decoy scans from nmap, because the whole point
of using the decoy option in nmap is to obfuscate the IP address that is
actually scanning you by making it appear that the scan is coming from many
block these addresses from coming in your little router:
to be a good neighbor you should also block all that stuff from going out of
your router, too :) but you have such a small network that I wouldn't really
worry about it.
From: Marty Keane [mailto:mkeane89 at pacbell.net]
Sent: Tuesday, July 24, 2001 12:49 PM
To: dshield at dshield.org
Subject: [Dshield] incoming traffic from 192.168.0.1 ????
I'm new to the list so I hope I'm on target with my question. I'm using
router with the latest firmware with a windows 98 machine. I just
started logging my incoming
traffic to the firewall and recently found something very disturbing.
Hopefully there's a simple
explanation. Here are the entries AM (PST)
remote port local port
11:26:51 (first three entries)
11:27:19 (remaining entries)
My apologies if there is some other formal way of raising this issue,
but the fact that it's
an internal looking address has me concerned. I'm aware of the net-bios
issue with windows
machines and I've cloaked my router. One last note is that 192.168.0.1
my router's ip nor an ip of a machine on my LAN.
Any insight would be greatly appreciated! Right now I've got my LAN down
am afraid to bring it up until I know what's going on :-/
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the list