[Dshield] incoming traffic from ????

Billy Becker Billy.Becker at isd-corp.com
Fri Jul 27 02:56:52 GMT 2001

These packets are most likely accidental connections from clueless Windows
users somewhere else on your ISP. I say this because they are all looking
for port 137, and because of the 169.254.XXX.XXX addresses. I'm not sure
what kind of firewalling you can do on your little router, but see if you
can set it up to block all of the nonroutable addresses.

The funny thing about spoofing the source address is that you will never see
the data come back to you, 'cause the source is spoofed, and 'cause the source
is technically "nonroutable". So if someone was scanning you, then it would
have to be from somewhere in your ISP, and your ISP would have to route
192.168.XXX.XXX internally, and they could hunt down the offender and make
him stop.

The 169.254.XXX.XXX is the IP address Windows gives a DHCP client that
hasn't gotten an IP address from a DHCP server; again, a nonroutable IP.

I don't really think that these are DoS attempts because there are so few
of them, and I don't think that they're scans targeted towards you, because
there would be no way for the data to get back to the scanner.

I really doubt that they are decoy scans from nmap, because the whole point
of using the decoy option in nmap is to obfuscate the IP address that is
actually scanning you by making it appear that the scan is coming from many
different hosts. 

Block these addresses from coming in your little router:

To be a good neighbor you should also block all that stuff from going out of
your router, too :) but you have such a small network that I wouldn't really
worry about it.


-----Original Message-----
From: Marty Keane [mailto:mkeane89 at pacbell.net]
Sent: Tuesday, July 24, 2001 12:49 PM
To: dshield at dshield.org
Subject: [Dshield] incoming traffic from ????

Hello all,

I'm new to the list so I hope I'm on target with my question. I'm using
the Linksys router with the latest firmware with a Windows 98 machine. I
just started logging my incoming traffic to the firewall and recently found
something very disturbing. Hopefully there's a simple explanation. Here are
the entries AM (PST)

remote addr
remote port                local port

11:26:51  (first three entries)
137                            137
137                            137
137                            137

11:27:19 (remaining entries)
137                            137
137                            137
137                            137
137                            137
137                            137

My apologies if there is some other formal way of raising this issue, but
the fact that it's an internal looking address has me concerned. I'm aware
of the net-bios issue with windows machines and I've cloaked my router. One
last note is that
is neither my router's ip nor an ip of a machine on my LAN.

Any insight would be greatly appreciated! Right now I've got my LAN down
and I am afraid to bring it up until I know what's going on :-/


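An added example, not part of the original thread: a small Python triage of firewall log entries that follows the reply's reasoning, labelling sources in the nonroutable ranges and marking port 137 to port 137 hits as likely stray NetBIOS name-service traffic. The log format, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Source ranges the reply calls nonroutable; none should arrive from the WAN side.
NONROUTABLE = [
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),  # DHCP-failure autoconfig
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
]
NETBIOS_NS = 137  # NetBIOS name service port seen in the log

# Constructed sample log; assumed columns: time, remote addr, remote port, local port.
# 203.0.113.9 is a documentation address standing in for an ordinary public source.
SAMPLE_LOG = """\
11:26:51 169.254.10.20 137 137
11:26:51 169.254.10.20 137 137
11:27:19 192.168.1.77 137 137
11:27:40 10.9.8.7 4000 23
11:28:02 203.0.113.9 4312 137
not a log line
"""
ENTRY = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def classify(addr):
    """Return (label, network) for a nonroutable source, else ("routable", None)."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a non-IP string
    for label, net in NONROUTABLE:
        if ip in net:
            return label, net
    return "routable", None


def triage(log_text):
    """Return (time, addr, label, likely_stray_netbios, network) per valid entry."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header or malformed line
        ts, addr, rport, lport = m.groups()
        try:
            label, net = classify(addr)
        except ValueError:
            continue  # address column is not an IP
        stray = net is not None and int(rport) == int(lport) == NETBIOS_NS
        results.append((ts, addr, label, stray, net))
    return results


def drop_list(results):
    """Source networks an inbound (and outbound) filter would need to drop."""
    return sorted({str(net) for *_, net in results if net is not None})
```
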