[Dshield] W2K domain controller scans

John Sage jsage at finchhaven.com
Tue Oct 30 16:29:33 GMT 2001


Ryan:

Very interesting.

I've recently seen very much the same coming *in* on my firewall, a 
169.254.x.x source IP to port 139 intermixed with traffic from a 
legitimate IP, to both ports 139 and 445 ms-ds:

<snort snip>

[**] [1:0:0] TCP to 445 Win2k SMB [**]
10/24-21:58:09.538614 211.222.101.141:2605 -> 12.82.134.123:445
TCP TTL:115 TOS:0x0 ID:15296 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349490FE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:09.548672 211.222.101.141:2655 -> 12.82.134.123:139
TCP TTL:115 TOS:0x0 ID:15297 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349562E2  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:09.608660 169.254.104.244:2806 -> 12.82.134.123:139
TCP TTL:114 TOS:0x0 ID:15344 IpLen:20 DgmLen:48 DF
******S* Seq: 0x34B9A0AE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:12.458877 211.222.101.141:2655 -> 12.82.134.123:139
TCP TTL:115 TOS:0x0 ID:16045 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349562E2  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 445 Win2k SMB [**]
10/24-21:58:12.468930 211.222.101.141:2605 -> 12.82.134.123:445
TCP TTL:115 TOS:0x0 ID:16046 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349490FE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:12.558977 169.254.104.244:2806 -> 12.82.134.123:139
TCP TTL:114 TOS:0x0 ID:16082 IpLen:20 DgmLen:48 DF
******S* Seq: 0x34B9A0AE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:18.469541 211.222.101.141:2655 -> 12.82.134.123:139
TCP TTL:115 TOS:0x0 ID:16735 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349562E2  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 445 Win2k SMB [**]
10/24-21:58:18.479531 211.222.101.141:2605 -> 12.82.134.123:445
TCP TTL:115 TOS:0x0 ID:16736 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349490FE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:18.559546 169.254.104.244:2806 -> 12.82.134.123:139
TCP TTL:114 TOS:0x0 ID:16738 IpLen:20 DgmLen:48 DF
******S* Seq: 0x34B9A0AE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

</snort snip>

Do I have an explanation? Not really. As Win2K and XP (erk..) become 
more prevalent, I suspect we'll see more aberrant packets flitting about...

You seem to be filtering these 169.254.x.x packets on egress; that's the 
best we can hope for, except to hope that someday *everyone* will be 
keeping these from escaping.


- John


Ryan J Betz wrote:

> Lately I've been seeing my W2K DC trying to connect to what appears to be a
> reserved IP address:
> 
> Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6
> 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127
> (#38)
> Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6
> 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44519 F=0x4000 T=127
> (#38)
> Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6
> 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44520 F=0x4000 T=127
> (#38)
> Oct 30 07:28:52 gateway kernel: Packet log: output DENY eth0 PROTO=6
> 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44548 F=0x4000 T=127
> (#38)
> Oct 30 07:28:52 gateway kernel: Packet log: output DENY eth0 PROTO=6
> 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44549 F=0x4000 T=127
> (#38)



<snip-a-lot>
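The egress-filtering point John makes is easy to turn into a check on the logs themselves. The following Python script is an added example, not code from either poster: it parses both record layouts quoted in this thread (Snort alert records and ipchains `Packet log` lines), and reports every packet that carries a 169.254.0.0/16 address on either end. The sample inputs are constructed from the records quoted above, with the ipchains lines rejoined onto one line each, which is how the kernel writes them.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the Snort alert layout quoted in the post
# (addresses and fields are the ones the post shows).
SNORT_ALERTS = """\
[**] [1:0:0] TCP to 445 Win2k SMB [**]
10/24-21:58:09.538614 211.222.101.141:2605 -> 12.82.134.123:445
TCP TTL:115 TOS:0x0 ID:15296 IpLen:20 DgmLen:48 DF
******S* Seq: 0x349490FE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1414 NOP NOP SackOK

[**] [1:0:0] TCP to 137-139 netBIOS [**]
10/24-21:58:09.608660 169.254.104.244:2806 -> 12.82.134.123:139
TCP TTL:114 TOS:0x0 ID:15344 IpLen:20 DgmLen:48 DF
******S* Seq: 0x34B9A0AE  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# Constructed sample in the ipchains kernel-log layout of the quoted report
# (one record per line; the list archive wrapped these).
IPCHAINS_LOG = """\
Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44520 F=0x4000 T=127 (#38)
"""

SNORT_SIG = re.compile(r"^\[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\]$")
SNORT_HEADER = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SNORT_TTL = re.compile(r"\bTTL:(?P<ttl>\d+)")
IPCHAINS_LINE = re.compile(
    r"kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\bT=(?P<ttl>\d+)"
)

Record = Dict[str, str]


def parse_snort(text: str) -> List[Record]:
    """Collect signature, addresses, ports and TTL from multi-line Snort alert records."""
    records: List[Record] = []
    sig = ""
    for line in text.splitlines():
        m = SNORT_SIG.match(line)
        if m:
            sig = m.group("sig")          # remembered until the next header line
            continue
        m = SNORT_HEADER.match(line)
        if m:
            records.append({"source": "snort", "label": sig, **m.groupdict()})
            continue
        m = SNORT_TTL.search(line)
        if m and records and "ttl" not in records[-1]:
            records[-1]["ttl"] = m.group("ttl")
    return records


def parse_ipchains(text: str) -> List[Record]:
    """One record per ipchains 'Packet log' line; other syslog lines are ignored."""
    records: List[Record] = []
    for line in text.splitlines():
        m = IPCHAINS_LINE.search(line)
        if m:
            d = m.groupdict()
            records.append({"source": "ipchains",
                            "label": f"{d['chain']} {d['action']} {d['iface']}", **d})
    return records


def link_local_findings(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (end, address, label) for every record with a 169.254.0.0/16 address.

    Link-local addresses (RFC 3927) are only valid on a single link, so one seen at a
    routed border is a leak: as a source it is traffic the originating site's egress
    filter should have dropped; as a destination it is a local host (here the DC,
    answering from port 139) replying to such an address, which the gateway DENYs.
    """
    findings = []
    for r in records:
        for end in ("src", "dst"):
            if ipaddress.IPv4Address(r[end]).is_link_local:
                findings.append((end, r[end], r["label"]))
    return findings


def report() -> List[Tuple[str, str, str]]:
    """Run both parsers over the constructed samples and return the findings."""
    return link_local_findings(parse_snort(SNORT_ALERTS) + parse_ipchains(IPCHAINS_LOG))


if __name__ == "__main__":
    for end, addr, label in report():
        print(f"{end:>3} {addr:<16} {label}")
```

Pointed at a real alert file and a real kernel log, the same two parsers give a quick answer to the question both posters are asking: whether a 169.254.x.x address is arriving from outside (a `src` finding on ingress, someone else's egress leak) or whether one of your own hosts is answering one (a `dst` finding on the output chain, which is the case the gateway above is already dropping).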