[Dshield] W2K domain controller scans

Fitton, Robert "Bob" BFitton at laborready.com
Tue Oct 30 18:36:40 GMT 2001


Filtering them on egress is excellent, but this might also indicate that
packets from 169.254.x.x have gotten IN to your DC port 139, and you are
blocking the replies.  Ingress blocking of the 169.254.x.x source
addresses would add another line of defense.

Bob

>Ryan:
>
>Very interesting.
>
>I've recently seen very much the same coming *in* on my firewall, a 
>169.254.x.x source IP to port 139 intermixed with traffic from a 
>legitimate IP, to both ports 139 and 445 ms-ds:
>
><snort snip>
[snort snip snipped]
></snort snip>
>
>Do I have an explanation? Not really. As Win2K and XP (erk..) become 
>more prevalent, I suspect we'll see more aberrant packets 
>flitting about...
>
>You seem to be filtering these 169.254.x.x packets on egress; that's the
>best we can hope for, except to hope that someday *everyone* will be 
>keeping these from escaping.
>
>
>- John
>
>
>Ryan J Betz wrote:
>
>> Lately I've been seeing my W2K DC trying to connect to what appears to be a
>> reserved IP address:
>> 
>> Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
>> Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44519 F=0x4000 T=127 (#38)
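An added example (not part of this thread) that parses ipchains "Packet log:" lines like the ones Ryan quoted and separates the two cases Bob distinguishes: an internal host replying *out* to a 169.254.x.x address versus a packet with a 169.254.x.x source arriving *in*. The sample lines are constructed; the first two mirror the posted entries, the last two are hypothetical inbound entries.

```python
import ipaddress
import re

# Constructed sample log. Lines 1-2 mirror Ryan's output DENY entries; lines 3-4 are
# hypothetical input entries showing a link-local source reaching the DC's port 139/445.
SAMPLE_LOG = """\
Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44519 F=0x4000 T=127 (#38)
Oct 30 07:28:40 gateway kernel: Packet log: input ACCEPT eth0 PROTO=6 169.254.101.152:4841 192.168.0.88:139 L=48 S=0x00 I=44490 F=0x4000 T=126 (#12)
Oct 30 07:29:01 gateway kernel: Packet log: input DENY eth0 PROTO=6 169.254.7.9:1025 192.168.0.88:445 L=48 S=0x00 I=1 F=0x4000 T=64 (#40)
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4 link-local (APIPA), never routable

LOG_RE = re.compile(
    r"Packet log: (?P<chain>input|output|forward) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Return chain/action/addresses/ports of one ipchains log line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label link-local traffic by direction; None for packets not involving 169.254/16."""
    if rec["chain"] == "input" and rec["src"] in LINK_LOCAL:
        return "ingress-linklocal-src"   # came in from outside with a link-local source
    if rec["chain"] == "output" and rec["dst"] in LINK_LOCAL:
        return "egress-linklocal-dst"    # an internal host answering a link-local address
    return None

def audit(log_text):
    """Group (action, src, dst, dport) tuples under the label classify() assigns."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            findings.setdefault(label, []).append(
                (rec["action"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return findings

def ingress_gaps(findings):
    """Inbound link-local-sourced packets that were accepted: the gap Bob describes."""
    return [f for f in findings.get("ingress-linklocal-src", []) if f[0] == "ACCEPT"]
```

Egress denies alone only show the replies; a non-empty `ingress_gaps()` result means the inbound side still lets link-local sources through and needs its own rule.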