[Dshield] W2K domain controller scans
Ryan J Betz
ryanb at maumeepattern.com
Tue Oct 30 20:24:28 GMT 2001
Ryan J Betz wrote:
>> Lately I've been seeing my W2K DC trying to connect to what appears to be
>> a reserved IP address:
>> Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6
>> 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127
>169.254.x.x is what MS uses for DHCP client that cannot connect to a
>It looks like somebody fired up their computer with the network cable
>unplugged, then later plugged it in. Your routes point 169.254.x.x out
>to the Internet.
>The solution is to reboot whoever's generating that IP address.
That's what I thought initially. Funny thing about that is I don't use DHCP
at all. None of the clients run it, and there isn't a DHCP server running.
I frequently sift through the logs of my local subnet firewall between
192.168.0.X and 192.168.1.X and I never see any broadcast DHCP requests.
Maybe it's just a stray and I have to look deeper into it. This didn't seem
to be happening until I added another NIC to the DC with an IP address on
Thanks again for all the help,
Ryan J Betz
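
An added example, not part of the original message: a small Python parser for the ipchains "Packet log" format quoted above that picks out entries with an endpoint in 169.254.0.0/16 and records which interface they crossed. The function names, the `looks_like_reply` heuristic and every sample line after the first are assumptions constructed for illustration.

```python
import ipaddress
import re

# Field layout taken from the ipchains "Packet log" line quoted in the message.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4 link-local (APIPA) range

# First entry is the line from the message (re-joined); the rest are constructed samples.
SAMPLE_LOG = [
    "Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 "
    "192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127",
    "Oct 30 07:29:10 gateway kernel: Packet log: output DENY eth0 PROTO=6 "
    "192.168.0.88:3012 10.9.8.7:80 L=48 S=0x00 I=44501 F=0x4000 T=127",
    "Oct 30 07:30:02 gateway kernel: Packet log: input DENY eth1 PROTO=17 "
    "169.254.101.152:137 192.168.0.255:137 L=78 S=0x00 I=120 F=0x0000 T=128",
    "Oct 30 07:30:05 gateway kernel: eth0: link up",
]


def parse(line):
    """Return a dict of typed fields, or None if the line is not a packet log entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def link_local_hits(lines):
    """Collect entries where either endpoint is in 169.254.0.0/16."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["src"] in LINK_LOCAL or rec["dst"] in LINK_LOCAL:
            # Heuristic (assumption): a well-known source port answering an
            # ephemeral destination port means the logged host is replying.
            rec["looks_like_reply"] = rec["sport"] < 1024 <= rec["dport"]
            hits.append(rec)
    return hits
```

Grouping the hits by `iface` shows which segment the link-local peer sits on, which narrows the search to the hosts and NICs attached there.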