[Dshield] W2K domain controller scans

Ryan J Betz ryanb at maumeepattern.com
Tue Oct 30 20:24:28 GMT 2001


Ryan J Betz wrote:

>> Lately I've been seeing my W2K DC trying to connect to what appears to be a
>> reserved IP address:
>>
>> Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6
>> 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127
>> (#38)
>
>
>Likely cause:
>
>169.254.x.x is what MS uses for DHCP client that cannot connect to a
>DHCP server.
>
>It looks like somebody fired up their computer with the network cable
>unplugged, then later plugged it in. Your routes point 169.254.x.x out
>to the Internet.
>
>The solution is to reboot whoever's generating that IP address.

That's what I thought initially.  Funny thing about that is I don't use DHCP
at all.  None of the clients run it, and there isn't a DHCP server running.
I frequently sift through the logs of my local subnet firewall between
192.168.0.X and 192.168.1.X and I never see any broadcast DHCP requests.
Maybe it's just a stray and I have to look deeper into it.  This didn't seem
to be happening until I added another NIC to the DC with an IP address on
192.168.1.X.

Thanks again for all the help,
Ryan J Betz
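
Added example, not part of the original thread: a small Python filter that parses ipchains "Packet log" entries like the one quoted above and reports which internal hosts are sending to 169.254.0.0/16 (link-local) destinations. The function names and every sample line except the first are constructed for illustration; the reply heuristic is an assumption, not something the thread states.

```python
import ipaddress
import re
from collections import Counter

# ipchains "Packet log" entry: chain, action, interface, protocol, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample input. The first entry is the one quoted in the thread,
# re-joined onto one line; the remaining lines are invented for the example.
SAMPLE_LOG = """\
Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
Oct 30 07:31:02 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4842 L=48 S=0x00 I=44510 F=0x4000 T=127 (#38)
Oct 30 07:35:10 gateway kernel: Packet log: input DENY eth0 PROTO=17 10.1.2.3:1027 192.168.0.88:137 L=78 S=0x00 I=1201 F=0x0000 T=116 (#12)
Oct 30 07:36:00 gateway syslogd: restart
"""

def parse_line(line):
    """Return the fields of one ipchains log entry, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def link_local_hits(log_text):
    """Collect entries whose destination is in 169.254.0.0/16."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ipaddress.ip_address(rec["dst"]).is_link_local:
            continue
        # Heuristic (assumption): a well-known source port talking to a high
        # destination port looks like a reply rather than a new connection.
        rec["looks_like_reply"] = rec["sport"] < 1024 <= rec["dport"]
        hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per (source, destination) pair to find the host to inspect."""
    return Counter((h["src"], h["dst"]) for h in hits)

if __name__ == "__main__":
    for (src, dst), count in summarize(link_local_hits(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {count} packet(s) to a link-local address")
```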




