[Dshield] Repeated spoofed address attempts

Stephane Grobety security at admin.fulgan.com
Wed May 8 15:41:15 GMT 2002


Hello David,

Sorry, I was a bit quick to send...

The addresses you are seeing are "reserved" for DHCP autoconfig
clients (when they have failed to get an address, they must pick an
address that is within the 169.254/16 address space).

What it probably is: Win98/NT/MacOS clients that have gotten a negative
answer from your internal DHCP server and that are trying to auto-pick
an IP address. They are calling the broadcast address in order to
get the NetBIOS information of your machines and your FW is
(correctly) picking them up as "spoofed".

Now, what I'm not 100% sure about is what you can do to get the machine
that has the problem. First, check your DHCP server state and logs.
Maybe you can find the error condition there and fix it at the server.
Otherwise, I'm afraid you'll have to get the MAC of these packets and
follow them to their source.

Good luck,
Stephane




Wednesday, May 8, 2002, 4:35:55 PM, you wrote:

SD> Yesterday our network firewall (Watchguard Firebox II) intercepted several
SD> thousand attempts from spoofed addresses. Does anyone know why this would be
SD> happening or how I would attempt to locate the "mis"-user doing this. Now
SD> they did not get through on these attempts...or at least they all were
SD> denied. I have not been able to configure snort to work on our system
SD> correctly so I'll only post a few of the logs in the Watchguard format.
SD> These ran for 303 pages of logs (approx. 6000+ attempts). Oddly enough, this
SD> is not our ip address (the second one) and I know this is just a ping back
SD> from an email site or at least that is what I thought it was.
SD> Any input would be appreciated.


SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183
SD> 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.164.183
SD> 169.254.255.255 137 137 (spoofed source address)


 

-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
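As an added illustration (not part of the original thread, and not code from either poster), the following Python snippet parses Watchguard Firebox "firewalld" deny lines of the shape quoted above and separates the APIPA-style noise Stephane describes (UDP from a 169.254/16 source to the 169.254.255.255 broadcast on NetBIOS name-service port 137) from everything else, then counts the distinct link-local sources so an admin knows how many hosts lost their DHCP lease. The sample log lines are constructed from the format in the thread (the last one is a made-up non-matching line), and the meaning of the two numeric fields after the protocol (IP header length and TTL) is an assumption drawn from the sample, not documented Watchguard behaviour.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input in the Watchguard Firebox log format seen in the thread.
# The final line is a made-up unrelated deny so the filter has something to reject.
SAMPLE_LOG = """\
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:03  firewalld[105]:  deny out eth1 60 tcp 20 64 10.0.0.5 198.51.100.7 1234 80 (constructed other deny)
"""

# RFC 3927 link-local (APIPA) range; its broadcast address is 169.254.255.255.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
NETBIOS_NS_PORT = 137

# Field layout after the protocol is an assumption based on the thread's sample:
# <ip header len> <ttl> <src> <dst> <sport> <dport> (<reason>)
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+firewalld\[\d+\]:\s+(?P<action>\w+) (?P<dir>\w+) "
    r"(?P<iface>\S+) (?P<length>\d+) (?P<proto>\w+) (?P<hlen>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)(?: \((?P<reason>[^)]*)\))?$"
)


def parse_line(line):
    """Return a dict of fields for one firewalld line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("length", "hlen", "ttl", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_apipa_netbios_broadcast(rec):
    """True when the record is a link-local host doing a NetBIOS name-service broadcast."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return (
        rec["proto"] == "udp"
        and src in LINK_LOCAL
        and dst == LINK_LOCAL.broadcast_address
        and rec["dport"] == NETBIOS_NS_PORT
    )


def summarize(log_text):
    """Count APIPA/NetBIOS broadcasts per source host; also count unrelated denies.

    Returns (Counter of src -> hits, number_of_other_deny_lines).
    """
    per_host = Counter()
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_apipa_netbios_broadcast(rec):
            per_host[rec["src"]] += 1
        else:
            other += 1
    return per_host, other


if __name__ == "__main__":
    hosts, other = summarize(SAMPLE_LOG)
    print(f"{len(hosts)} link-local host(s) failed DHCP and are broadcasting NetBIOS:")
    for src, n in hosts.most_common():
        print(f"  {src}: {n} packet(s)")
    print(f"{other} other deny line(s) not explained by APIPA")
```

The list of distinct 169.254.x.y sources is what you would carry to the switch or the DHCP server logs next: each one is a host that gave up on DHCP, and the MAC behind it (not visible in this log format) is the thing to chase, as Stephane suggests.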



