[Dshield] Repeated spoofed address attempts

Henriksen, Ron RHENRIKSEN at wintrust.com
Wed May 8 15:43:39 GMT 2002


You have a workstation that is not getting an IP address from your DHCP
server. What you are seeing is Microsoft auto IP addressing kicking in. A
workstation that can't lease an IP address does a local ARP request on that
local segment to find who has an auto-assigned address and then it picks one of
the 169.0.0.0 IPs for itself. That's what the 169.254.255.255 broadcast is
doing. To test it, bring up one of your workstations with the network cable
attached. Then use "IPconfig" or "Winipcfg" to view the local IP address.

-----Original Message-----
From: Stigers, David [mailto:dstigers at KACO.org]
Sent: Wednesday, May 08, 2002 9:36 AM
To: 'list at dshield.org'
Subject: [Dshield] Repeated spoofed address attempts


Yesterday our network firewall (Watchguard Firebox II) intercepted several
thousand attempts from spoofed addresses. Does anyone know why this would be
happening or how I would attempt to locate the "mis"-user doing this? Now
they did not get through on these attempts...or at least they all were
denied. I have not been able to configure snort to work on our system
correctly, so I'll only post a few of the logs in the Watchguard format.
These ran for 303 pages of logs (approx. 6000+ attempts). Oddly enough, this
is not our IP address (the second one) and I know this is just a ping back
from an email site, or at least that is what I thought it was.
Any input would be appreciated.


05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.164.183 169.254.255.255 137 137 (spoofed source address)


 
 "Patience and perseverance have a magical effect before
    which difficulties disappear and obstacles vanish."
          - John Quincy Adams
________________________________________ 
David E. Stigers 
IT Manager 
KY Association of Counties 
 
________________________________________ 
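
A way to triage a log like the one quoted above, added here as an example and not written by either poster: it parses the firewall's "spoofed source address" denials and separates sources in the IPv4 link-local range 169.254.0.0/16 (self-assigned addresses, which point at a host that failed to get a DHCP lease) from any other flagged source. The field layout is inferred from the posted lines, the function name is hypothetical, and the sample mixes entries from the post with one constructed entry.

```python
import ipaddress
import re
from collections import Counter

# Sample input: four entries taken from the post (the fourth left wrapped the
# way the mail client wrapped it) plus one constructed entry whose source is
# the documentation address 192.0.2.10, for contrast.
SAMPLE_LOG = """\
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183
169.254.255.255 137 137 (spoofed source address)
05/07/02 14:03  firewalld[105]:  deny out eth1 78 udp 20 128 192.0.2.10 192.0.2.255 137 137 (spoofed source address)
"""

# Field layout inferred from the lines in the post; the three bare numbers
# around the protocol are skipped because the post does not say what they are.
# \s+ also matches newlines, so wrapped entries parse without rejoining.
ENTRY = re.compile(
    r"firewalld\[\d+\]:\s+(?P<action>\w+)\s+(?P<direction>\w+)\s+(?P<iface>\S+)\s+"
    r"\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<reason>[^)]*)\)"
)

def triage_spoof_denials(log_text):
    """Split 'spoofed source address' denials into link-local and other sources."""
    link_local, other = Counter(), Counter()
    for m in ENTRY.finditer(log_text):
        if m["reason"] != "spoofed source address":
            continue
        src = ipaddress.ip_address(m["src"])
        # 169.254.0.0/16 is the IPv4 link-local (auto-configuration) range.
        bucket = link_local if src.is_link_local else other
        bucket[str(src)] += 1
    return link_local, other

if __name__ == "__main__":
    link_local, other = triage_spoof_denials(SAMPLE_LOG)
    print("Self-assigned hosts (check DHCP / cabling on these):")
    for ip, hits in link_local.most_common():
        print(f"  {ip:<16} {hits} denials")
    print("Other flagged sources (need separate investigation):")
    for ip, hits in other.most_common():
        print(f"  {ip:<16} {hits} denials")
```

Sources that land in the second group are not explained by failed DHCP leases and need their own follow-up.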
