[Dshield] Repeated spoofed address attempts

Bruce Lilly blilly at erols.com
Wed May 8 17:57:02 GMT 2002


> Subject: [Dshield] Repeated spoofed address attempts
> Date: Wed, 8 May 2002 10:35:55 -0400
> From: "Stigers, David" <dstigers at KACO.org>
> 
> Yesterday our network firewall (Watchguard Firebox II) intercepted several
> thousand attempts from spoofed addresses. Does anyone know why this would be
> happening or how I would attempt to locate the "mis"-user doing this. Now
> they did not get through on these attempts...or at least they all were
> denied. I have not been able to configure snort to work on our system
> correctly so I'll only post a few of the logs in the Watchguard format.
> These ran for 303 pages of logs (approx. 6000+ attempts). Oddly enough, this
> is not our ip address (the second one) and I know this is just a ping back
> from an email site or at least that is what I thought it was.
> Any input would be appreciated.
> 
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168
> 169.254.255.255 137 137 (spoofed source address)

<snip>

It's a Microsoft Windows machine looking for a DHCP server.

That's what happens when a Windows box is not configured with
either a static IP address or a specified existing DHCP server.

See draft-ietf-dhc-ipv4-autoconfig-05.txt.
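As an added example (not part of the original post or the reply), one way to triage a log like the one quoted above is to group the "spoofed source address" denies by source and separate 169.254.0.0/16 autoconfiguration broadcasts to UDP port 137 (NetBIOS name service) from everything else. The field order in the regular expression is an assumption inferred from the single line in the thread, and all sample records except the first are constructed.

```python
import ipaddress
import re
from collections import Counter

# Field order is inferred from the one log line quoted in the thread (assumption):
# date time firewalld[pid]: action dir iface len proto hdrlen ttl src dst sport dport (reason)
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+firewalld\[\d+\]:\s+"
    r"(?P<action>\w+)\s+(?P<dir>\w+)\s+(?P<iface>\S+)\s+\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<reason>[^)]*)\)"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4 autoconfiguration range
# Constructed sample: the first record is the wrapped line from the post, the rest are made up.
SAMPLE = """\
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168
> 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:03  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.17.9 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:04  firewalld[105]:  deny in eth0 60 tcp 20 52 10.1.2.3 192.0.2.10 4431 80 (spoofed source address)
"""

def unwrap(text):
    """Rejoin records that a mail client wrapped, dropping any '> ' quote prefix."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if not line:
            continue
        if re.match(r"\d\d/\d\d/\d\d\s", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def classify(record):
    """Return (source, label) for a deny record, or None if it does not parse."""
    if (m := LINE_RE.match(record)) is None:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:  # digits and dots that are not a valid IPv4 address
        return None
    if src not in LINK_LOCAL:
        return m["src"], "other-spoof"
    if dst == LINK_LOCAL.broadcast_address and m["proto"] == "udp" and m["dport"] == "137":
        return m["src"], "autoconfig-netbios-broadcast"
    return m["src"], "autoconfig-other"

def summarize(text):  # returns (Counter keyed by (source, label), number of unparsed records)
    parsed = [classify(r) for r in unwrap(text)]
    return Counter(p for p in parsed if p), sum(p is None for p in parsed)
```

Records labelled `other-spoof` or `autoconfig-other` are the ones the explanation above does not cover and are worth reading individually.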



