[Dshield] Re: Strange SNMP probes suddenly appearing

*Hobbit* hobbit at avian.org
Tue Dec 2 21:05:37 GMT 2003


The UDP stuff is that "rendezvous" stuff that macos X does by default.
It is a side effect of someone leaving their mac's wireless card turned
on but which hasn't associated with an access-point yet, so if they're
connected to a hardwired ethernet that's the only valid route anywhere
so the rendezvous packets get sent out there.  Someone else can probably
describe it much better than this, but at first blush it's "mostly
harmless".

If you have an organizational policy that people who connect to your
wired LAN *must* turn off their wireless cards to mitigate the risk
that someone with a rogue AP will let them associate and hand them
some bogus address and then capture all their traffic, you can watch
for who's sending the UDP crap and go remind them of such policy.
Consistent enforcement will get people more used to the idea of
thinking "okay, where am I right now and what's my network picture
supposed to look like" and taking appropriate actions.

Can't explain the SNMP stuff, but it wouldn't surprise me that
something called "rendezvous" tries everything it can to learn more
about its surroundings, and if that involves getting information
from what it thinks is a local router, that's another thing to try.

_H*




More information about the list mailing list