[Dshield] 169.254.14.0 Attacks other sites?

Rob Webb PacketHunter at comcast.net
Fri Jan 7 14:00:59 GMT 2005


Scott,

1.  You need to find out if your router(s) have proxy ARP enabled.  Most do
by default.  This will allow them to answer for any IP that they have a
destination route to.  Disable proxy ARP!  That way, systems receiving an
APIPA (Automatic Private IP Address/169.254.x.x) will not be able to route
off their local broadcast domain.

2.  It is possible (and quite probable) that every system defaults to the
same APIPA address first.  It will test this address on its local broadcast
domain (by issuing an ARP for itself), and then use it if no one else is
claiming it.  Remember, this is only on the local broadcast domain...so
these addresses are not tested on different networks...making it entirely
possible for the same IP to exist on multiple networks.

3.  UDP 137 is used by WINS.  If these systems have an application (or
operating system) running that requires name resolution, they will attempt
to resolve using WINS.  Why they would be going out to various Internet IP
addresses to do so I'm not sure.  It may be that they have the IP already in
their system (hard-coded) somewhere and are simply attempting WINS's version
of a reverse lookup.

Disable Proxy ARP first and see if this changes the "look & feel" of this
event.

--Rob 


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Scott Melnick
Sent: Thursday, January 06, 2005 8:58 PM
To: General DShield Discussion List
Subject: [Dshield] 169.254.14.0 Attacks other sites?

After reviewing my firewall logs, I have noticed some very strange activity.
I want to see if anyone else has seen this.

I am noticing that the address 169.254.14.0 (a failed Microsoft DHCP
address) and only this address is trying to send UDP port 137 packets to
many different Internet IP addresses. My firewall does not let it go out
because it's an invalid address on my internal network, but it's filling up
my log and will probably start clogging my WAN lines soon.

I hooked up a snort box on a span port before my firewall and captured some
packets (see below). I noticed that the MAC address is from my site to site
Frame relay router. I go on the router and do a source-track on the IP and
see it coming from 18 of my sites.

I am thinking this is a virus/worm that is spoofing its address because:

1. If it was a machine that didn't receive a DHCP address, how did it make it
to the default gateway and hop over here to the central office?

2. It's coming from multiple sites and the invalid address happens to be
identical on every one.

3. It's targeting multiple systems on the Internet on UDP 137.

Here is a snip of the packet. Anyone have any ideas?

[**] 169 Detected [**]
01/06-20:21:26.153339 169.254.14.0:137 -> <internet ip here>:137
UDP TTL:127 TOS:0x0 ID:16430 IpLen:20 DgmLen:78 Len: 50
0x0000: 00 03 E3 E5 3B 52 00 0B 45 24 6D BC 08 00 45 00  ....;R..E$m...E.
0x0010: 00 4E 40 2E 00 00 7F 11 1B 0F A9 FE 0E 00 CE 87  .N@.............
0x0020: 59 DC 00 89 00 89 00 3A 4B 7D 94 4F 00 00 00 01  Y......:K}.O....
0x0030: 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41  ...... CKAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0050: 41 41 41 41 41 41 41 00 00 21 00 01              AAAAAAA..!..

Thanks,

Scott Melnick

DS Waters

Security Engineer

smelnick at water.com
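The Snort dump in Scott's post, decoded as an added example in Python (not part of the thread and not Snort's code): it walks Ethernet, IPv4, UDP and the NetBIOS Name Service message, and undoes the first-level name encoding to show what the packet actually asks. The capture bytes are copied from the post; the destination IP, which the post redacts, is stepped over and not reported.

```python
import struct

# Bytes copied from the Snort hex dump in the post (one 92-byte Ethernet frame).
CAPTURE_HEX = """
00 03 E3 E5 3B 52 00 0B 45 24 6D BC 08 00 45 00
00 4E 40 2E 00 00 7F 11 1B 0F A9 FE 0E 00 CE 87
59 DC 00 89 00 89 00 3A 4B 7D 94 4F 00 00 00 01
00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 00 00 21 00 01
"""

# NBNS question types from RFC 1002: NB is a name query, NBSTAT a node status request.
NBNS_TYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status request)"}


def decode_netbios_name(encoded: str) -> tuple:
    """Undo first-level encoding: each nibble of the 16-byte NetBIOS name is sent
    as the letter 'A' + nibble. Returns (name without padding, one-byte suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b"\x00 ").decode("ascii"), raw[15]


def parse_frame(hex_text: str) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> NBNS and return the fields needed to classify
    the packet. The destination IP is left undecoded because the post redacts it."""
    frame = bytes.fromhex(hex_text)
    ip = frame[14:]                          # EtherType 0x0800 sits at frame[12:14]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]                    # ulen counts the 8-byte UDP header too
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    name_len = payload[12]                   # 0x20: one 32-letter encoded label
    encoded = payload[13:13 + name_len].decode("ascii")
    qtype, qclass = struct.unpack("!HH", payload[14 + name_len:18 + name_len])
    name, suffix = decode_netbios_name(encoded)
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "ttl": ip[8], "src_port": sport, "dst_port": dport,
        "payload_len": len(payload), "txid": txid,
        "is_query": (flags & 0x8000) == 0, "questions": qdcount,
        "netbios_name": name, "suffix": suffix, "qtype": qtype,
        "qtype_name": NBNS_TYPES.get(qtype, f"unknown 0x{qtype:04x}"),
        "qclass": qclass,
    }
```

On this frame parse_frame(CAPTURE_HEX) reports a single NBSTAT (node status) question for the wildcard name "*", which is the same request nbtstat -A sends to learn the NetBIOS name behind an IP address; it carries no data beyond the question itself.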
