RE: source LAN port 137 dest 169.x

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 07/30/03

  • Next message: Max Harvey: "RE: 2 NIC's on same network, possible?"
    To: "'Darren Gragg'" <admin@bsbks.com>, <security-basics@securityfocus.com>
    Date: Tue, 29 Jul 2003 16:18:04 -0700
    
    

      I would bet that you have one or more (Windows) machines on
    your local network that are failing to get a response from a
    DHCP server when they need one. When that happens, they assign
    themselves a random address in the 169.254.x.x/16 block.
      They then proceed to advertise their presence via NetBIOS,
    with a broadcast to UDP port 137. Other Windows machines see
    the broadcast, and attempt to respond to it.
      Having determined that the source address is not supposed to
    be on the local 172.x.x.x subnet, these responding hosts are
    directing their responses by way of the gateway address. They'll
    be dropped at the point where something recognizes that 169.254.x.x
    is a bogon and not a routable destination.

    David Gillett
      

    > -----Original Message-----
    > From: Darren Gragg [mailto:admin@bsbks.com]
    > Sent: July 29, 2003 08:33
    > To: security-basics@securityfocus.com
    > Subject: source LAN port 137 dest 169.x
    >
    >
    > I am seeing some UDP packets showing up in my logs as being dropped that
    > have a source of 172 my local subnet with a port of 137 and a destination of
    > a 169.xxx.xxx.xxx address with a port of 137. What would that destination
    > be telling me? Any ideas? Thanks very much in advance.
    >
    > Darren Gragg
    > Network Administrator
    >
    >
    >
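
As an added example (not part of the original thread), the sketch below applies the explanation above to firewall logs: it picks out dropped UDP 137 replies from the local subnet to 169.254.0.0/16 and groups them by destination, which yields the self-assigned addresses of the machines that failed to reach a DHCP server. The log line format, the sample lines, the function name `find_apipa_hosts` and the 172.16.0.0/12 local range are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (the format is an assumption, not from the post).
SAMPLE_LOG = """\
Jul 29 08:31:02 fw DROP UDP 172.16.4.21:137 -> 169.254.87.12:137
Jul 29 08:31:02 fw DROP UDP 172.16.4.35:137 -> 169.254.87.12:137
Jul 29 08:31:09 fw DROP UDP 172.16.4.21:137 -> 169.254.201.5:137
Jul 29 08:32:40 fw DROP TCP 172.16.4.50:3312 -> 203.0.113.9:80
Jul 29 08:33:15 fw DROP UDP 172.16.4.21:138 -> 169.254.87.12:138
Jul 29 08:33:16 fw ACCEPT UDP 172.16.4.35:137 -> 172.16.255.255:137
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned (link-local) block
NBNS_PORT = 137                                 # NetBIOS name service


def find_apipa_hosts(log_text, local_net="172.16.0.0/12"):
    """Map each 169.254.x.x destination to the local hosts whose replies were dropped."""
    local = ipaddress.ip_network(local_net)  # assumed local range
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "DROP" or m["proto"] != "UDP":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Keep only port 137 -> port 137 traffic from the LAN to the APIPA block.
        if (src in local and dst in APIPA
                and int(m["sport"]) == NBNS_PORT and int(m["dport"]) == NBNS_PORT):
            hits[str(dst)].add(str(src))
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for addr, responders in sorted(find_apipa_hosts(SAMPLE_LOG).items()):
        print(f"{addr}: self-assigned address; replies from {', '.join(responders)}")
```

Each key in the result is an address to track down on the LAN (for example by matching it against switch or ARP tables) and check for DHCP connectivity.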


