[Snort-users] UDP 1434 - worm spoofing or not?

Glenn Forbes Fleming Larratt glratt at ...604...
Sat Jan 25 11:41:02 EST 2003


On Sat, 25 Jan 2003, jai wrote:

> Hi,
>
>  Internet traffic of INDIA's and ASIA's networks has been affected
> badly..... it's amazing.... seriously Microsoft sucks..
>  but it's fun !! :-)
>
> Well, I found something new in this ... I think this worm spoofs the IP address
> accordingly .... below is the
> tcpdump output, in which the host 169.254.198.47 is sending repeated
> packets to different networks...

 Hold on a second here.

 According to the specification for DHCP (I think - can anyone
 quote chapter and verse, and/or RFC?), 169.254.0.0/16 is reserved
 for DHCP clients that don't get a lease.

 Is it possible that this is not deliberate spoofing per se,
 but a DHCP-enabled infected machine that someone plugged into
 your non-DHCP network? Since the traffic is UDP, it wouldn't
 necessarily matter that it's spoofed for the purposes of worm
 propagation.

 Has everybody got their egress filtering working? :)

				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at ...604...
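An added example, not part of Glenn's message or of anything posted to the thread: a small Python script that applies the egress-filter logic he alludes to to tcpdump-style UDP lines, flagging packets whose source is link-local (169.254.0.0/16) or outside the site's own prefixes, and counting which sources are hammering UDP/1434. The sample capture lines, the site prefix 192.0.2.0/24 and all function names are constructed assumptions, not data from the original post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the classic tcpdump text format; they are not
# the poster's capture. 192.0.2.0/24 plays the role of the site's own prefix.
SAMPLE_TCPDUMP = """\
11:41:02.000001 169.254.198.47.1056 > 203.0.113.10.1434: udp 376
11:41:02.000532 169.254.198.47.1056 > 198.51.100.77.1434: udp 376
11:41:02.001044 192.0.2.25.1056 > 198.51.100.78.1434: udp 376
11:41:02.001911 192.0.2.40.53211 > 198.51.100.5.53: udp 41
11:41:02.002307 169.254.198.47.1056 > 192.0.2.99.1434: udp 376
11:41:02.002801 10.0.0.5.1056 > 198.51.100.9.1434: udp 376
"""

SITE_PREFIXES = ["192.0.2.0/24"]                       # assumed: addresses this site may source
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")    # auto-configured, never routable
SQL_RESOLUTION_PORT = 1434                             # the UDP port the thread is about

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)\s*$"
)


def parse_tcpdump(text):
    """Parse UDP lines of the old 'src.port > dst.port: udp len' format."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-UDP or unparsable line; skipped on purpose
        packets.append({
            "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "length": int(m["length"]),
        })
    return packets


def egress_violations(packets, site_prefixes=SITE_PREFIXES):
    """Packets an egress filter at the site border should drop, with the reason.

    Link-local sources are checked first: they can never legitimately cross a
    router, regardless of what the site's own prefixes are.
    """
    allowed = [ipaddress.ip_network(p) for p in site_prefixes]
    flagged = []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        if src in LINK_LOCAL:
            flagged.append((pkt, "link-local source, cannot legitimately cross a router"))
        elif not any(src in net for net in allowed):
            flagged.append((pkt, "source outside site prefixes (spoofed or misplugged host)"))
    return flagged


def udp1434_sources(packets):
    """Count packets per source address aimed at UDP/1434."""
    return Counter(p["src"] for p in packets if p["dport"] == SQL_RESOLUTION_PORT)


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_TCPDUMP)
    for pkt, why in egress_violations(pkts):
        print(f"DROP {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  ({why})")
    for src, n in udp1434_sources(pkts).most_common():
        print(f"{src} sent {n} packet(s) to udp/{SQL_RESOLUTION_PORT}")
```

Run against the constructed sample, the three 169.254.198.47 packets and the 10.0.0.5 packet are flagged while the 192.0.2.x hosts pass, which is exactly the distinction an egress filter draws: it does not tell you whether 169.254.198.47 is spoofing or just an unleased DHCP client, but it stops either one from leaving the site.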
