[Snort-users] UDP 1434 - worm spoofing or not?

Gianluca Marcari gmarcari at ...3033...
Sat Jan 25 12:51:05 EST 2003


From: "Glenn Forbes Fleming Larratt" <glratt at ...604...>

>  Hold on a second here.
>
>  According to the specification for DHCP (I think - can anyone
>  quote chapter and verse, and/or RFC?), 169.254.0.0/16 is reserved
>  for DHCP clients that don't get a lease.

I agree. That's APIPA (Automatic Private IP Addressing) kicking in: it gives
you an address in that range when it is configured for DHCP but cannot find
a DHCP server.

>  Is it possible that this is not deliberate spoofing per se,
>  but a DHCP-enabled  infected machine that someone plugged into
>  your non-DHCP network? Since the traffic is UDP, it wouldn't
>  necessarily matter that it's spoofed for the purposes of worm
>  propagation.

I would agree except for one single thing: if the client didn't find a DHCP
server, and had to revert to APIPA, how did it find the router's address, to
send packets out onto the 'net? :-)

>  Has everybody got their egress filtering working ? :)

I didn't even try to touch the Snort rulebase - just added a quick'n dirty
"deny udp any any eq 1434" on my border router's ACL


> Glenn Forbes Fleming Larratt
> Rice University Network Management
> glratt at ...604...

Ciao
Gianluca Marcari





More information about the Snort-users mailing list