[Snort-users] UDP 1434 - worm spoofing or not?
gmarcari at ...3033...
Sat Jan 25 12:51:05 EST 2003
From: "Glenn Forbes Fleming Larratt" <glratt at ...604...>
> Hold on a second here.
> According to the specification for DHCP (I think - can anyone
> quote chapter and verse, and/or RFC?), 169.254.0.0/16 is reserved
> for DHCP clients that don't get a lease.
I agree. That's APIPA (Automatic Private IP Addressing) kicking in: it gives
a host an address in that range when it is configured for DHCP but cannot find
a DHCP server.
> Is it possible that this is not deliberate spoofing per se,
> but a DHCP-enabled infected machine that someone plugged into
> your non-DHCP network? Since the traffic is UDP, it wouldn't
> necessarily matter that it's spoofed for the purposes of worm
I would agree except for one single thing: if the client didn't find a DHCP
server, and had to revert to APIPA, how did it find the router's address, to
send packets out onto the 'net? :-)
> Has everybody got their egress filtering working ? :)
I didn't even try to touch the Snort rulebase - just added a quick 'n' dirty
"deny udp any any eq 1434" on my border router's ACL.
> Glenn Forbes Fleming Larratt
> Rice University Network Management
> glratt at ...604...