Re: UDP 1434 - worm spoofing or not?: msg#00053 (security.vulnerabilities)
On Sat, 25 Jan 2003, jai wrote:

> Hi,
>
> Internet traffic of INDIA's and ASIA's network has been affected
> badly.....its amazing....seriously microsoft sucks..
> but its fun !! :-)
>
> Well i found something new in this ... i think this worm spoofs IP address
> according ....below is the
> tcpdump output ..out which the host is ....169.254.198.47. sending repeated
> packets to different network...

Hold on a second here. According to the specification for DHCP (I think - can anyone quote chapter and verse, and/or RFC?), 169.254.0.0/16 is reserved for DHCP clients that don't get a lease.

Is it possible that this is not deliberate spoofing per se, but a DHCP-enabled infected machine that someone plugged into your non-DHCP network? Since the traffic is UDP, it wouldn't necessarily matter that it's spoofed for the purposes of worm propagation.

Has everybody got their egress filtering working? :)

Glenn Forbes Fleming Larratt
Rice University Network Management
glratt@xxxxxxxx

_______________________________________________
Snort-users mailing list
Snort-users@xxxxxxxxxxxxxxxxxxxxx
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
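
The egress-filtering check the message above asks about, as an added example that is not part of the original post: it reads `tcpdump -n` style lines captured at a site border and reports outbound UDP 1434 packets whose source address is link-local or otherwise not one of the site's own prefixes. The prefix 192.0.2.0/24, the function names and the sample lines are assumptions constructed for illustration; only the source address 169.254.198.47 comes from the quoted post.

```python
import ipaddress
import re

# Assumption: the prefixes this site legitimately originates traffic from.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# IPv4 link-local range, self-assigned when no DHCP lease is obtained (RFC 3927).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
WORM_PORT = 1434  # UDP port named in the thread subject

# Matches numeric tcpdump output: "IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)

def is_local(addr):
    return any(addr in net for net in LOCAL_PREFIXES)

def egress_violations(lines, port=WORM_PORT):
    """Return (src, dst, reason) for outbound packets an egress filter should drop."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if is_local(dst):
            continue  # inbound traffic: ingress filtering is a separate check
        if src in LINK_LOCAL:
            hits.append((str(src), str(dst), "link-local"))
        elif not is_local(src):
            hits.append((str(src), str(dst), "foreign"))
    return hits

# Constructed sample capture (not real traffic).
SAMPLE = [
    "12:01:07.101 IP 169.254.198.47.1030 > 198.51.100.9.1434: UDP, length 376",
    "12:01:07.102 IP 192.0.2.15.1045 > 203.0.113.77.1434: UDP, length 376",
    "12:01:07.103 IP 10.9.8.7.2222 > 198.51.100.20.1434: UDP, length 376",
    "12:01:07.104 IP 203.0.113.5.4000 > 192.0.2.15.1434: UDP, length 376",
    "12:01:07.105 IP 169.254.198.47.1030 > 198.51.100.9.5000: UDP, length 40",
]

if __name__ == "__main__":
    for src, dst, reason in egress_violations(SAMPLE):
        print(f"drop candidate: {src} -> {dst} ({reason} source)")
```

The second sample line is deliberately not reported: an infected host using its real local address passes a source-address egress filter, so that case needs a port-based block or host cleanup instead.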