169.254.101.152

Lately I get strange hits from 169.254.101.152. They are usually TCP packets directed at port 2053, 2088 or something else in the 20xx range. WTF?

That host does not respond to pings. I tried hitting it on various ports in the 2k+ range with netcat, but the machine simply does not seem to exist. It's either a spoffed IP or a very well cloaked system.

This is what I get from a whois query:


Szaman2@grendel ~
$ whois 169.254.101.152

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional
information.
RegDate: 1998-01-27
Updated: 2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned
Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned
Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2005-12-06 19:10
# Enter ? for additional hints on searching ARIN's
# WHOIS database.



Any clue why I get these hits 2-3 times a day?

Further investigation gave me this:

From RFC 3330 169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.

So a lost node that can't obtain IP from a DHCP will get assigned a 169.254.x.x address. Question is, why do I get packets from that address bouncing against my firewall? Misconfigured node on the network maybe? Very strange.

Tags: ip, internet, firewall, hit, attack, question, 169.254.101.152, strange ip