Terminally Incoherent

Utterly random, incoherent and disjointed rants and ramblings...

Wednesday, December 07, 2005

Lately I get strange hits from They are usually TCP packets directed at port 2053, 2088 or something else in the 20xx range. WTF?

That host does not respond to pings. I tried hitting it on various ports in the 2k+ range with netcat, but the machine simply does not seem to exist. It's either a spoffed IP or a very well cloaked system.

This is what I get from a whois query:

Szaman2@grendel ~
$ whois

OrgName: Internet Assigned Numbers Authority
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: -
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
Comment: Please see RFC 3330 for additional
RegDate: 1998-01-27
Updated: 2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned
Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned
Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2005-12-06 19:10
# Enter ? for additional hints on searching ARIN's
# WHOIS database.

Any clue why I get these hits 2-3 times a day?

Further investigation gave me this:

From RFC 3330 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.

So a lost node that can't obtain IP from a DHCP will get assigned a 169.254.x.x address. Question is, why do I get packets from that address bouncing against my firewall? Misconfigured node on the network maybe? Very strange.


Post a Comment

Links to this post:

Create a Link

<< Home