169.254.101.152
Lately I get strange hits from 169.254.101.152. They are usually TCP packets directed at port 2053, 2088 or something else in the 20xx range. WTF?
That host does not respond to pings. I tried hitting it on various ports in the 2k+ range with netcat, but the machine simply does not seem to exist. It's either a spoofed IP or a very well cloaked system.
This is what I get from a whois query:
Szaman2@grendel ~
$ whois 169.254.101.152
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional
information.
RegDate: 1998-01-27
Updated: 2002-10-14
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned
Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned
Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
# ARIN WHOIS database, last updated 2005-12-06 19:10
# Enter ? for additional hints on searching ARIN's
# WHOIS database.
Any clue why I get these hits 2-3 times a day?
Further investigation gave me this:
From RFC 3330:
169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.
So a lost node that can't obtain an IP from a DHCP server will get assigned a 169.254.x.x address. Question is, why do I get packets from that address bouncing against my firewall? Misconfigured node on the network maybe? Very strange.
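One way to chase down the "misconfigured node" theory, as an added example that is not part of the original post: routers are not supposed to forward link-local traffic, so the sender is normally on the same segment and the source MAC in the firewall log identifies it. The log lines below are constructed and assume an iptables-LOG-style format (the post does not say which firewall logged the hits); `link_local_sources` is a hypothetical helper name.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style (an assumption; the post does
# not say which firewall produced the hits). MAC= is dst(6) + src(6) + type(2).
SAMPLE_LOG = """\
Dec  6 09:14:02 fw kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:01:08:00 SRC=169.254.101.152 DST=192.168.1.10 PROTO=TCP SPT=1042 DPT=2053
Dec  6 13:40:51 fw kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:01:08:00 SRC=169.254.101.152 DST=192.168.1.10 PROTO=TCP SPT=1043 DPT=2088
Dec  6 14:02:17 fw kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=22
Dec  6 19:05:33 fw kernel: DROP IN=eth0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:01:08:00 SRC=169.254.101.152 DST=192.168.1.10 PROTO=TCP SPT=1044 DPT=2053
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def link_local_sources(log_text):
    """Group hits whose source is in 169.254.0.0/16 by (source MAC, source IP).

    Returns {(mac, ip): sorted list of destination ports}.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # not a TCP/UDP packet line, or malformed
        if not (src.version == 4 and src.is_link_local):
            continue
        octets = fields.get("MAC", "").split(":")
        # Octets 6..11 of the logged Ethernet header are the sender's MAC.
        src_mac = ":".join(octets[6:12]) if len(octets) >= 12 else "unknown"
        hits[(src_mac, str(src))].add(dport)
    return {key: sorted(ports) for key, ports in hits.items()}

if __name__ == "__main__":
    for (mac, ip), ports in link_local_sources(SAMPLE_LOG).items():
        print(f"{ip} from MAC {mac}: ports {ports}")
```

The MAC it reports can then be matched against the switch's address table or the DHCP server's lease history to find the physical machine.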