Actually, probes to the range of 137-139 aren't that unusual.
netbios-ns    137/tcp   #NETBIOS Name Service
netbios-ns    137/udp   #NETBIOS Name Service
netbios-dgm   138/tcp   #NETBIOS Datagram Service
netbios-dgm   138/udp   #NETBIOS Datagram Service
netbios-ssn   139/tcp   #NETBIOS Session Service
netbios-ssn   139/udp   #NETBIOS Session Service
For the most part, they are misconfigured Window$ boxes that go looking for hosts via netBIOS outward onto the Internet during bootup. (They should only be looking within their local network neighborhood.)
But this is the first time I've seen something like this...
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
snort:
Feb 20 05:45:44 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:45:44 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:45:45 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:45:45 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
So basically you've got two widely separated hosts sending netBIOS name service requests to me, on my dynamic IP address, simultaneously.
What's the full snort log?
02/20-05:45:44.299243 169.254.121.26:137 -> 12.82.128.114:137
UDP TTL:111 TOS:0x0 ID:55568 IpLen:20 DgmLen:78
Len: 58
24 35 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  $5.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/20-05:45:44.319230 211.228.134.118:137 -> 12.82.128.114:137
UDP TTL:110 TOS:0x0 ID:55569 IpLen:20 DgmLen:78
Len: 58
24 37 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  $7.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/20-05:45:45.799431 211.228.134.118:137 -> 12.82.128.114:137
UDP TTL:110 TOS:0x0 ID:55572 IpLen:20 DgmLen:78
Len: 58
24 39 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  $9.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/20-05:45:45.809445 169.254.121.26:137 -> 12.82.128.114:137
UDP TTL:111 TOS:0x0 ID:55573 IpLen:20 DgmLen:78
Len: 58
24 3B 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  $;.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

<snip>
That $;..........CKAAAAAAAAAAAAAAAAAAAAAAAAAA..! stuff looks like normal (if that's the word..) M$ netBIOS stuff..
OK... Whois these guys? (heh..)
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

IANA (NETBLK-LINKLOCAL)
   Internet Assigned Numbers Authority
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695
   US

   Netname: LINKLOCAL
   Netblock: 169.254.0.0 - 169.254.255.255

   Coordinator:
      Internet Corporation for Assigned Names and Numbers  (IANA-ARIN)  res-ip@iana.org
      (310) 823-9358

   Domain System inverse mapping provided by:

   BLACKHOLE-1.IANA.ORG         192.0.32.18
   BLACKHOLE-2.IANA.ORG         192.0.32.19
hmm.. inverse mapping delegated to BLACKHOLE-1.IANA.ORG (192.0.32.18) usually means that the IP range is assigned to some private, non-routable usage...
Netname: LINKLOCAL?
Off to google...
Here's one reference at www.ietf.org (the zeroconf working group's draft on IPv4 link-local addressing):
"This document describes a method by which a host may automatically configure an interface with an IPv4 address in the 169.254/16 prefix that is valid for link-local communication on that interface. This is especially valuable in environments where no other configuration mechanism is available.

2.5 Link-Local Addresses Are Not Forwarded

Any host sending an IPv4 packet with a source and/or destination address in the 169.254/16 prefix MUST set the TTL in the IP header to 255. Any host receiving an IPv4 packet whose source and/or destination address is in the 169.254/16 prefix MUST discard the packet if the TTL in the IP header is not 255. This is to guard against misconfigured routers which may allow packets to leak in from outside the local link. Since even the most dysfunctional router will decrement the TTL in the IP header, a host receiving a packet with a TTL less than 255 can detect that it originated outside the local link.

An IPv4 packet whose source and/or destination address is in the 169.254/16 prefix MUST NOT be sent to any router for forwarding, and any network device receiving such a packet MUST NOT forward it, regardless of the TTL in the IP header."
(My emphasis)
So that's a little puzzling: how did these 169.254.121.26-sourced packets *get* here?
Maybe too many routers are not configured properly for such "modern" stuff...
And look at the TTLs of all of 'em: 111 for the 169.254.x.x packets and 110 for the 211.228.x.x ones -- if these were legitimate link-local packets they would have been sent with a TTL of 255 and never crossed a router at all, so anything arriving at 111 or 110 is exactly what the text above says a receiving host must discard.
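The payload and the TTL rule can both be checked mechanically. The block below is an added example, not code from the original post; it assumes Python 3 with only the standard library. The packet headers and the hex bytes are copied from the snort dump above (snort's two header lines joined into one each), and the other three payloads are rebuilt from the first because the dump shows they differ only in the transaction ID. Decoding shows what the CKAAAA... label is: the RFC 1001 first-level encoding of the wildcard name "*", and qtype 0x21 makes each packet a NetBIOS node-status (NBSTAT) request, the same query nbtstat -A sends. Windows hosts of that era send with an initial TTL of 128, so 111 and 110 look like 17 or 18 hops, not a packet that started at 255. One further inference, mine and not the author's: the IP IDs (55568, 55569, 55572, 55573) and the NBNS transaction IDs (0x2435, 0x2437, 0x2439, 0x243B) interleave across the two source addresses as one counter, which is what a single host sending from two addresses would produce rather than two independent hosts; the block tests for that pattern as well.

```python
"""Decode the NBNS queries from the snort dump above and apply the link-local
TTL rule to the packets that carried them.  Added example, not the original
post's code; Python 3 standard library only."""
import ipaddress
import re
import struct

# Payload of the first packet in the dump: the 50 bytes after the UDP header
# (snort's "Len: 58" is 8 bytes of UDP header plus these 50).  Constructed input.
SAMPLE_PAYLOAD = bytes.fromhex(
    "24 35 00 10 00 01 00 00 00 00 00 00 20 43 4B 41"
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41"
    "41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21"
    "00 01"
)
# The four packets in the dump differ only in the transaction ID
# (0x2435, 0x2437, 0x2439, 0x243B), so the other three are rebuilt from the first.
SAMPLE_PAYLOADS = [bytes([0x24, t]) + SAMPLE_PAYLOAD[2:] for t in (0x35, 0x37, 0x39, 0x3B)]

# The four packet headers from the dump, each joined onto one line.  Constructed input.
SNORT_HEADERS = """\
02/20-05:45:44.299243 169.254.121.26:137 -> 12.82.128.114:137 UDP TTL:111 TOS:0x0 ID:55568 IpLen:20 DgmLen:78
02/20-05:45:44.319230 211.228.134.118:137 -> 12.82.128.114:137 UDP TTL:110 TOS:0x0 ID:55569 IpLen:20 DgmLen:78
02/20-05:45:45.799431 211.228.134.118:137 -> 12.82.128.114:137 UDP TTL:110 TOS:0x0 ID:55572 IpLen:20 DgmLen:78
02/20-05:45:45.809445 169.254.121.26:137 -> 12.82.128.114:137 UDP TTL:111 TOS:0x0 ID:55573 IpLen:20 DgmLen:78
"""

SNORT_HDR = re.compile(
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"UDP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
QTYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status)"}


def decode_nb_name(encoded):
    """Undo RFC 1001 first-level encoding: each of the 16 name bytes is sent as two
    nibbles, each nibble as chr(ord('A') + nibble), giving 32 bytes in 'A'..'P'.
    Returns (15-char name with padding stripped, the 16th 'suffix' byte)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def parse_nbns_query(payload):
    """Parse the 12-byte NBNS header and its single question (RFC 1002 4.2.1)."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    if payload[pos] != 32:
        raise ValueError("question name is not a 32-byte encoded label")
    encoded = payload[pos + 1:pos + 33]
    pos += 33
    if payload[pos] != 0:                      # the root label ends the name
        raise ValueError("unexpected scope label")
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    name, suffix = decode_nb_name(encoded)
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,         # 0 = QUERY
        "broadcast": bool(flags & 0x0010),     # the B bit of NM_FLAGS
        "name": name,
        "suffix": suffix,
        "qtype": qtype,
        "qtype_name": QTYPES.get(qtype, "unknown"),
        "qclass": qclass,
    }


def parse_headers(text):
    """Pull source, destination, TTL and IP ID out of snort packet header lines."""
    recs = []
    for line in text.splitlines():
        m = SNORT_HDR.match(line)
        if m:
            recs.append({"src": m["src"], "dst": m["dst"],
                         "ttl": int(m["ttl"]), "ipid": int(m["ipid"])})
    return recs


def link_local_verdict(src, dst, ttl):
    """The rule quoted above: a packet with a 169.254/16 source or destination must
    arrive with TTL 255 (it may never cross a router); anything else is discarded."""
    if not (ipaddress.ip_address(src) in LINK_LOCAL or ipaddress.ip_address(dst) in LINK_LOCAL):
        return "not link-local"
    return "accept" if ttl == 255 else "discard"


def counter_interleaved(values, sources):
    """True when values seen from more than one source form, in arrival order, one
    increasing sequence.  Independent hosts keep independent IP ID and NBNS
    transaction ID counters, so this pattern points to a single sending stack."""
    return len(set(sources)) > 1 and all(a < b for a, b in zip(values, values[1:]))


def analyse(headers_text, payloads):
    recs = parse_headers(headers_text)
    queries = [parse_nbns_query(p) for p in payloads]
    srcs = [r["src"] for r in recs]
    return {
        "verdicts": [(r["src"], r["ttl"], link_local_verdict(r["src"], r["dst"], r["ttl"]))
                     for r in recs],
        "ipid_shared": counter_interleaved([r["ipid"] for r in recs], srcs),
        "txid_shared": counter_interleaved([q["txid"] for q in queries], srcs),
        "queries": queries,
    }


if __name__ == "__main__":
    result = analyse(SNORT_HEADERS, SAMPLE_PAYLOADS)
    q = result["queries"][0]
    print(f"NBNS txid=0x{q['txid']:04x} opcode={q['opcode']} {q['qtype_name']} "
          f"for name {q['name']!r} suffix=0x{q['suffix']:02x} B={q['broadcast']}")
    for src, ttl, verdict in result["verdicts"]:
        print(f"{src:16} TTL {ttl}: {verdict}")
    print("IP IDs interleaved across both sources:", result["ipid_shared"])
    print("NBNS transaction IDs interleaved too:  ", result["txid_shared"])
```

Run it as-is and the link-local packets come back "discard" while the KORNET ones are simply "not link-local"; the two counter checks both come back True for the four packets in the dump. To apply the same test to the longer ipchains log further down, feed `counter_interleaved` the `I=` values in order, since the kernel log carries the same IP IDs.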
Here's another reference, at Micro$oft..
"In Windows Me, you can use the Automatic Private IP Addressing feature of Transmission Control Protocol/Internet Protocol (TCP/IP) to assign a unique Internet protocol (IP) address to a network adapter. This may be useful if you have a small network that does not have a DHCP server. With automatic private IP addressing, you can assign a unique IP address to your network adapter by using the LINKLOCAL network IP address space. LINKLOCAL network addresses always begin with the numbers 169.254 and have the following format:
169.254.X.X
"LINKLOCAL network addresses are used only for private, internal addresses, and are not valid for host computers that are "visible" on the Internet. They cannot be used for computers that are linked by Internet Connection Sharing (ICS)."
"With automatic IP addressing, the IP address can be configured automatically. This method decreases administration time and means that IP addresses can be reused. Also, this method is recommended for all sizes of networks that do not have a direct Internet connection or available DHCP service."
Whois dat?
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)

inetnum:      211.226.0.0 - 211.231.255.255
netname:      KORNET
descr:        KOREA TELECOM
descr:        KOREA TELECOM Internet Operating Center
country:      KR
admin-c:      DL276-AP
tech-c:       WK81-AP
remarks:      ******************************************
remarks:      Allocated to KRNIC Member.
remarks:      If you would like to find assignment
remarks:      information in detail please refer to
remarks:      the KRNIC Whois Database at:
remarks:      http://whois.nic.or.kr/english/index.html
remarks:      ******************************************

# ENGLISH

IP Address        : 211.228.128.0-211.228.139.255
Network Name      : KORNET-XDSL-KUMI
Connect ISP Name  : KORNET
Connect Date      : 20010602
Registration Date : 20010604

[ Organization Information ]
Orgnization ID    : ORG201037
Org Name          : KUMI NODE
State             : KYONGBUK
Address           : 48 SONGJEONGDONG KUMISI
Zip Code          : 730-090

[ Admin Contact Information]
Name              : GilSoon Park
Org Name          : KOREA TELECOM
State             : SEOUL
Address           : 128-9 Youngundong Chongroku
Zip Code          : 110-460
Phone             : +82-2-747-9213
Fax               : +82-2-766-5901
E-Mail            : gspark@kornet.net

[ Technical Contact Information ]
Name              : Won Kang
Org Name          : KOREA TELECOM
State             : SEOUL
Address           : 128-9 Youngundong Chongroku
Zip Code          : 110-460
Phone             : +82-2-747-9213
Fax               : +82-2-766-5901
E-Mail            : ip@ns.kornet.net
OK: I don't mean to be weird, but a *lot* of funky stuff comes out of Korea...
...so is this just netBIOS/Micro$oft-linklocal weirdness, or
Feb 20 05:45:47 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:45:47 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:45:48 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:45:48 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:45:50 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:45:50 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:45:51 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:45:51 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:50:19 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:50:19 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:50:21 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:50:21 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:50:22 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:50:22 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:50:24 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:50:24 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:50:25 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
Feb 20 05:50:25 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:50:27 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 169.254.121.26:137 -> 12.82.128.114:137
Feb 20 05:50:27 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 211.228.134.118:137 -> 12.82.128.114:137
ipchains for the entire event:
Feb 20 05:45:44 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=55568 F=0x0000 T=111 (#26)
Feb 20 05:45:44 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=55569 F=0x0000 T=110 (#26)
Feb 20 05:45:45 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=55572 F=0x0000 T=110 (#26)
Feb 20 05:45:45 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=55573 F=0x0000 T=111 (#26)
Feb 20 05:45:47 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=55579 F=0x0000 T=111 (#26)
Feb 20 05:45:47 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=55580 F=0x0000 T=110 (#26)
Feb 20 05:45:48 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=55583 F=0x0000 T=111 (#26)
Feb 20 05:45:48 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=55584 F=0x0000 T=110 (#26)
Feb 20 05:45:50 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=55587 F=0x0000 T=110 (#26)
Feb 20 05:45:50 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=55588 F=0x0000 T=111 (#26)
Feb 20 05:45:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=55592 F=0x0000 T=111 (#26)
Feb 20 05:45:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=55593 F=0x0000 T=110 (#26)
Feb 20 05:50:19 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=56507 F=0x0000 T=111 (#26)
Feb 20 05:50:19 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=56508 F=0x0000 T=110 (#26)
Feb 20 05:50:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=56512 F=0x0000 T=110 (#26)
Feb 20 05:50:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=56513 F=0x0000 T=111 (#26)
Feb 20 05:50:22 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=56518 F=0x0000 T=111 (#26)
Feb 20 05:50:22 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=56519 F=0x0000 T=110 (#26)
Feb 20 05:50:24 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=56523 F=0x0000 T=111 (#26)
Feb 20 05:50:24 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=56524 F=0x0000 T=110 (#26)
Feb 20 05:50:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=56526 F=0x0000 T=110 (#26)
Feb 20 05:50:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=56527 F=0x0000 T=111 (#26)
Feb 20 05:50:27 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 169.254.121.26:137 12.82.128.114:137 L=78 S=0x00 I=56532 F=0x0000 T=111 (#26)
Feb 20 05:50:27 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 211.228.134.118:137 12.82.128.114:137 L=78 S=0x00 I=56533 F=0x0000 T=110 (#26)