From: Arnt K. <ar...@c2...> - 2003-07-09 14:16:09
On Wed, 9 Jul 2003 11:15:24 +0100, "Matt Dale" <mat...@nt...> wrote in message <001901c34603$034dc360$0a00a8c0@dale>:

> Yesterday, I picked up two of these:
> 12:12:02 input eth0 UDP 169.254.158.219 137(NETBIOS-NS)
> 169.254.255.255 137(NETBIOS-NS)
>
> For a start, I should even be seeing that as I have this line in
> /etc/rc.d/rc.firewall.up:
>
> ipchains -A input -p UDP -i $RED_DEV --destination-port 137 -j DENY

..which obsolete ipcop? Current ipcop 1.3.x uses iptables.

> However, I suspect the reason I am seeing it is because of the
> destination address.
>
> My networking protocol knowledge isn't "all that", but if I recall
> correctly, something sent to x.x.x.255 is a broadcast right?

..often is, but by all means do all checks.

> Ok, which would be fair enough if I was in that subnet.
>
> Or, for that matter, if my red IP even had the same STARTING digit
> (without giving away my entire IP, it starts 81.102.x.x - the NTL ISP
> range in the UK).
>
> So can someone explain how on earth my IPCop box is picking up what
> looks like a bulk netbios attack on an IP range nowhere near mine?
>
> Is this some advanced use of IP spoofing or what?

..ssh in and run tcpdump on your red wire, 'tcpdump --help' for the wee details.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
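
One way to "do all checks" on the quoted log entry, as an added example that is not part of the original message: parse the entry and test whether the destination is a broadcast for a given subnet, which depends on the netmask and not on a trailing .255. The line format is inferred from the single entry quoted above, the RED subnet is a placeholder because the poster's address and netmask are not given, and 169.254.0.0/16 is the link-local autoconfiguration range (RFC 3927).

```python
import ipaddress
import re

# Constructed sample: the log entry quoted in the message, joined onto one line.
LOG_LINE = ("12:12:02 input eth0 UDP 169.254.158.219 137(NETBIOS-NS) "
            "169.254.255.255 137(NETBIOS-NS)")

# Assumption: placeholder RED subnet (TEST-NET-1), not the poster's real one.
RED_NET = ipaddress.ip_network("192.0.2.0/24")
# Link-local autoconfiguration range (RFC 3927).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Format inferred from the one entry on the page: time chain iface proto
# src sport(name) dst dport(name); the "(name)" suffix is treated as optional.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<chain>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)(?:\(\S+\))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)(?:\(\S+\))?$"
)


def is_subnet_broadcast(addr, net):
    """True only if addr is the broadcast address of net (netmask-aware)."""
    return ipaddress.ip_address(addr) == ipaddress.ip_network(net).broadcast_address


def classify(line, red_net=RED_NET):
    """Parse one log entry and report how its addresses relate to RED."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    return {
        "iface": m["iface"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
        "src_link_local": src in LINK_LOCAL,
        "dst_link_local_broadcast": dst == LINK_LOCAL.broadcast_address,
        "src_on_red_subnet": src in red_net,
        "dst_is_red_broadcast": dst == red_net.broadcast_address,
    }


if __name__ == "__main__":
    for key, value in classify(LOG_LINE).items():
        print(key, "=", value)
```

A source inside 169.254.0.0/16 combined with the broadcast of that same range points at a host on the local RED segment that has auto-assigned itself an address; the tcpdump capture suggested in the reply would confirm which device it is.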