Outgoing Connections 169.254.98.x

on 09.02.2007 06:13:48 by Will

I've got an outgoing connection on one of our firewalls to 169.254.98.x.
I thought this was the Class C that Microsoft assigns by default? The
outgoing connection is to the Lotus Notes port (destination port = 1352), so
that looks very suspicious. Should I be concerned about that?

--
Will

Re: Outgoing Connections 169.254.98.x

on 09.02.2007 14:18:28 by Eirik Seim

On Thu, 8 Feb 2007 21:13:48 -0800, Will wrote:
> I've got an outgoing connection on one of our firewalls to 169.254.98.x.
> I thought this was the Class C that Microsoft assigns by default? The
> outgoing connection is to the Lotus Notes port (destination port = 1352), so
> that looks very suspicious. Should I be concerned about that?

I would suspect plain old networking issues like dns or dhcp, possibly
a combination, spiced up with connectivity challenged workstations.
That destination address is not going anywhere past your ISP at best,
so I wouldn't lose sleep over this.

Anyhow, 169.254/16 are considered not routable (rfc 3927), so treat
it like rfc1918-addresses and drop it at the firewall.

--
New and exciting signature!

Re: Outgoing Connections 169.254.98.x

on 09.02.2007 20:45:00 by ibuprofin

On Thu, 8 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Will wrote:

>I've got an outgoing connection on one of our firewalls to 169.254.98.x.
>I thought this was the Class C that Microsoft assigns by default?

3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
TXT=16200 bytes) (Status: INFORMATIONAL)

3927 Dynamic Configuration of IPv4 Link-Local Addresses. S. Cheshire,
B. Aboba, E. Guttman. May 2005. (Format: TXT=83102 bytes) (Status:
PROPOSED STANDARD)

A pair of RFCs that you can find with any search engine. 169.254.x.x
is used by windoze and Macintosh boxes when the DHCP server is not
handing out addresses. Briefly, in that case, your windoze box reaches
up its a$$ and grabs a random address in the range 169.254.0.1 to
169.254.255.254 and uses that for local only network communications.
Any router should be silently discarding these packets as unroutable.

>The outgoing connection is to the Lotus Notes port (destination port
>= 1352), so that looks very suspicious.

No - just some user on your LAN trying to check his mail. If you
sniffed the packets, you may see his username.

>Should I be concerned about that?

If you are sure your DHCP server is correctly configured, then the
owner of the mis-configured computer on your LAN may come whining
to the hell-desk about the Internet being down. If you allow random
computers to connect to your LAN, you'll have to fix the broken
configuration - possibly a personal firewall on the b0rken box.

If you don't have a DHCP server, then either you have a visitor on your
wires, or one of your users has been dinking with the configuration of
his computer. Some network administrators frown on that.

Old guy
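
Added example, not part of any post in this thread: a Python sketch of the check the replies describe, flagging outbound firewall log entries whose destination is link-local (RFC 3927) or RFC 1918 and grouping them by internal source so the misconfigured host can be tracked down. The log format, the helper names and every address in the sample are constructed for illustration, and the log is assumed to come from the Internet-facing interface.

```python
import ipaddress
import re
from collections import defaultdict

# Destinations that should never be forwarded out of the Internet-facing interface.
NON_ROUTABLE = {
    "link-local (RFC 3927)": ["169.254.0.0/16"],
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
# Constructed log format (an assumption, not any real firewall's syntax).
LINE_RE = re.compile(r"\bOUT\b.*?src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")
# Constructed sample log lines.
SAMPLE_LOG = """\
2007-02-08T21:13:48 ALLOW OUT src=192.168.10.57 dst=169.254.98.12 dport=1352
2007-02-08T21:13:51 ALLOW OUT src=192.168.10.57 dst=169.254.98.12 dport=1352
2007-02-08T21:14:02 ALLOW OUT src=192.168.10.23 dst=198.51.100.7 dport=443
2007-02-08T21:14:09 ALLOW OUT src=192.168.10.80 dst=10.1.2.3 dport=53
2007-02-08T21:14:15 ALLOW OUT src=192.168.10.80 dst=not-an-ip dport=53
2007-02-08T21:14:20 DENY IN src=203.0.113.9 dst=192.168.10.23 dport=22
"""

def classify(dst):
    """Return the label of the non-routable range containing dst, else None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None  # malformed address field, cannot be classified
    for label, cidrs in NON_ROUTABLE.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return label
    return None

def find_leaks(log_text):
    """Map each internal source to a hit count per (dst, dport, label) flow."""
    leaks = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # inbound or unparseable line
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        label = classify(dst)
        if label:
            leaks[src][(dst, dport, label)] += 1
    return {src: dict(flows) for src, flows in leaks.items()}

if __name__ == "__main__":
    for src, flows in find_leaks(SAMPLE_LOG).items():
        for (dst, dport, label), n in flows.items():
            print(f"{src} -> {dst}:{dport} [{label}] x{n}")
```

The source addresses it reports are the hosts to check for a failed DHCP lease or a hand-edited configuration; the matching egress rule is a drop on the same ranges.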