Lately I get strange hits from They are usually TCP packets directed at port 2053, 2088 or something else in the 20xx range. WTF?

That host does not respond to pings. I tried hitting it on various ports in the 2k+ range with netcat, but the machine simply does not seem to exist. It’s either a spoofed IP or a very well cloaked system.

This is what I get from a whois query:

Szaman2@grendel ~
$ whois

OrgName: Internet Assigned Numbers Authority
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: -
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
Comment: Please see RFC 3330 for additional
RegDate: 1998-01-27
Updated: 2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned
Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned
Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2005-12-06 19:10
# Enter ? for additional hints on searching ARIN's
# WHOIS database.

Any clue why I get these hits 2-3 times a day?

Further investigation gave me this:

From RFC 3330 – This is the “link local” block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.

So a lost node that can’t obtain an IP from a DHCP server will get assigned a 169.254.x.x address. The question is, why do I get packets from that address bouncing against my firewall? Misconfigured node on the network maybe? Very strange.
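
One way to chase down such a node, as an added example that is not part of the original post: scan firewall log lines for sources inside the link-local block and pull out the sender's MAC address and the ports it tried. The netfilter LOG-style line format and every address in the sample are assumptions constructed for illustration; only the ports 2053 and 2088 come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# The RFC 3330 "link local" block quoted above.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample lines in netfilter LOG style (assumed format, not from the post).
SAMPLE_LOG = """\
Dec  6 10:02:11 grendel kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:01:08:00 SRC=169.254.10.20 DST=192.168.1.10 PROTO=TCP SPT=1045 DPT=2053
Dec  6 14:40:37 grendel kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:01:08:00 SRC=169.254.10.20 DST=192.168.1.10 PROTO=TCP SPT=1051 DPT=2088
Dec  6 15:01:02 grendel kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:02:08:00 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=4000 DPT=22
Dec  6 15:03:00 grendel kernel: IN=eth0 OUT= SRC=not-an-ip DST=192.168.1.10 PROTO=TCP SPT=1 DPT=2
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def link_local_hits(log_text):
    """Return {(src_ip, src_mac): sorted dest ports} for link-local sources."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # missing or malformed SRC field: skip the line
        if src.version != 4 or src not in LINK_LOCAL:
            continue
        # MAC= holds destination MAC (6 bytes), source MAC (6), EtherType (2).
        octets = fields.get("MAC", "").split(":")
        src_mac = ":".join(octets[6:12]) if len(octets) == 14 else "unknown"
        dpt = fields.get("DPT", "")
        if dpt.isdigit():
            hits[(str(src), src_mac)].add(int(dpt))
    return {key: sorted(ports) for key, ports in hits.items()}


if __name__ == "__main__":
    for (ip, mac), ports in link_local_hits(SAMPLE_LOG).items():
        print(f"{ip} (source MAC {mac}) -> ports {ports}")
```

Routers do not forward packets with a link-local source, so the source MAC normally belongs to a device on the same segment and can be matched against switch or ARP tables to find the misconfigured node.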

