169.254.101.152

Lately I get strange hits from 169.254.101.152. They are usually TCP packets directed at port 2053, 2088 or something else in the 20xx range. WTF?

That host does not respond to pings. I tried hitting it on various ports in the 2k+ range with netcat, but the machine simply does not seem to exist. It’s either a spoofed IP or a very well cloaked system.

This is what I get from a whois query:


Szaman2@grendel ~
$ whois 169.254.101.152

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional
information.
RegDate: 1998-01-27
Updated: 2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned
Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned
Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2005-12-06 19:10
# Enter ? for additional hints on searching ARIN's
# WHOIS database.

Any clue why I get these hits 2-3 times a day?

Further investigation gave me this:

From RFC 3330:

169.254.0.0/16 – This is the “link local” block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found.

So a lost node that can’t obtain an IP from a DHCP server will get assigned a 169.254.x.x address. Question is, why do I get packets from that address bouncing against my firewall? Misconfigured node on the network maybe? Very strange.
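An added example, not part of the original post: routers do not forward link-local traffic, so a 169.254.x.x source should be a node on the same link, and the source MAC recorded by the firewall is the quickest way to locate it. The sketch assumes iptables-style LOG lines; the log lines, host name, addresses and MACs below are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style (an assumed log format).
SAMPLE_LOG = """\
Dec  6 09:14:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:0c:29:aa:bb:cc:08:00 SRC=169.254.101.152 DST=192.168.1.10 LEN=48 PROTO=TCP SPT=1046 DPT=2053
Dec  6 13:40:51 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:0c:29:aa:bb:cc:08:00 SRC=169.254.101.152 DST=192.168.1.10 LEN=48 PROTO=TCP SPT=1051 DPT=2088
Dec  6 14:02:17 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:de:ad:be:ef:01:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40112 DPT=22
Dec  6 19:05:33 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:0c:29:aa:bb:cc:08:00 SRC=169.254.101.152 DST=192.168.1.10 LEN=48 PROTO=TCP SPT=1060 DPT=2053
Dec  6 19:05:40 fw kernel: truncated entry SRC=not-an-ip
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def source_mac(mac_field):
    """iptables logs MAC= as dst(6):src(6):ethertype(2); return the src part."""
    parts = mac_field.split(":")
    return ":".join(parts[6:12]) if len(parts) == 14 else None


def link_local_hits(log_text):
    """Group log entries whose source address is link-local, keyed by source IP."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "macs": set()})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # missing or malformed SRC field
        if not src.is_link_local:  # 169.254.0.0/16 (and fe80::/10 for IPv6)
            continue
        entry = hits[str(src)]
        entry["count"] += 1
        if fields.get("DPT", "").isdigit():
            entry["ports"].add(int(fields["DPT"]))
        mac = source_mac(fields.get("MAC", ""))
        if mac:
            entry["macs"].add(mac)
    return {ip: {"count": e["count"], "ports": sorted(e["ports"]),
                 "macs": sorted(e["macs"])} for ip, e in hits.items()}


if __name__ == "__main__":
    for ip, info in link_local_hits(SAMPLE_LOG).items():
        print(ip, info)
```

The MAC it reports can then be matched against the switch's address table or the DHCP server's lease history to find the port or device that fell back to auto-configuration.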


One Response to 169.254.101.152

  1. Jim says:

    I received the same thing–EZ Firewall popped up with a request for a new network connection 169.254.0.0. I did not allow it permission and have not noticed any impact on my network. Thank you for sharing what you have found!
