[SC-Help] Re: Inbound UDP
Mike Easter
MikeE at ster.invalid
Mon Oct 24 20:45:57 EDT 2005
Fred K. wrote:
> I got this and am wondering what to do besides nothing.
>
>
> 10/24/2005 2:11:55 PM,"Rule ""Default Block Bla Trojan horse"" blocked
> (169.254.249.73,1042).","Rule ""Default Block Bla Trojan horse""
Many so-called software or personal 'firewalls' 'name' something [Bla
Trojan horse] by some kind of characteristic, such as the port 1042,
which isn't necessarily or even likely specific.
There's a real problem with my using a term like 'firewall' which has
one kind of popular usage about software which is unacceptable to
firewall professionals. They want that term to refer to a seriously
competent hardware based firewall which has also been 'officially'
tested by an approved firewall 'agency'. They aren't even happy about
hardware NAT devices and other 'homemade' linux firewall boxen being
called 'firewalls'.
Thus anytime you or 'we' use the term, I/we/you should either get into
some long explanation of what is really meant, or not use the term at
all.
Like 'bounce' - which means such widely disparate things that its
ambiguity makes it useless without a definition of the meaning of the
term in the actual context in which it is used.
Back to your alleged 'firewall' information....
> blocked (169.254.249.73,1042). Inbound UDP packet. Local
> address,service is (localhost,1042). Remote address,service is
> (169.254.249.73,1042). Process name is ""N/A""."
>
> NetRange: 169.254.0.0 - 169.254.255.255
That family of IPs is non-routable because IANA sez this in RFC 3330:
// 169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not be
found. //
Since I *hate* to read RFCian, I can't really tell you what those words
mean.
But, all my WallWatcher who is keeping logs for my NAT device would do
with that information would be to compile it in its logs, the NAT would
block the ingress, and my WallWatcher to DShield program would
automatically send the information to DShield to be compiled with the
over 1 billion reports which are submitted to DShield each month.
> Is Blachole compromised?
Anything is possible, but I doubt it.
> what significance does ",1042" at the end of
> the IP have?
That's the port; neohapsis db calls that udp and tcp probe 'BLAtrojan'
which is what your firewall is telling you.
It is also afrog subnet roaming according to IANA.
--
Mike Easter
kibitzer, not SC admin
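Added example (not part of the original thread, and not code from WallWatcher, DShield or the firewall vendor): a small Python script that parses log entries of the shape quoted above, classifies the remote address by the RFC 3330 block it falls in (169.254.0.0/16 is the link-local block), and flags that the rule name is keyed to the port number rather than to anything specific about the sender. The first log line is the one quoted in this message; the other two lines and the address 8.8.8.8 are constructed for the example, and the regular expressions are an assumption about the log format based on that single quoted entry.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample input: the first line is the entry quoted above, the
# other two are made up here in the same format to show that the same rule
# fires for any source address once the port matches.
SAMPLE_LOG = [
    '10/24/2005 2:11:55 PM,"Rule ""Default Block Bla Trojan horse"" blocked '
    '(169.254.249.73,1042).","Rule ""Default Block Bla Trojan horse"" blocked '
    '(169.254.249.73,1042). Inbound UDP packet. Local address,service is '
    '(localhost,1042). Remote address,service is (169.254.249.73,1042). '
    'Process name is ""N/A""."',
    '10/24/2005 2:13:10 PM,"Rule ""Default Block Bla Trojan horse"" blocked '
    '(192.168.1.20,1042).","Rule ""Default Block Bla Trojan horse"" blocked '
    '(192.168.1.20,1042). Inbound TCP packet. Local address,service is '
    '(localhost,1042). Remote address,service is (192.168.1.20,1042). '
    'Process name is ""N/A""."',
    '10/24/2005 2:15:42 PM,"Rule ""Default Block Bla Trojan horse"" blocked '
    '(8.8.8.8,1042).","Rule ""Default Block Bla Trojan horse"" blocked '
    '(8.8.8.8,1042). Inbound UDP packet. Local address,service is '
    '(localhost,1042). Remote address,service is (8.8.8.8,1042). '
    'Process name is ""N/A""."',
]

# Assumed field layout, derived from the single quoted entry: the rule name
# sits between CSV-doubled quotes, the direction/protocol is a fixed phrase,
# and the remote endpoint is "(ip,port)" after "Remote address,service is".
RULE_RE = re.compile(r'Rule ""(?P<rule>[^"]+)""')
PROTO_RE = re.compile(r'Inbound (?P<proto>UDP|TCP) packet')
REMOTE_RE = re.compile(r'Remote address,service is \((?P<ip>[^,]+),(?P<port>\d+)\)')


def parse_entry(line: str) -> Optional[dict]:
    """Pull timestamp, rule, protocol and remote endpoint out of one log line.

    Returns None when the line does not carry all the expected fields."""
    rule = RULE_RE.search(line)
    proto = PROTO_RE.search(line)
    remote = REMOTE_RE.search(line)
    if not (rule and proto and remote):
        return None
    return {
        "timestamp": line.split(",", 1)[0],
        "rule": rule.group("rule"),
        "proto": proto.group("proto"),
        "remote_ip": remote.group("ip"),
        "remote_port": int(remote.group("port")),
    }


def classify(ip_text: str) -> str:
    """Name the address block the source falls in.

    Link-local is tested before private because Python's ipaddress counts
    169.254.0.0/16 as private as well; the more specific label is the
    useful one here."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16 per RFC 3330
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "reserved"


def assess(entry: dict) -> Tuple[str, List[str]]:
    """Return the source scope plus plain-language notes for the reader."""
    scope = classify(entry["remote_ip"])
    notes = []
    if scope == "link-local":
        notes.append("source is in 169.254.0.0/16, the RFC 3330 link-local block: "
                     "not routed across the Internet, so the packet came from a "
                     "host on the same link (typically one that auto-configured "
                     "an address because no DHCP server answered)")
    elif scope in ("private", "loopback"):
        notes.append(f"source is a {scope} address, not reachable from the Internet")
    elif scope == "global":
        notes.append("source is a globally routable address")
    else:
        notes.append(f"source address is {scope}")
    notes.append(f"rule '{entry['rule']}' is keyed to port {entry['remote_port']}; "
                 "the port number alone does not identify the program that sent it")
    return scope, notes


def triage(lines: List[str]) -> List[dict]:
    """Parse every line that matches and attach its scope and notes."""
    results = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        entry["scope"], entry["notes"] = assess(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['timestamp']}  {e['proto']} from {e['remote_ip']}:{e['remote_port']}"
              f"  [{e['scope']}]")
        for n in e["notes"]:
            print("    -", n)
```

Running it prints one line per log entry with its scope, so the quoted 169.254.249.73 entry comes out as link-local while the constructed 192.168.1.20 and 8.8.8.8 entries come out as private and global, all three having tripped the same port-keyed rule.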