
[SC-Help] Re: Inbound UDP

digno asuncion digno at pacific.net.ph
Tue Oct 25 18:45:07 EDT 2005


Please delete me from your address book.
----- Original Message ----- 
From: "Mike Easter" <MikeE at ster.invalid>
Newsgroups: spamcop.help
To: "digno asucnion" <digno at pacific.net.ph>
Sent: Tuesday, October 25, 2005 10:45 AM
Subject: [SC-Help] Re: Inbound UDP


> Fred K. wrote:
>> I got this and am wondering what to do besides nothing.
>>
>>
>> 10/24/2005 2:11:55 PM,"Rule ""Default Block Bla Trojan horse"" blocked
>> (169.254.249.73,1042).","Rule ""Default Block Bla Trojan horse""
> 
> Many so-called software or personal 'firewalls' 'name' something [Bla
> Trojan horse] by some kind of characteristic, such as the port 1042,
> which isn't necessarily or even likely specific.
> 
> There's a real problem with my using a term like 'firewall' which has
> one kind of popular usage about software which is unacceptable to
> firewall professionals.  They want that term to refer to a seriously
> competent hardware based firewall which has also been 'officially'
> tested by an approved firewall 'agency'.   They aren't even happy about
> hardware NAT devices and other 'homemade' linux firewall boxen being
> called 'firewalls'.
> 
> Thus anytime you or 'we'  use the term, I/we/you should either get into
> some long explanation of what is really meant, or not use the term at
> all.
> 
> Like 'bounce' - which means such widely disparate things that its
> ambiguity makes it useless without a definition of the meaning of the
> term in the actual context in which it is used.
> 
> Back to your alleged 'firewall' information....
> 
>> blocked (169.254.249.73,1042).  Inbound UDP packet.   Local
>> address,service is (localhost,1042).  Remote address,service is
>> (169.254.249.73,1042).  Process name is ""N/A""."
>>
>> NetRange:   169.254.0.0 - 169.254.255.255
> 
> That family of IPs is non-routable because IANA sez this in RFC 3330:
> 
> // 169.254.0.0/16 - This is the "link local" block.  It is allocated for
> communication between hosts on a single link.  Hosts obtain these
> addresses by auto-configuration, such as when a DHCP server may not be
> found. //
> 
> Since I *hate* to read RFCian, I can't really tell you what those words
> mean.
> 
> But, all my WallWatcher who is keeping logs for my NAT device would do
> with that information would be to compile it in its logs, the NAT would
> block the ingress, and my WallWatcher to DShield program would
> automatically send the information to DShield to be compiled with the
> over 1 billion reports which are submitted to DShield each month.
> 
>> Is Blachole compromised?
> 
> Anything is possible, but I doubt it.
> 
>> what significance does ",1042" at the end of
>> the IP have?
> 
> That's the port;  neohapsis db calls that udp and tcp probe 'BLAtrojan'
> which is what your firewall is telling you.
> 
> It is also afrog subnet roaming according to IANA.
> 
> 
> -- 
> Mike Easter
> kibitzer, not SC admin
> 
> _______________________________________________
> SpamCop-Help mailing list
> SpamCop-Help at news.spamcop.net
> http://news.spamcop.net/mailman/listinfo/spamcop-help
>
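
Added example, not part of the original thread or of any poster's message: a Python sketch that parses the personal-firewall log entry quoted above and classifies the remote address, so that a 169.254.0.0/16 source is read as a host on the same link rather than as an Internet probe. The function names and the regular expressions are assumptions based only on the single entry shown in the thread.

```python
import csv
import ipaddress
import re

# Log entry reassembled from the fragments quoted in the thread above.
SAMPLE = (
    '10/24/2005 2:11:55 PM,'
    '"Rule ""Default Block Bla Trojan horse"" blocked (169.254.249.73,1042).",'
    '"Rule ""Default Block Bla Trojan horse"" blocked (169.254.249.73,1042).  '
    'Inbound UDP packet.   Local address,service is (localhost,1042).  '
    'Remote address,service is (169.254.249.73,1042).  Process name is ""N/A""."'
)

RULE = re.compile(r'Rule "([^"]+)"')
PACKET = re.compile(r"(Inbound|Outbound) (UDP|TCP) packet")
REMOTE = re.compile(r"Remote address,service is \(([^,()]+),(\d+)\)")


def parse_entry(line):
    """Split the CSV record and pull rule, direction, protocol and remote endpoint."""
    fields = next(csv.reader([line]))
    if len(fields) != 3:
        raise ValueError("expected timestamp, summary, detail")
    detail = fields[2]
    rule, packet, remote = (p.search(detail) for p in (RULE, PACKET, REMOTE))
    if not (rule and packet and remote):
        raise ValueError("unrecognised detail field")
    return {
        "time": fields[0],
        "rule": rule.group(1),
        "direction": packet.group(1).lower(),
        "proto": packet.group(2).lower(),
        "remote_ip": remote.group(1),
        "remote_port": int(remote.group(2)),
    }


def address_scope(addr):
    """Classify the source so link-local traffic is not read as an Internet probe."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16: hosts on the same link
        return "link-local"
    if ip.is_private:
        return "private"
    return "global" if ip.is_global else "other-special-use"


if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    print(entry, address_scope(entry["remote_ip"]))
```
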


