
Help! DSL connection went down today, check out this log entry.....

skyking

Lifer
I have a client with a 4-computer office and a webserver, using an SMC Barricade 7004VBR.
They did not want to spring for something more robust, and up till now, it was not a problem.
I was able to restore the connection with a reset, but only temporarily. It was brought down again, and this was in the smc logs at a time corresponding with each connection failure.

Datagram redirected, if=WAN, dst=169.254.250.XXX,
src=206.253.193.XX

The source is in an ISP out of Minnesota. Is this some sort of buffer overflow, or magic packet attack on that router?

The connection is fine now. I have put the question to smc tech support, but I'd like to run it by you folks also.

EDIT: I will return after a full research of the server logs also.
 
Any other log entries from that source? Did anything inside the network actually communicate with that source? There really isn't a whole lot of information here to base an opinion on, let alone an idea.

Tell us more, please.
 
That was just the router log. I'll be back with the server log, I just wondered if it was a familiar looking thing.
 
The block 169.254.0.0 to 169.254.255.255 is reserved by the IANA which controls IP address usage. However, Microsoft uses this as its random network auto-assignment block. If you set a computer with Windows to automatically get an IP address, but it can't find a DHCP server, it will pick an IP from part of this block, on the assumption that all other computers on your LAN will also choose an IP within the same block, making a valid network but one that would require NAT for Internet access.

I assume that the internal network is using something like 192.168.x.x for IP space.

Very, very few pages or newsgroup messages on Google with any mention of 'datagram redirected', so I'm not sure exactly what happened. One newsgroup post related to the user somehow ending up as a routing point for all the other cable modem customers in his area whenever he used an SMC 7004FW. There were no responses to his message though.

As best I can tell, a packet coming from that source IP got to the router, but had a destination address of one of the IPs that Microsoft uses for its default assignments. It may or may not have been intended to target any machines which had been configured with these default IPs. But to even get to your router, it would have had to be encapsulated differently from a standard packet, because the original destination needed to be your router's interface address, and then the router would remove the encapsulation to find the 169.254 address as the "real" destination.

Is there a VPN running on the network? Or are the VPN capabilities enabled in the router? I don't know if it was really an attack, or possibly some badly configured computer on the other end maybe. It may be an attempt to try to get direct access to a computer behind the router in the hope that it's configured with MS's defaults.

It's very odd that this would end up crashing the router or bringing down the DSL interface. Were there any other entries in the router's logs? Or possibly a separate log containing the firewall information?
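A triage check for the kind of entry discussed above, as an added example that is not part of the original thread or any SMC tooling: it parses entries in the format quoted in the first post (including the wrap after a comma) and flags datagrams seen on the WAN interface whose destination is link-local (169.254.0.0/16) or RFC 1918 private space. The sample log, every address in it, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Field layout taken from the entry quoted in the thread: message, if=, dst=, src=
ENTRY_RE = re.compile(
    r"^(?P<msg>[^,]+),\s*if=(?P<iface>\w+),\s*dst=(?P<dst>[\d.]+),\s*src=(?P<src>[\d.]+)\s*$"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'link-local', 'private', 'other' or 'invalid' for a dotted quad."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "other"

def parse_entries(text):
    """Yield one dict per entry; an entry may wrap onto the next line after a comma."""
    joined = re.sub(r",\s*\n\s*", ", ", text)
    for line in joined.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # lines with elided or malformed fields are skipped
            yield m.groupdict()

def suspicious(text):
    """WAN-side entries whose destination should never be routed over the Internet."""
    hits = []
    for e in parse_entries(text):
        kind = classify(e["dst"])
        if e["iface"] == "WAN" and kind in ("link-local", "private"):
            hits.append((e["src"], e["dst"], kind))
    return hits

# Constructed sample log; sources use documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Datagram redirected, if=WAN, dst=169.254.250.17,
src=203.0.113.45
Datagram redirected, if=WAN, dst=198.51.100.9, src=203.0.113.45
Datagram redirected, if=WAN, dst=192.168.2.10, src=203.0.113.77
"""

if __name__ == "__main__":
    for src, dst, kind in suspicious(SAMPLE_LOG):
        print(f"non-routable destination on WAN: {src} -> {dst} ({kind})")
```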
 
No, I have a FreeBSD server running apache2.03, sendmail, and popper, and none of the logs reveal anything interesting for that time period.
That was the kind of info I was looking for. I am still waiting to hear from SMC. This will be my first attempt at getting help from them, we shall see how it goes.
 