Hello Shawn,
The easiest and recommended way for servers with multiple NICs which are
not teamed or in use is to disable them. Also, I assume the APIPA will sometimes
try to reach a DHCP server, which can declare the traffic also to the internet.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.dts-l.org/goodpost.htm
> Seeing some strange activity from 3 of our Exchange servers and one DC
> (A global catalog server) all Windows Server 2003.
>
> Firewall logs are showing multiple blocked attempted connections to
> the internet by servers to mainly APIPA addresses - over multiple
> different ports. i.e.
>
> Source: DC
> Service: TCP 1270 (port always varies)
> Destination: 169.254.241.60 (address always varies but is usually
> APIPA).
> When running port reporter, netstat, or TCPView on offending servers -
> traffic cannot be seen...
>
> Initially considered spoofing but firewall was able to determine
> correct MAC address of NIC.
>
> Anyone ever seen this or anything like it?
>