Security Incidents mailing list archives
Re: IP fw-in deny spam in logs
From: paul () XTDNET NL (Paul Wouters)
Date: Fri, 14 Apr 2000 01:30:34 +0200
On Thu, 13 Apr 2000, Erich Meier wrote:
> Apr 11 04:04:42 HostnameRemoved kernel: IP fw-in deny eth0 UDP 127.0.0.1:68 +255.255.255.255:67 L=276 S=0x00 I=60857 F=0x0000 T=128
>
> This smells like a simple DHCP or BOOTP request. It comes from localhost port bootp client (68) and goes to local broadcast port bootp server (67).
I'll admit I haven't kept up with my RFCs but since when do clients request an IP address through dhcp or bootpd with address 127.0.0.1? I thought the whole point was that they didn't have one yet (and use 0.0.0.0 :)

It seems to me, something actually took and is using 127.0.0.1 on that network. And it's very likely to be on the local cable, because 127.0.0.1 is quite difficult to route around the net.

Out of curiosity, what does "arp -a -i eth0" give you for 127.0.0.1?

Paul Wouters

Xtended Internet
--
Broerdijk 27        Postbus 170         Tel: 31-24-360 39 19
6523 GM Nijmegen    6500 AD Nijmegen    Fax: 31-24-360 19 99
The Netherlands     The Netherlands     info () xtdnet nl
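An added example, not part of the original message: a small triage script for the "IP fw-in" log format quoted above, flagging the two things the reply questions (a loopback source seen on a wire interface, and a BOOTP/DHCP client request whose source is not 0.0.0.0). The function name, finding labels and the second sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the "IP fw-in <action> <iface> <proto> src:port dst:port" log format
# quoted in the thread. The optional "+" tolerates the wrap marker that appears
# in front of the destination in the quoted line.
LOG_RE = re.compile(
    r"IP fw-in (?P<action>\w+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) \+?(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def check_line(line):
    """Return a list of findings for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    findings = []
    # 127.0.0.0/8 is not routed between networks, so a loopback source arriving
    # on a non-loopback interface was put on the wire by a host on the local
    # segment (the argument made in the reply).
    if src.is_loopback and m["iface"] != "lo":
        findings.append("loopback-source-on-wire")
    # UDP 68 -> 67 is the BOOTP/DHCP client-to-server direction.
    if m["proto"] == "UDP" and (int(m["sport"]), int(m["dport"])) == (68, 67):
        findings.append("dhcp-client-request")
        # A client with no address yet sends from 0.0.0.0; any other source
        # means the sender already holds, or claims, that address.
        if not src.is_unspecified:
            findings.append("dhcp-source-not-unspecified")
    return findings

# First line is the one quoted in the thread; the second is constructed.
SAMPLES = [
    "Apr 11 04:04:42 HostnameRemoved kernel: IP fw-in deny eth0 UDP "
    "127.0.0.1:68 +255.255.255.255:67 L=276 S=0x00 I=60857 F=0x0000 T=128",
    "Apr 11 04:05:10 HostnameRemoved kernel: IP fw-in deny eth0 UDP "
    "0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=1 F=0x0000 T=128",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample), "<-", sample[:40], "...")
```
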