Security Incidents mailing list archives
Re: Strange Activity -- Help
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Wed, 21 Feb 2001 20:17:21 -0500
"Nanney, Jim" <JNanney () XETADEV COM> writes:
Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2
^^^^^^^
192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
IP Protocol 2 is "igmp" (as opposed to TCP or UDP, for example). One consequence of this is that the port numbers given in the log line are meaningless.

I don't quite know everything that igmp is used for, but one of the things it's used for is to announce to a router (via broadcast packets) "the machine at address xx.xx.xx.xx is willing to receive multicast IP packets destined for yy.yy.yy.yy" (here, xx.xx.xx.xx == 192.168.100.1 and yy.yy.yy.yy == 224.0.0.1). Therefore, some machine on your local network is sending out igmp packets announcing that it is willing to receive multicast packets.

For reasons I don't understand, many times when a Windows machine needs to broadcast some sort of information, it will send out broadcast packets from all its IP addresses on all its interfaces, meaning that both the "private" and the "external" IP addresses will be used as source addresses for packets going out the external network interface. My guess then is that someone on your local segment has a Windows machine that is equipped for multicast and that your machine is actually receiving broadcast packets from both the external address of this machine and the 192.168.* address, but is only logging the packets that were sent out from the 192.168.* address because they came from the "wrong" interface.

So in short, this is nothing to worry about, and the behavior of the machine that is producing these packets is only minorly broken. You should adjust your firewall to ignore (ipchains rule DENY) igmp packets that are directed at multicast addresses, regardless of the source IP, and not log them. Nothing to see here, move along.
Can anyone correct my mistake if I am wrong or tell me what else may be causing these packets every 3 minutes? Also would it be worth sniffing and capturing the packet to look for other clues?
I suppose you could sniff for all igmp packets sent to your machine to confirm whether or not you are getting both the 192.168.* address and the cable-modem IP. However, if you do sniff, remember that you can't trust the ethernet address of packets sniffed off a cablemodem, so don't read anything into whether or not the broadcast address at the ethernet level appears to have been used. Also, once you confirm the false alarm, please follow up with your ISP's abuse department - I'd hate to see someone accused of probing when no such activity is going on.
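As an added example (not code from the thread or from either poster), here is a small Python triage script for the ipchains "Packet log:" format quoted above. It parses the log fields, treats the port columns as filler when the protocol is not TCP or UDP (the quoted line shows 65535 in both for IGMP), and emulates the suggested firewall change: treat IGMP to any multicast destination, whatever the source, as something to drop without logging. The sample lines are constructed; the first is the quoted line re-joined, the others are made up for contrast. The regular expression, the verdict strings and the `matches_quiet_rule` name are my own assumptions about a sensible triage, not anything from the thread.

```python
"""Triage ipchains 'Packet log:' lines so IGMP multicast chatter is not
mistaken for a probe. Added example, not from the original thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field layout of the ipchains (Linux 2.2) kernel log line quoted in the thread:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}
PORTED_PROTOS = {6, 17}                      # only TCP and UDP carry real ports
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


@dataclass
class Entry:
    chain: str
    target: str
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    length: int
    ttl: int
    rule: Optional[int]

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")

    @property
    def ports_meaningful(self) -> bool:
        # ipchains prints a port column for every protocol; for IGMP the
        # quoted line shows 65535 in both, which is filler, not a port.
        return self.proto in PORTED_PROTOS


def parse(line: str) -> Optional[Entry]:
    """Parse one syslog line; None for lines that are not ipchains packet logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Entry(
        chain=g["chain"], target=g["target"], iface=g["iface"],
        proto=int(g["proto"]),
        src=ipaddress.ip_address(g["src"]), sport=int(g["sport"]),
        dst=ipaddress.ip_address(g["dst"]), dport=int(g["dport"]),
        length=int(g["length"]), ttl=int(g["ttl"]),
        rule=int(g["rule"]) if g["rule"] else None,
    )


def classify(e: Entry) -> str:
    """Triage verdict for one parsed entry (verdict wording is my own)."""
    if e.proto == 2:
        if e.dst in MULTICAST:
            # IGMP to a multicast group (224.0.0.1 here, TTL 1) is ordinary
            # link-local membership signalling; the port columns mean nothing.
            return "ignore: igmp multicast membership traffic"
        return "investigate: igmp to a unicast address"
    if e.ports_meaningful:
        return f"review: {e.proto_name} {e.src}:{e.sport} -> {e.dst}:{e.dport}"
    return f"review: {e.proto_name} {e.src} -> {e.dst}"


def matches_quiet_rule(e: Entry) -> bool:
    """Emulates the suggested ipchains change: DENY IGMP to any multicast
    destination regardless of source, and do not log it (no -l flag)."""
    return e.proto == 2 and e.dst in MULTICAST


# Constructed sample input. The first line is the one quoted in the thread,
# re-joined on one line; the rest are made up for contrast.
SAMPLE_LINES = [
    "Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 09:55:10 nanlinux kernel: Packet log: input REJECT eth0 PROTO=6 "
    "10.0.0.7:4321 192.168.100.2:23 L=60 S=0x00 I=12345 F=0x4000 T=64 (#5)",
    "Feb 21 09:56:00 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "10.0.0.9:65535 192.168.100.2:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 09:56:30 nanlinux login: ROOT LOGIN on tty1",
]


def triage(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (verdict, would_be_silenced_by_rule) for each parsable line."""
    out = []
    for line in lines:
        e = parse(line)
        if e is not None:
            out.append((classify(e), matches_quiet_rule(e)))
    return out


if __name__ == "__main__":
    for verdict, quiet in triage(SAMPLE_LINES):
        print(f"{'silenced' if quiet else 'logged  '}  {verdict}")
```

Run it against a real syslog and only the IGMP-to-multicast lines are marked "silenced", which is the set the suggested DENY rule would stop logging; IGMP sent to a unicast address, which the rule would not match, stays visible for a second look.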
Current thread:
- Strange Activity -- Help Nanney, Jim (Feb 21)
- Re: Strange Activity -- Help Crist Clark (Feb 21)
- Re: Strange Activity -- Help Daniel Martin (Feb 21)
- Re: Strange Activity -- Help Antonio Carlos Pina (Feb 22)