Re: DHCP or Probe?

[Daniel Hanson <dhanson () securityfocus com>]

I just wanted to respond as no one else has... perhaps it's just me and my
somewhat limited understanding of cable network architecture, but if this
is the cable modem renewing it's DHCP, it should not be sending the DHCP
requests to the public IP on this user's computer.

> From what has been posted so far, it seems that this is a
misconfiguration, but it is an interesting one. Anyone else have ideas?

Cheerio
D


On Thu, 11 Mar 2004, Eric Peek wrote:

> Roadrunner assigns your cable modem a 10 dot address even though your host
> is assigned a public IP. No reason to waste public IP addresses.  Your cable
> modem only needs to talk to Roadrunner's network so it does not need a
> routable address.  This is more than likely your cable modem renewing its IP
> address from your local CMTS which is forwarding DHCP requests to its CNR
> server.
>
> How often is it happening?  Is it constant or just ever few hours?
>
> Nothing to worry about though.
>
> Eric
>
> ----- Original Message -----
> From: "Clint Bodungen" <clint () secureconsulting com>
> To: <incidents () securityfocus com>
> Sent: Thursday, March 11, 2004 11:50 AM
> Subject: Re: DHCP or Probe?
>
>
> >  I'm getting the following traffic about every second to my cable modem
> (My
> > IP,
> > not a broadcast address.  UDP packets looking for port 67... but from a
> "10
> > dot"
> > address.  Is this the typical chatty Roadrunner DHCP probes or is it a
> worm
> > probe?
> > The reason I find this odd is because the source address here is from a
> "10
> > dot" class A.
> > I'm not on PTP... I have a public address... so this is either from a
> > spoofed address,
> > a misconfiguration by one of my cable modem neighbors, or worse... a
> > misconfiguration by RR.
> >
> > Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet -
> > Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> > Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet -
> > Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> > Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet -
> > Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> > Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet -
> > Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> >
> >
> >
> >
> >
> > --------------------------------------------------------------------------
> -
> > Free 30-day trial: firewall with virus/spam protection, URL filtering,
> VPN,
> > wireless security
> >
> > Protect your network against hackers, viruses, spam and other risks with
> Astaro
> > Security Linux, the comprehensive security solution that combines six
> > applications in one software solution for ease of use and lower total cost
> of
> > ownership.
> >
> > Download your free trial at
> > http://www.securityfocus.com/sponsor/Astaro_incidents_040301
> > --------------------------------------------------------------------------
> --
> >
>
>
> ---------------------------------------------------------------------------
> Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
> wireless security
>
> Protect your network against hackers, viruses, spam and other risks with Astaro
> Security Linux, the comprehensive security solution that combines six
> applications in one software solution for ease of use and lower total cost of
> ownership.
>
> Download your free trial at
> http://www.securityfocus.com/sponsor/Astaro_incidents_040301
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------