Security Incidents mailing list archives

Re: Strange Activity -- Help


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Wed, 21 Feb 2001 20:17:21 -0500

"Nanney, Jim" <JNanney () XETADEV COM> writes:

> Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2
                                                                 ^^^^^^^
> 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)

IP Protocol 2 is "igmp".  (as opposed to TCP or UDP, for example)  One
consequence of this is that the port numbers given in the log line are
meaningless.

I don't quite know everything that igmp is used for, but one of the
things it's used for is to announce to a router (via broadcast
packets) "the machine at address xx.xx.xx.xx is willing to receive
multicast IP packets destined for yy.yy.yy.yy" (Here, xx.xx.xx.xx ==
192.168.100.1 and yy.yy.yy.yy == 224.0.0.1)

Therefore, some machine on your local network is sending out igmp
packets announcing that it is willing to receive multicast packets.
For reasons I don't understand, many times when a Windows machine
needs to broadcast some sort of information, it will send out
broadcast packets from all its IP addresses on all its interfaces,
meaning that both the "private" and the "external" IP addresses will
be used as source addresses for packets going out the external network
interface.

My guess then is that someone on your local segment has a Windows
machine that is equipped for multicast and that your machine is
actually receiving broadcast packets from both the external address of
this machine and the 192.168.* address, but is only logging the
packets that were sent out from the 192.168.* address because they
came from the "wrong" interface.

So in short, this is nothing to worry about, and the behavior of the
machine that is producing these packets is only minorly broken.  You
should adjust your firewall to ignore (ipchains rule DENY) igmp
packets that are directed at multicast addresses, regardless of the
source IP, and not log them.  Nothing to see here, move along.

> Can anyone correct my mistake if I am wrong or tell me what else may be
> causing these packets every 3 minutes?  Also would it be worth sniffing and
> capturing the packet to look for other clues?

I suppose you could sniff for all igmp packets sent to your machine to
confirm whether or not you are getting both the 192.168.* address and
the cable-modem IP.  However, if you do sniff, remember that you can't
trust the Ethernet address of packets sniffed off a cable modem, so
don't read anything into whether or not the broadcast address at the
Ethernet level appears to have been used.

Also, once you confirm the false alarm, please follow up with your
ISP's abuse department - I'd hate to see someone accused of probing
when no such activity is going on.
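
The triage described in this reply, as an added example that is not part of the original thread: a small parser for ipchains "Packet log:" lines that decodes the PROTO number, blanks out the port columns for anything that is not TCP or UDP (they carry no meaning there, as noted above), and separates IGMP aimed at a multicast group (224.0.0.0/4) from everything else. The first sample line mirrors the one quoted in the thread; the other two are constructed to exercise the TCP and unicast-destination cases. The function names and the "multicast-noise"/"review" labels are my own, not anything from ipchains.

```python
import ipaddress
import re

# Constructed sample ipchains "Packet log" lines. The first mirrors the line
# quoted in the thread; the other two are made up to exercise other branches.
SAMPLE_LOGS = [
    "Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 09:57:40 nanlinux kernel: Packet log: input REJECT eth0 PROTO=6 "
    "10.0.0.7:4231 192.168.100.5:23 L=60 S=0x00 I=1234 F=0x4000 T=64 (#7)",
    "Feb 21 09:58:01 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "10.0.0.9:65535 192.168.100.5:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
]

# IANA IP protocol numbers for the few we care about here.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}
# Only these protocols actually carry port fields; for anything else the
# "src:port dst:port" columns in the ipchains log are filler.
PORTED_PROTOS = {6, 17}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)


def parse_ipchains_log(line):
    """Parse one ipchains kernel log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    entry = {
        "chain": d["chain"],
        "verdict": d["verdict"],
        "iface": d["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "len": int(d["len"]),
        "ttl": int(d["ttl"]),
        "rule": int(d["rule"]),
    }
    # Port columns are only meaningful for TCP/UDP; drop them otherwise so
    # nobody downstream "investigates port 65535" on an IGMP packet.
    if proto in PORTED_PROTOS:
        entry["sport"] = int(d["sport"])
        entry["dport"] = int(d["dport"])
    else:
        entry["sport"] = entry["dport"] = None
    return entry


def classify(entry):
    """Label IGMP sent to a multicast group as routine noise (my own label),
    regardless of source address; everything else is left for a human."""
    if entry["proto"] == 2 and entry["dst"].is_multicast:
        return "multicast-noise"
    return "review"


def triage(lines):
    """Return (label, parsed entry) pairs for every line that parses."""
    results = []
    for line in lines:
        entry = parse_ipchains_log(line)
        if entry is not None:
            results.append((classify(entry), entry))
    return results


if __name__ == "__main__":
    for label, e in triage(SAMPLE_LOGS):
        ports = "" if e["sport"] is None else f" {e['sport']}->{e['dport']}"
        print(f"{label:15s} {e['proto_name']:4s} {e['src']} -> {e['dst']}{ports} "
              f"ttl={e['ttl']} rule#{e['rule']}")
```

Running it labels the quoted line "multicast-noise" and the TCP and unicast-IGMP samples "review". The suppression the reply recommends would be an unlogged rule ahead of the logging one, along the lines of `ipchains -A input -p igmp -d 224.0.0.0/4 -j DENY` (no `-l`, so nothing is written to the kernel log); the exact chain and ordering depend on the existing ruleset, so treat that command as illustrative rather than a drop-in.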

