Security Incidents mailing list archives
RE: Strange SNMP probes suddenly appearing
From: "Graeme Fowler" <graeme.fowler () hosteurope com>
Date: Thu, 11 Dec 2003 13:59:58 -0000
Hi

On 03 December 2003 02:23, Jeff Kell wrote:
> After finally getting an ethereal trace of traffic from the faulty address (a machine using an Apple Airport) I found the following:
>
> <snip>
>
> Almost immediately afterward is a UDP packet from that machine to the router on port udp/192. It contains 4 bytes of text, 0x08 0x01 0x03 0x10.
>
> <snip>
>
> So, "something" is amiss here. I'm just not sure I understand it all. But we have the symptoms nailed down, we'll have to see about the cure. Does this ring any bells with anyone that is AirPort knowledgeable? Since these were "rogue installs" by the department, they look like they would be great clay pigeons for skeet shooting, but perhaps they can be more productive.
A quick scout of Apple's tech info library gave up the following documents:

http://docs.info.apple.com/article.html?artnum=106439

"This document lists TCP and UDP ports used by Apple software products <snip>
UDP Port  Service
192       AirPort Base Station PPP status or discovery (certain configurations)"

Interesting. So the AirPort Base Station can toddle off and do some sort of discovery - in my experience (with other discovery devices), it'll start with its default router to see what it can find and will then poll the local LAN, or follow up anything interesting it might find via the initial probe. Presumably, in these cases, the AirPort base station is configured to get an IP address via DHCP and then do local NAT for wireless devices which connect through it.

http://docs.info.apple.com/article.html?artnum=107220

Describes how to turn off SNMP on the "WAN" port of a dual ethernet base station. I'd surmise that the use of the word "WAN" here means "Wired LAN" :)

...and then I go a-googling, and find:

http://sourceforge.net/docman/display_doc.php?docid=12&group_id=7489

describing the discovery modes of the base station itself using port 192.

Having read around the subject over the last half hour or so, I'd say that the base stations in their default, plug'n'go state, are trying to discover a management station from which they can download their configuration. The AirPort management software does its magic via SNMP (so it seems!) so it wouldn't surprise me, with Apple's move towards automagic configuration of desktops and servers from the OSX Server environment, that this is not nefarious activity - it's by design, and (like many other scenarios) it's default behaviour which should be switched off before plugging the devices into a LAN.

Hope that helps, at least a little.
Regards

Graeme Fowler
--
Technical Services
Host Europe PLC
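The pattern Graeme describes (a UDP/192 probe to the default router, then SNMP polling of other local hosts) is something a network operator can look for in flow data to find unconfigured base stations before they are "skeet". The following is an added example, not code from the thread or from Apple: it runs a small classifier over constructed flow records and reports sources that match that sequence. The record layout, the field names, the time window and the threshold of distinct SNMP targets are all assumptions made for the example; the port numbers and the four payload bytes are the ones quoted in the messages above.

```python
"""
Flag LAN hosts that show the AirPort-style discovery sequence described in
the thread: a UDP packet to port 192 on the default router followed by SNMP
(UDP/161) to several other local hosts shortly afterwards.

This is an added example. Flow record layout and thresholds are assumptions;
port 192, port 161 and the payload bytes come from the thread itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AIRPORT_DISCOVERY_PORT = 192          # from Apple's port list quoted in the thread
SNMP_PORT = 161                        # SNMP, which the AirPort management software uses
DISCOVERY_PAYLOAD = bytes([0x08, 0x01, 0x03, 0x10])  # the 4 bytes Jeff saw in his trace


@dataclass
class Flow:
    """One flow/packet record (assumed layout for this example)."""
    ts: float          # seconds since some epoch
    src: str
    dst: str
    proto: str         # "udp" or "tcp"
    dport: int
    payload: bytes = b""


def find_discovery_hosts(flows, gateway, lan, window=300, min_snmp_targets=3):
    """Return {src: report} for sources that sent UDP/192 to the gateway and then
    SNMP to at least min_snmp_targets distinct LAN hosts within `window` seconds.

    `report` carries the time of the first probe, whether its payload matched the
    bytes from the thread, and the sorted list of SNMP targets.
    """
    lan_net = ip_network(lan)
    probes = {}                        # src -> (ts of first udp/192 probe, payload matched?)
    snmp_targets = defaultdict(set)    # src -> set of LAN hosts it sent SNMP to

    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue                   # the sequence we care about is UDP only
        if f.dport == AIRPORT_DISCOVERY_PORT and f.dst == gateway:
            # remember only the first probe per source
            probes.setdefault(f.src, (f.ts, f.payload == DISCOVERY_PAYLOAD))
        elif f.dport == SNMP_PORT and f.src in probes:
            first_ts, _ = probes[f.src]
            if (f.ts - first_ts <= window
                    and ip_address(f.dst) in lan_net
                    and f.dst != f.src):
                snmp_targets[f.src].add(f.dst)

    report = {}
    for src, (first_ts, matched) in probes.items():
        targets = snmp_targets[src]
        if len(targets) >= min_snmp_targets:
            report[src] = {
                "first_probe_ts": first_ts,
                "payload_matches": matched,
                "snmp_targets": sorted(targets, key=ip_address),
            }
    return report


# Constructed sample flows (not captured data). 10.0.5.77 plays the unconfigured
# base station; 10.0.5.20 probes once but never polls; 10.0.5.30 is an ordinary
# SNMP poller that never sent the discovery probe and so must not be flagged.
GATEWAY = "10.0.5.1"
LAN = "10.0.5.0/24"
SAMPLE_FLOWS = [
    Flow(100.0, "10.0.5.77", GATEWAY, "udp", 192, DISCOVERY_PAYLOAD),
    Flow(101.0, "10.0.5.77", "10.0.5.2", "udp", 161),
    Flow(102.0, "10.0.5.77", "10.0.5.3", "udp", 161),
    Flow(103.5, "10.0.5.77", "10.0.5.4", "udp", 161),
    Flow(119.0, "10.0.5.77", "10.0.5.5", "udp", 161),
    Flow(130.0, "10.0.5.77", "10.0.5.1", "tcp", 80),        # unrelated web traffic
    Flow(200.0, "10.0.5.20", GATEWAY, "udp", 192, b"\x00"),  # probe, different payload
    Flow(201.0, "10.0.5.20", "10.0.5.2", "udp", 161),        # only one SNMP target
    Flow(300.0, "10.0.5.30", "10.0.5.2", "udp", 161),        # legitimate poller, no probe
    Flow(301.0, "10.0.5.30", "10.0.5.3", "udp", 161),
    Flow(302.0, "10.0.5.30", "10.0.5.4", "udp", 161),
    Flow(900.0, "10.0.5.77", "10.0.5.9", "udp", 161),        # outside the window
]


if __name__ == "__main__":
    for src, info in find_discovery_hosts(SAMPLE_FLOWS, GATEWAY, LAN).items():
        print(src, info)
```

Hosts the report names are candidates to check against the two Apple articles Graeme cites: confirm the device is an AirPort, and either turn off SNMP on its wired port or configure it properly before it is left on the LAN. The `payload_matches` flag is there so a probe that uses port 192 for some other reason is not confused with the sequence Jeff captured.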
Current thread:
- Re: Strange SNMP probes suddenly appearing Jeff Kell (Dec 03)
- <Possible follow-ups>
- Re: Strange SNMP probes suddenly appearing jcanaves (Dec 10)
- RE: Strange SNMP probes suddenly appearing Graeme Fowler (Dec 11)