Security Incidents mailing list archives
Re: DHCP or Probe?
From: John Sage <jsage () finchhaven com>
Date: Fri, 12 Mar 2004 10:13:24 -0800
Clint: On Thu, Mar 11, 2004 at 10:50:12AM -0600, Clint Bodungen wrote:
> From: "Clint Bodungen" <clint () secureconsulting com>
> To: <incidents () securityfocus com>
> Subject: Re: DHCP or Probe?
> Date: Thu, 11 Mar 2004 10:50:12 -0600
>
> I'm getting the following traffic about every second to my cable modem (My IP, not a broadcast address. UDP packets looking for port 67...
*For* 67, or *from* 67? To 68, I'll bet. (That it's to your IP is weird..)
> but from a "10 dot" address. Is this the typical chatty Roadrunner DHCP probes or is it a worm probe? The reason I find this odd is because the source address here is from a "10 dot" class A. I'm not on PTP... I have a public address... so this is either from a spoofed address, a misconfiguration by one of my cable modem neighbors, or worse... a misconfiguration by RR.
>
> Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
I'm on cable with ComCast. In its full glory, I'll bet what you're seeing may be like this. It's bootp stuff; I block it completely to no apparent harm.

Mar 12 04:06:33 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=29839 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:10:32 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=335 TOS=0x00 PREC=0x00 TTL=255 ID=30133 PROTO=UDP SPT=67 DPT=68 LEN=315
Mar 12 04:11:40 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30216 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:16:46 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30576 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:21:51 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30907 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:26:55 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=31259 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:31:59 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=31617 PROTO=UDP SPT=67 DPT=68 LEN=355
/* snip */

- John

--
"Mad cow? You'd be mad too, if someone was trying to eat you."
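An added triage helper for the two log formats quoted in this thread (the router's "Device Receive UDP Packet" line and the Linux netfilter line); this is example code, not from either poster. The sample lines are constructed, 203.0.113.5 stands in for the public IP, and the labels ("dhcp-server-broadcast" vs. "dhcp-server-unicast") follow the distinction John draws: server-to-client DHCP chatter sent to the broadcast address is the ordinary ISP case, while the same traffic addressed to a single customer IP is the odd one.

```python
import ipaddress
import re

# Constructed sample lines (not from the thread) in the two formats quoted:
# a consumer router's "Device Receive UDP Packet" line and a Linux netfilter
# kernel log line.  203.0.113.5 is a placeholder for the customer's public IP.
SAMPLE_LOGS = [
    "Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - "
    "Source:10.50.192.1,67,WAN - [Drop] Destination:203.0.113.5,68,LAN",
    "Mar 12 04:06:33 greatwall kernel: Block: udp: IN=eth0 OUT= "
    "SRC=10.130.176.1 DST=255.255.255.255 LEN=375 PROTO=UDP SPT=67 DPT=68 LEN=355",
    "Mar 12 04:07:01 greatwall kernel: Block: udp: IN=eth0 OUT= "
    "SRC=0.0.0.0 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=68 DPT=67 LEN=308",
]

ROUTER_RE = re.compile(
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+),\w+ - \[\w+\] "
    r"Destination:\s*(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?")
NETFILTER_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=UDP "
    r"SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)")

# The "10 dot" question: is the source an RFC 1918 private address?
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_udp(line):
    """Extract src/dst/ports from either log format; None if neither matches."""
    for rx in (ROUTER_RE, NETFILTER_RE):
        m = rx.search(line)
        if m:
            return {"src": m["src"], "dst": m["dst"],
                    "sport": int(m["sport"]), "dport": int(m["dport"] or 0)}
    return None


def triage(line):
    """Label a dropped UDP event the way the thread reasons about it."""
    ev = parse_udp(line)
    if ev is None:
        return None
    if ev["sport"] == 67 and ev["dport"] == 68:
        # Server-to-client DHCP/BOOTP.  Broadcast is the normal ISP chatter;
        # unicast to one customer address is the case the thread finds odd.
        kind = ("dhcp-server-broadcast" if ev["dst"] == "255.255.255.255"
                else "dhcp-server-unicast")
    elif ev["dport"] == 67:
        kind = "dhcp-client-request"      # e.g. a neighbour's DISCOVER/REQUEST
    else:
        kind = "other-udp"
    src = ipaddress.ip_address(ev["src"])
    ev["kind"] = kind
    ev["rfc1918_source"] = any(src in n for n in RFC1918)
    return ev
```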