Security Incidents mailing list archives

Re: DHCP or Probe?


From: John Sage <jsage () finchhaven com>
Date: Fri, 12 Mar 2004 10:13:24 -0800

Clint: 

On Thu, Mar 11, 2004 at 10:50:12AM -0600, Clint Bodungen wrote:
> From: "Clint Bodungen" <clint () secureconsulting com>
> To: <incidents () securityfocus com>
> Subject: Re: DHCP or Probe?
> Date: Thu, 11 Mar 2004 10:50:12 -0600
>
> I'm getting the following traffic about every second to my cable modem
> (My IP, not a broadcast address.  UDP packets looking for port
> 67...

*For* 67, or *from* 67?

To 68, I'll bet.

(That it's to your IP is weird..)

> but from a "10 dot" address.  Is this the typical chatty Roadrunner
> DHCP probes or is it a worm probe?  The reason I find this odd is
> because the source address here is from a "10 dot" class A.  I'm not
> on PTP... I have a public address... so this is either from a
> spoofed address, a misconfiguration by one of my cable modem
> neighbors, or worse... a misconfiguration by RR.
>
> Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet -
> Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet -
> Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet -
> Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
> Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet -
> Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]

I'm on cable with ComCast.

In its full glory, I'll bet what you're seeing may be like this. It's
bootp stuff; I block it completely to no apparent harm.


Mar 12 04:06:33 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=29839 PROTO=UDP
 SPT=67 DPT=68 LEN=355

Mar 12 04:10:32 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=335 TOS=0x00 PREC=0x00 TTL=255 ID=30133 PROTO=UDP
 SPT=67 DPT=68 LEN=315

Mar 12 04:11:40 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30216 PROTO=UDP
 SPT=67 DPT=68 LEN=355

Mar 12 04:16:46 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30576 PROTO=UDP
 SPT=67 DPT=68 LEN=355

Mar 12 04:21:51 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30907 PROTO=UDP
 SPT=67 DPT=68 LEN=355

Mar 12 04:26:55 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=31259 PROTO=UDP
 SPT=67 DPT=68 LEN=355

Mar 12 04:31:59 greatwall kernel: Block: udp: IN=eth0 OUT=
 MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1
 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=31617 PROTO=UDP
 SPT=67 DPT=68 LEN=355

/* snip */



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
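The distinction John draws (server port 67 to client port 68, from a 10.x source, normally to the broadcast address) can be checked mechanically against firewall logs. The following is an added example, not code from either poster: it parses netfilter LOG lines of the shape shown above and labels each packet as DHCP server-to-client (broadcast or, as in Clint's report, unicast to one WAN address), client-to-server, or unrelated, flagging an RFC 1918 source on the WAN side. The sample log and MAC values are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample log: the first two lines mirror the netfilter entries quoted
# above (MAC bytes masked as in the original); the third imitates Clint's report
# (server port 67 aimed at one WAN address); the fourth is an unrelated UDP packet.
SAMPLE_LOG = """\
Mar 12 04:06:33 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=29839 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:10:32 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6e:xx:yy:08:00 SRC=10.130.176.1 DST=255.255.255.255 LEN=335 TOS=0x00 PREC=0x00 TTL=255 ID=30133 PROTO=UDP SPT=67 DPT=68 LEN=315
Mar 12 04:12:00 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:0a:42:6e:xx:yy:08:00 SRC=10.50.192.1 DST=203.0.113.10 LEN=375 TOS=0x00 PREC=0x00 TTL=255 ID=30200 PROTO=UDP SPT=67 DPT=68 LEN=355
Mar 12 04:13:00 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:0a:42:6e:xx:yy:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=UDP SPT=5555 DPT=5555 LEN=40
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields.

    The kernel emits LEN= twice (IP total length, then UDP length); the second
    occurrence is stored as UDP_LEN so neither value is lost.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            key = "UDP_" + key
        fields[key] = value
    return fields

def classify(fields):
    """Label one parsed packet according to the BOOTP/DHCP port pair it carries."""
    if fields.get("PROTO") != "UDP":
        return "not-dhcp"
    src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    spt, dpt = fields.get("SPT"), fields.get("DPT")
    if (spt, dpt) == ("67", "68"):
        # Server-to-client direction (offers, acks, BOOTP replies).
        kind = "dhcp-server-broadcast" if str(dst) == "255.255.255.255" else "dhcp-server-unicast"
    elif dpt == "67":
        kind = "dhcp-client-to-server"
    else:
        return "not-dhcp"
    # A private (RFC 1918) source arriving on the WAN side is the oddity raised in the thread.
    return kind + ("/private-src" if src.is_private else "")

def summarize(log_text):
    """Count each packet class over a block of log text."""
    counts = {}
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        label = classify(parse_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```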
