Re: Common occurrence in my logs

From: James W. Abendschan (jwaat_private)
Date: Thu Apr 12 2001 - 21:57:15 PDT

    On Thu, 12 Apr 2001, Greg Williamson wrote:
    > I run a RH 7 based firewall at home, using ipchains to actually control the
    > firewalling.  The internet connection is cable using Telstra BigPond.  Since
    > about day 1, I have been getting rejected packets which show up like this:
    >
    > Apr 12 08:58:54 faran kernel: Packet log: eth1i DENY eth1 PROTO=17 10.0.44.1:67
    > 255.255.255.255:68 L=372 S=0x00 I=9522 F=0x0000 T=255 (#41)
    
    [ .. ]
    
    > The question is, does anyone know what this actually is?  Any ideas on how to
    > get to the source and get whoever is doing it to stop would be welcome too.
    > Last night it basically went sick (roughly a packet per second), and filled up a
    > fair amount of log space.  I can set my config up to drop and not log these, but
    > I'd still like to know what and why, and preferably get it stopped.
    
    The frequency of connections would suggest it's a device of some sort,
    though getting a packet per second seems like a *broken* device.
    bootp is a network-boot protocol; a device that wants to boot up across
    a network will issue a broadcast bootpc request until a bootp server
    answers with the server IP address and a filename containing a boot
    image for the device.  The device then downloads the file via tftp
    and executes it.
    
    It may be your cable modem -- a DSL modem I came across (don't recall the
    vendor) issued regular bootpc broadcasts, presumably looking for updates
    (scary).  What happens when you ping/traceroute to 10.0.44.1?  Can you
    hit it with telnet or http?  If you unplug the "cable" cable but leave the
    ethernet connection to your fw, can you still ping it / do you still get
    bootpc requests?
    
    A valid bootpc request packet "must" have the ethernet address of the
    originating client (this is used by the bootp server to figure out which
    boot image to serve up), so if you capture the packet w/ tcpdump you can grab
    the ethernet address, which may be illuminating.
    
    
    A question I never had an opportunity to answer: what happens if someone
    answers the bootpc request?  "Here you go, your tftp server is x.x.x.x, go
    grab my nifty boot image that will make you catch fire!"
    
    James
    
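The reply above describes two things a practitioner would want to check on a captured packet: what a BOOTP request or reply carries (server address, boot filename) and the client's ethernet address in the `chaddr` field. The following is an added example, not code from the original post or from any project it mentions: a decoder for the BOOTP header as laid out in RFC 951, with a constructed sample packet (the MAC address, transaction id, server address and boot filename are made up). One extra check is included because of the port numbers in the quoted log line: RFC 951 assigns port 67 to servers and port 68 to clients, so a packet from port 67 to port 68 is a server reply, and the decoded `op` field shows whether 10.0.44.1 is answering a request or issuing one.

```python
import socket
import struct
from typing import Dict

# BOOTP fixed header (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
_BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTP_HDR_LEN = _BOOTP_HDR.size  # 236

OPCODES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
BOOTPS, BOOTPC = 67, 68  # server and client UDP ports (RFC 951)


def direction_from_ports(sport: int, dport: int) -> str:
    """Classify a UDP datagram by the BOOTP well-known ports."""
    if sport == BOOTPC and dport == BOOTPS:
        return "client->server"
    if sport == BOOTPS and dport == BOOTPC:
        return "server->client"
    return "not BOOTP"


def parse_bootp(payload: bytes) -> Dict[str, object]:
    """Decode the UDP payload of a BOOTP datagram into a dict.

    Raises ValueError on a truncated or malformed header so that a caller
    feeding it arbitrary captured traffic does not silently get garbage.
    """
    if len(payload) < BOOTP_HDR_LEN:
        raise ValueError("payload too short for BOOTP header: %d bytes" % len(payload))
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file_) = _BOOTP_HDR.unpack_from(payload)
    if op not in OPCODES:
        raise ValueError("unknown BOOTP op %d" % op)
    if hlen > 16:
        raise ValueError("hlen %d exceeds the 16-byte chaddr field" % hlen)
    return {
        "op": OPCODES[op],
        "htype": htype,
        "hops": hops,
        "xid": xid,
        "secs": secs,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": socket.inet_ntoa(ciaddr),
        "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr),   # next server to use (tftp source)
        "giaddr": socket.inet_ntoa(giaddr),
        # Client hardware address: only the first hlen bytes are meaningful.
        "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
        "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": file_.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vendor": payload[BOOTP_HDR_LEN:],  # vendor-specific area, left undecoded
    }


def describe(pkt: Dict[str, object]) -> str:
    """One-line summary suitable for a log or a triage note."""
    if pkt["op"] == "BOOTREQUEST":
        return "BOOTREQUEST from %s (xid 0x%08x)" % (pkt["chaddr"], pkt["xid"])
    return "BOOTREPLY to %s: server %s, boot file %r" % (
        pkt["chaddr"], pkt["siaddr"], pkt["file"])


def build_bootp(op: int, chaddr: bytes, xid: int = 0x3903F326,
                siaddr: str = "0.0.0.0", yiaddr: str = "0.0.0.0",
                boot_file: str = "", broadcast: bool = False) -> bytes:
    """Build a minimal BOOTP datagram. Constructed test input, not a capture."""
    flags = 0x8000 if broadcast else 0
    # struct pads the 's' fields with NUL bytes, which is what RFC 951 expects.
    header = _BOOTP_HDR.pack(
        op, 1, len(chaddr), 0, xid, 0, flags,
        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
        socket.inet_aton(siaddr), socket.inet_aton("0.0.0.0"),
        chaddr, b"", boot_file.encode("ascii"))
    return header + b"\x00" * 64  # empty 64-byte vendor area


if __name__ == "__main__":
    # Constructed sample traffic: a client broadcast and the server's answer.
    mac = bytes.fromhex("001122334455")  # made-up client hardware address
    request = build_bootp(1, mac, broadcast=True)
    reply = build_bootp(2, mac, siaddr="10.0.44.1", yiaddr="10.0.44.20",
                        boot_file="boot.img")
    print(direction_from_ports(68, 67), "|", describe(parse_bootp(request)))
    print(direction_from_ports(67, 68), "|", describe(parse_bootp(reply)))
```

To use it on real traffic, capture with `tcpdump -s 0 -w bootp.pcap udp port 67 or udp port 68` and hand each datagram's UDP payload to `parse_bootp`; the `chaddr` string is the value to look up against the MAC addresses of the cable modem and any other device on the segment.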



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:21:50 PDT