On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.