On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
On 08/16/2012 11:06 PM, fred smith wrote:
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still "on"). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look.
... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop.
weird.
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium.
SPT=67 source port = BOOTP server DPT=68 dest port = BOOTP client DST=255.255.255.255 dest address = Broadcast
that implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate.
My firewall is filtering them, which is good. and while there are a lot of them it isn't enough to make a dent in my incoming bandwidth. Were I still on dialup or DSL, it might be.
The firewall is the built-in firewall in my Asus router. the UI doesn't give much flexibility in what it logs (basically you can log none, dropped, accepted, or all--I've chosen to log dropped). Of course, I could open a shell on the router and hack the iptables rules, but I'd just as soon not.
thanks for the reply!