I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:46 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34102 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:16:00 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34114 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:16:40 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34139 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:16:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34149 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:16:47 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34152 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:17:05 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34175 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:17:07 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34178 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:17:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34181 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:17:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34183 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:17:16 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34188 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:17:49 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34210 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:18:27 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=411 TOS=0x00 PREC=0x00 TTL=255 ID=34243 PROTO=UDP <1>SPT=67 DPT=68 LEN=391 Aug 16 21:18:27 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=411 TOS=0x00 PREC=0x00 TTL=255 ID=34248 PROTO=UDP <1>SPT=67 DPT=68 LEN=391 Aug 16 21:18:31 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34253 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34255 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34257 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34259 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:18:41 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34271 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:18:50 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34280 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:19:11 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34293 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:19:12 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34295 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:19:42 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34306 PROTO=UDP <1>SPT=67 DPT=68 LEN=328 Aug 16 21:19:51 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34315 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:20:53 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34359 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:21:04 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34361 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:21:25 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34385 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still "on"). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look.
... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop.
weird.
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
-- john r pierce N 37, W 122 santa cruz ca mid-left coast
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 08/16/12 9:06 PM, fred smith wrote:
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still "on"). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look.
... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop.
weird.
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN.
this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ? if so, then yes, I imagine its something at your ISP, you might ask them what these are.
On 08/17/2012 12:20 AM, John R Pierce wrote:
the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN.
Yup looks like the ISP is checking to see who's on.
On 08/16/12 9:24 PM, Bobby wrote:
On 08/17/2012 12:20 AM, John R Pierce wrote:
the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN.
Yup looks like the ISP is checking to see who's on.
you might just try something like...
tcpdump -i eth0 -w udpdump.txt udp port 67 or udp port 68
and let that run for a few minutes, long enough to capture a few of these packets, then ctl-C it, and take that dumpfile and load it into wireshark (can do that on any system wireshark runs on) and see what it decodes the dhcp packets to actually be.
for instance, this is a DHCP 'renew' request (from the LAN side of my gateway)...
# tcpdump -i eth1 -vvv -n udp port 67 or udp port 68 tcpdump: listening on eth1 21:46:46.009596 192.168.0.136.bootpc > 192.168.0.1.bootps: xid:0x9fb275f6 C:192.168.0.136 [|bootp] (ttl 128, id 31970, len 339) 21:46:46.013544 192.168.0.1.bootps > 192.168.0.136.bootpc: xid:0x9fb275f6 C:192.168.0.136 Y:192.168.0.136 S:192.168.0.1 [|bootp] (ttl 64, id 16362, len 328)
2 packets received by filter 0 packets dropped by kernel
wireshark will do a much better job explaining the packets than tcpdump does.
On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:
On 08/16/12 9:06 PM, fred smith wrote:
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still "on"). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look.
... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop.
weird.
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
the MAC address prefix on that DHCP thing is 00:23:EB which is Cisco... and yes, ISP's frequently use private IP space for internal gateway networks. they aren't routable on the public internet, they don't have to be, they are just used for routes within the ISP's WAN.
this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ? if so, then yes, I imagine its something at your ISP, you might ask them what these are.
Yup, that's the WAN side of the router. I'll go yell at them, probably tomorrow.
thanks guys!
fred smith fredex@fcshome.stoneham.ma.us wrote:
On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:
this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ? if so, then yes, I imagine its something at your ISP, you might ask them what these are.
Yup, that's the WAN side of the router. I'll go yell at them, probably tomorrow.
I wouldn't bother.
Depending on the demarc equipment used by your ISP and how they have their network configured, you can wind up seeing this kind of crap and there's bugger-all that you can do about it
For example, with a cable modem, your assigned upstream segment might be network-A, but other people in your neighborhood might be on network-B, both serviced by the same RF carrier. You shouldn't see unicast traffic for your neighbors, but you could very well see broadcast (and dhcp is the most likely culprit). I know of a particular case where the ISP will assign statics out of one pool, dynamic IPs out of the other pool, a single modem will service machines out of both pools, and therefore you also see broadcast out of both pools.
This isn't specific to cable. With both cable and DSL providers I've seen both the only-see-your-own-traffic situation and the see-your-neighbors-broadcast situation. It all depends on the equipment and the configuration. And when I mean configuration, I'm talking about for everyone in your node, if not for your whole city. So it's unlikely that your ISP will change it just for you.
But if you still want to call them, fill your boots ...
Devin
On Fri, Aug 17, 2012 at 09:18:01PM -0600, Devin Reade wrote:
fred smith fredex@fcshome.stoneham.ma.us wrote:
On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:
this is on your eth0 side, I'm assuming thats the WAN side of your firewall/gateway ? if so, then yes, I imagine its something at your ISP, you might ask them what these are.
Yup, that's the WAN side of the router. I'll go yell at them, probably tomorrow.
I wouldn't bother.
thanks for the info. I didn't really expect to get any swift action, I kinda figured "it is what it is, like it or lump it" would be their response. but I still might drop them an email with some log excerpts just to see how they respond. I'm retired, I have plenty of time! :)
Depending on the demarc equipment used by your ISP and how they have their network configured, you can wind up seeing this kind of crap and there's bugger-all that you can do about it
For example, with a cable modem, your assigned upstream segment might be network-A, but other people in your neighborhood might be on network-B, both serviced by the same RF carrier. You shouldn't see unicast traffic for your neighbors, but you could very well see broadcast (and dhcp is the most likely culprit). I know of a particular case where the ISP will assign statics out of one pool, dynamic IPs out of the other pool, a single modem will service machines out of both pools, and therefore you also see broadcast out of both pools.
This isn't specific to cable. With both cable and DSL providers I've seen both the only-see-your-own-traffic situation and the see-your-neighbors-broadcast situation. It all depends on the equipment and the configuration. And when I mean configuration, I'm talking about for everyone in your node, if not for your whole city. So it's unlikely that your ISP will change it just for you.
But if you still want to call them, fill your boots ...
Devin
He is a prime candidate for natural deselection.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Fri, 17 Aug 2012, fred smith wrote: *snip*
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
Any network problems, I run Wireshark network analyser in GUI mode. It helps identify issues on the network with meaningfull error and warning messages.
HTH
Keith
----------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------
On 08/16/2012 11:06 PM, fred smith wrote:
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still "on"). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look.
... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop.
weird.
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium.
SPT=67 source port = BOOTP server DPT=68 dest port = BOOTP client DST=255.255.255.255 dest address = Broadcast
On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
On 08/16/2012 11:06 PM, fred smith wrote:
On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
On 08/16/12 7:01 PM, fred smith wrote:
I'm getting a gazillion of these probes in my firewall logs. I don't understand what's going on here,... These all look like bootp requests from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the destination address... is it possible to send packets out onto the internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 Aug 16 21:14:45 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 Aug 16 21:15:08 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP<1>SPT=67 DPT=68 LEN=308 ....
that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN thats trying to get autoconfigured?.
John, I'm willing to believe that, but I don't know where it would be coming from... not to mention that 10.x.x.x isn't valid on my LAN, it's in the 192.168.x.x range. I guess I could go around disconnecting things and see where it's coming from. other than some PCs, there is a networked printer, a LaCie RAID-1 network storage box, and a Television, which is allegedly turned off (but as we all know you don't turn them off, really, at least some part is still "on"). last time I looked at the TV config it was properly configured in 192.168.x.x, but perhaps I should go downstairs and take another look.
... no, it's not the tv, I just unplugged its cat5 from the jack and the issue didn't stop.
weird.
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Any other thoughts?
Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium.
SPT=67 source port = BOOTP server DPT=68 dest port = BOOTP client DST=255.255.255.255 dest address = Broadcast
that implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate.
My firewall is filtering them, which is good. and while there are a lot of them it isn't enough to make a dent in my incoming bandwidth. Were I still on dialup or DSL, it might be.
The firewall is the built-in firewall in my Asus router. the UI doesn't give much flexibility in what it logs (basically you can log none, dropped, accepted, or all--I've chosen to log dropped). Of course, I could open a shell on the router and hack the iptables rules, but I'd just as soon not.
thanks for the reply!
On 08/18/2012 10:01 AM, fred smith wrote:
On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium.
SPT=67 source port = BOOTP server DPT=68 dest port = BOOTP client DST=255.255.255.255 dest address = Broadcastthat implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate.
My firewall is filtering them, which is good. and while there are a lot of them it isn't enough to make a dent in my incoming bandwidth. Were I still on dialup or DSL, it might be.
The firewall is the built-in firewall in my Asus router. the UI doesn't give much flexibility in what it logs (basically you can log none, dropped, accepted, or all--I've chosen to log dropped). Of course, I could open a shell on the router and hack the iptables rules, but I'd just as soon not.
thanks for the reply!
FWIW, I average about 9 of those per minute on my cable segment. That's 194000 packets counted by my own (non-logging!) iptables rule in the 15+ days this system has been up.
On Saturday, August 18, 2012 11:01:26 AM fred smith wrote:
On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
On 08/16/2012 11:06 PM, fred smith wrote:
hmm... just did traceroute 10.21.72.1 and it comes back as being a system at my ISP. that doesn't seem right to me. they shouldn't be broadcaasting such stuff, as far as I know, at least.
Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address.
that implies that there are a WHOLE LOT of systems served by this provider that are doing dhcp requests, given the volume of these things I'm seeing. they're arriving at rates ranging from 4-5 a second, to 1-2 a minute, mostly in the one every 1-5 seconds rate.
Welcome to NAT444. Aka 'double-NAT' or 'carrier-grade NAT' where your connection's WAN port is further NATted at the ISP's border router, and the ISP itself is using RFC 1918 space and minimal publicly routable IP addresses.
There was a special IPv4 address block allocated for this purpose relatively recently; discussion can be found in the NANOG mailing list archives.....
-
Bobby -
Devin Reade -
fred smith -
John R Pierce -
Keith Roberts -
Lamar Owen -
Robert Nichols