On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
> On 08/16/2012 11:06 PM, fred smith wrote:
> > On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
> >> On 08/16/12 7:01 PM, fred smith wrote:
> >>> I'm getting a gazillion of these probes in my firewall logs. I don't
> >>> understand what's going on here,... These all look like bootp requests
> >>> from 10.21.72.1, to 255.255.255.255.
> >>>
> >>> there's certainly no 10.x.x.x here on this network, and I don't get the
> >>> destination address... is it possible to send packets out onto the
> >>> internet addressed like that?
> >>>
> >>> whois doesn't turn up anything on 10.21.72.1.
> >>>
> >>> Anybody got suggestions on how I'd track this down?
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> Aug 16 21:13:59 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP<1>SPT=67 DPT=68 LEN=308
> >>> Aug 16 21:14:45 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP<1>SPT=67 DPT=68 LEN=308
> >>> Aug 16 21:15:08 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP<1>SPT=67 DPT=68 LEN=308
> >>> ....
> >>
> >> that looks like DHCP requests.  maybe there's some piece of network gear
> >> on your gateway LAN that's trying to get autoconfigured?
> >
> > John, I'm willing to believe that, but I don't know where it would be
> > coming from... not to mention that 10.x.x.x isn't valid on my LAN,
> > it's in the 192.168.x.x range. I guess I could go around disconnecting
> > things and see where it's coming from. other than some PCs, there is a
> > networked printer, a LaCie RAID-1 network storage box, and a Television,
> > which is allegedly turned off (but as we all know you don't turn them
> > off, really, at least some part is still "on"). last time I looked at
> > the TV config it was properly configured in 192.168.x.x, but perhaps
> > I should go downstairs and take another look.
> >
> > ... no, it's not the tv, I just unplugged its cat5 from the jack and
> > the issue didn't stop.
> >
> > weird.
> >
> > hmm... just did traceroute 10.21.72.1 and it comes back as being a
> > system at my ISP. that doesn't seem right to me. they shouldn't be
> > broadcasting such stuff, as far as I know, at least.
> >
> > Any other thoughts?
>
> Those are BOOTP responses from your ISP's DHCP server to clients requesting
> an IP address.  They have to be broadcast because the client does not yet
> have an IP address.  Go yell at whoever set up your firewall to log these
> harmless packets that are a necessary part of dynamic IPv4 address
> assignment on a shared medium.
>
>      SPT=67               source port = BOOTP server
>      DPT=68               dest port = BOOTP client
>      DST=255.255.255.255  dest address = Broadcast

that implies that there are a WHOLE LOT of systems served by this provider
that are doing dhcp requests, given the volume of these things I'm seeing.
they're arriving at rates ranging from 4-5 a second, to 1-2 a minute,
mostly in the one every 1-5 seconds rate.

My firewall is filtering them, which is good. and while there are a lot
of them it isn't enough to make a dent in my incoming bandwidth. Were
I still on dialup or DSL, it might be.

The firewall is the built-in firewall in my Asus router. the UI doesn't
give much flexibility in what it logs (basically you can log none, dropped,
accepted, or all--I've chosen to log dropped). Of course, I could open
a shell on the router and hack the iptables rules, but I'd just as soon
not.

thanks for the reply!

-- 
---- Fred Smith -- fredex at fcshome.stoneham.ma.us -----------------------------
    "Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
     heaven, but only he who does the will of my Father who is in heaven."
------------------------------ Matthew 7:21 (niv) -----------------------------
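
The field reading given in the thread (SPT=67, DPT=68, DST=255.255.255.255), applied to the quoted log lines as an added example that is not part of the original messages: it picks out DHCP server broadcasts, reads the sender's MAC from the `MAC=` field, and reports how often each sender appears. The function names are hypothetical, the fourth log line is constructed, and the year 2012 is assumed from the mail headers because syslog omits it.

```python
import re
from datetime import datetime

# The first three entries are the log lines quoted in the thread; the last is
# a constructed non-DHCP drop so the filter has something to reject.
SAMPLE_LOG = """\
Aug 16 21:13:59 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP<1>SPT=67 DPT=68 LEN=308
Aug 16 21:14:45 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP<1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:08 kernel: DROP<4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00<1>SRC=10.21.72.1 DST=255.255.255.255<1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP<1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:30 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 SYN
"""

# Named keys only; a value ends at whitespace or at the "<1>" debris in the log.
FIELD = re.compile(r"(IN|OUT|MAC|SRC|DST|PROTO|SPT|DPT)=([^\s<]*)")
STAMP = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d")

def parse_line(line, year=2012):
    """Return the netfilter LOG fields of one line, plus TIME if present."""
    fields = dict(FIELD.findall(line))
    stamp = STAMP.match(line)
    if stamp:  # syslog omits the year; 2012 is assumed from the mail headers
        fields["TIME"] = datetime.strptime(f"{year} {stamp.group()}", "%Y %b %d %H:%M:%S")
    return fields

def is_dhcp_server_broadcast(f):
    """UDP 67 -> 68 to the limited broadcast address: a DHCP server reply."""
    return (f.get("PROTO"), f.get("SPT"), f.get("DPT"), f.get("DST")) == \
        ("UDP", "67", "68", "255.255.255.255")

def sender_mac(f):
    """MAC= is destination (6 bytes), source (6 bytes), EtherType (2 bytes)."""
    return ":".join(f.get("MAC", "").split(":")[6:12])

def summarise(log):
    """Group DHCP server broadcasts by (source IP, sender MAC)."""
    seen = {}
    for line in log.splitlines():
        f = parse_line(line)
        if is_dhcp_server_broadcast(f) and "TIME" in f:
            seen.setdefault((f["SRC"], sender_mac(f)), []).append(f["TIME"])
    report = {}
    for key, times in seen.items():
        span = (max(times) - min(times)).total_seconds()
        report[key] = {"count": len(times),
                       "mean_interval_s": span / (len(times) - 1) if len(times) > 1 else None}
    return report

if __name__ == "__main__":
    for (src, mac), stats in summarise(SAMPLE_LOG).items():
        print(src, mac, stats)
```

A single (source IP, MAC) pair accounting for all of the entries points at one upstream DHCP server on the WAN segment rather than a device on the LAN side.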