[CentOS] OT: what are all these probes from my firewall log????

fred smith fredex at fcshome.stoneham.ma.us
Fri Aug 17 04:06:37 UTC 2012


On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
> On 08/16/12 7:01 PM, fred smith wrote:
> > I'm getting a gazillion of these probes in my firewall logs. I don't
> > understand what's going on here,... These all look like bootp requests
> > from 10.21.72.1, to 255.255.255.255.
> >
> > there's certainly no 10.x.x.x here on this network, and I don't get the
> > destination address... is it possible to send packets out onto the
> > internet addressed like that?
> >
> > whois doesn't turn up anything on 10.21.72.1.
> >
> > Anybody got suggestions on how I'd track this down?
> >
> > Thanks!
> >
> >
> > Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> > Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> > Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> > ....
> 
> that looks like DHCP requests.  maybe there's some piece of network gear 
> on your gateway LAN that's trying to get autoconfigured?

John, I'm willing to believe that, but I don't know where it would be
coming from... not to mention that 10.x.x.x isn't valid on my LAN,
it's in the 192.168.x.x range. I guess I could go around disconnecting
things and see where it's coming from. other than some PCs, there is a
networked printer, a LaCie RAID-1 network storage box, and a Television,
which is allegedly turned off (but as we all know you don't turn them
off, really, at least some part is still "on"). last time I looked at
the TV config it was properly configured in 192.168.x.x, but perhaps
I should go downstairs and take another look.

... no, it's not the tv, I just unplugged its cat5 from the jack and
the issue didn't stop.

weird. 

hmm... just did traceroute 10.21.72.1 and it comes back as being a
system at my ISP. that doesn't seem right to me. they shouldn't be
broadcasting such stuff, as far as I know, at least.

Any other thoughts?

-- 
-------------------------------------------------------------------------------
    Under no circumstances will I ever purchase anything offered to me as
    the result of an unsolicited e-mail message. Nor will I forward chain
    letters, petitions, mass mailings, or virus warnings to large numbers
    of others. This is my contribution to the survival of the online
    community.
 --Roger Ebert, December, 1996
----------------------------- The Boulder Pledge -----------------------------
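Added example, not part of the original thread: the MAC= field in these netfilter log lines is the raw Ethernet header (6 bytes destination, 6 bytes source, 2 bytes EtherType), so the sender's hardware address is already in the log, and UDP source port 67 to destination port 68 is the server-to-client direction of BOOTP/DHCP. The Python below groups dropped DHCP broadcasts by source MAC and IP; the function names and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# First two lines are copied from the post above; the third is constructed.
SAMPLE = [
    "Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308",
    "Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308",
    "Aug 16 21:16:02 kernel: DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22",
]

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; skips the "<1>" debris

def parse(line):
    """Return addressing fields from one netfilter LOG line, or None if unusable."""
    f = dict(FIELD.findall(line))
    mac = f.get("MAC", "").split(":")
    if len(mac) != 14:  # expect dst(6) + src(6) + EtherType(2)
        return None
    try:
        spt, dpt = int(f["SPT"]), int(f["DPT"])
    except (KeyError, ValueError):
        return None  # no ports logged (e.g. ICMP) or malformed line
    return {"dst_mac": ":".join(mac[:6]), "src_mac": ":".join(mac[6:12]),
            "ethertype": "".join(mac[12:]), "src": f.get("SRC"),
            "dst": f.get("DST"), "proto": f.get("PROTO"), "spt": spt, "dpt": dpt}

def dhcp_direction(rec):
    """Classify BOOTP/DHCP traffic by its well-known UDP ports."""
    if rec["proto"] != "UDP":
        return None
    if (rec["spt"], rec["dpt"]) == (67, 68):
        return "server-to-client"
    if (rec["spt"], rec["dpt"]) == (68, 67):
        return "client-to-server"
    return None

def summarize(lines):
    """Count DHCP log lines per (source MAC, source IP, direction)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        direction = dhcp_direction(rec) if rec else None
        if direction:
            counts[(rec["src_mac"], rec["src"], direction)] += 1
    return counts

if __name__ == "__main__":
    for (mac, ip, direction), n in summarize(SAMPLE).items():
        print(f"{n:4d}  {direction:16s}  src_mac={mac}  src_ip={ip}")
```

The source MAC belongs to whatever put the frame on the eth0 segment, so it can be compared against the neighbor table (`ip neigh`) or the gateway's hardware address.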


