[CentOS] OT: what are all these probes from my firewall log????

fred smith fredex at fcshome.stoneham.ma.us
Fri Aug 17 05:01:12 UTC 2012 

On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:
> On 08/16/12 9:06 PM, fred smith wrote:
> > On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
> >> On 08/16/12 7:01 PM, fred smith wrote:
> >>> I'm getting a gazillion of these probes in my firewall logs. I don't
> >>> understand what's going on here,... These all look like bootp requests
> >>> from 10.21.72.1, to 255.255.255.255.
> >>>
> >>> there's certainly no 10.x.x.x here on this network, and I don't get the
> >>> destination address... is it possible to send packets out onto the
> >>> internet addressed like that?
> >>>
> >>> whois doesn't turn up anything on 10.21.72.1.
> >>>
> >>> Anybody got suggestions on how I'd track this down?
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> >>> Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> >>> Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> >>> ....
> >> that looks like DHCP requests.  maybe there's some piece of network gear
> >> on your gateway LAN thats trying to get autoconfigured?.
> > John, I'm willing to believe that, but I don't know where it would be
> > coming from... not to mention that 10.x.x.x isn't valid on my LAN,
> > it's in the 192.168.x.x range. I guess I could go around disconnecting
> > things and see where it's coming from. other than some PCs, there is a
> > networked printer, a LaCie RAID-1 network storage box, and a Television,
> > which is allegedly turned off (but as we all know you don't turn them
> > off, really, at least some part is still "on"). last time I looked at
> > the TV config it was properly configured in 192.168.x.x, but perhaps
> > I should go downstairs and take another look.
> >
> > ... no, it's not the tv, I just unplugged its cat5 from the jack and
> > the issue didn't stop.
> >
> > weird.
> >
> > hmm... just did traceroute 10.21.72.1 and it comes back as being a
> > system at my ISP. that doesn't seem right to me. they shouldn't be
> > broadcaasting such stuff, as far as I know, at least.
> >
> > Any other thoughts?
> >
> 
> 
> the MAC address prefix on that DHCP thing is 00:23:EB which is 
> Cisco...   and yes, ISP's frequently use private IP space for internal 
> gateway networks.   they aren't routable on the public internet, they 
> don't have to be, they are just used for routes within the ISP's WAN.
> 
> this is on your eth0 side, I'm assuming thats the WAN side of your 
> firewall/gateway ?    if so, then yes, I imagine its something at your 
> ISP, you might ask them what these are.

Yup, that's the WAN side of the router. I'll go yell at them, probably
tomorrow.

thanks guys!

-- 
---- Fred Smith -- fredex at fcshome.stoneham.ma.us -----------------------------
  "And he will be called Wonderful Counselor, Mighty God, Everlasting Father,
  Prince of Peace. Of the increase of his government there will be no end. He 
 will reign on David's throne and over his kingdom, establishing and upholding
      it with justice and righteousness from that time on and forever."
------------------------------- Isaiah 9:7 (niv) ------------------------------

More information about the CentOS mailing list