At 09:51 AM 1/29/03 -0600, Joey Officer wrote:
>I'm not sure if that topic is adequate, but here goes.
>
>I'm sick of my logs filling up with various IPs all trying to hit various ports. I know I can put the silent deny up and it won't fill up the log any more, but is there a more defensive approach that can be taken? Is there a way to trace what appear to be spoofed IP addresses? I've got about a million of the following entry in my logs:
>
>Jan 29 11:23:47 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25217 F=0x0000 T=255 (#8)
>
>I know the 10.x.x.x is for private use, so it's obviously not a real IP. But is there a way to 'answer' the request in order to get more information from the offending computer to advise the admins and see if they can do something about it?

Unless your ISP actually uses that address range on your external interface, there should be no way to " 'answer' the request ". That's why the addresses are called "private" -- the standards call for them to be unroutable on the public Internet. But while they are often called "not real" colloquially, they in fact can be perfectly "real", in that they are used by actual machines on NAT'd LANs.
Since they involve source port 67 and broadcast traffic (at least your example does), it's a good guess that this traffic comes from other users of your ISP who do not have their routers (or, possibly, their LAN broadcast addresses) set properly, causing the incessant chatter of Windows PCs with file-sharing enabled to leak off the LAN. If this guess is right, then the source addresses are not spoofed; they are real machines on NAT'd LANs that have misconfigured routers. (Old saying: "Never attribute to malice that which can be adequately explained by incompetence.")
Of course, this comment only applies to the example log entry you chose; your general question about "various IPs all trying to hit various ports" is too vague to answer in the form posed. Some knowledge of the actual addresses and ports involved is required. (And there *is* another old saying: "Never attribute to incompetence that which can be adequately explained by malice.")
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
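The triage Ray describes above (look at the ports and the address class before deciding whether a denied packet is leaked LAN chatter, a spoof, or something worth chasing) can be scripted. The following is an added example, not code from the original thread or from the LEAF project: it parses ipchains "Packet log:" lines in the format Joey posted, classifies each one, and counts them so the million-entry log collapses to a few rows. The category names, the explicit RFC 1918 check and the `answerable()` helper are my own choices; only the first sample line comes from the post, the rest are constructed here (the public addresses are documentation ranges, not real hosts).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. Line 1 is the entry quoted in the post; the others
# are made up here to exercise each classification branch.
SAMPLE_LOG = """\
Jan 29 11:23:47 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25217 F=0x0000 T=255 (#8)
Jan 29 11:23:52 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.51.192.1:67 255.255.255.255:68 L=350 S=0x00 I=25220 F=0x0000 T=255 (#8)
Jan 29 11:24:03 firewall kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.20:137 192.168.1.255:137 L=78 S=0x00 I=1234 F=0x0000 T=128 (#8)
Jan 29 11:24:10 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:4321 198.51.100.7:1433 L=48 S=0x00 I=5678 F=0x4000 T=112 (#8)
Jan 29 11:24:11 firewall kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:1025 198.51.100.7:22 L=60 S=0x00 I=9999 F=0x4000 T=49 (#8)
"""

# ipchains log layout: chain action iface PROTO=n src:sport dst:dport L=len ... T=ttl
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) .*?T=(?P<ttl>\d+)"
)

# RFC 1918 blocks, checked explicitly: ipaddress's is_private also flags
# documentation and other reserved ranges, which is not what "private" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict of fields for one Packet-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        entry[key] = int(entry[key])
    return entry


def classify(entry):
    """Label a denied packet with the most likely explanation of its source (my labels)."""
    udp = entry["proto"] == 17
    if udp and entry["sport"] == 67 and entry["dport"] == 68:
        return "dhcp-server-broadcast"   # a neighbour's DHCP server leaking off its LAN
    if udp and entry["sport"] == 68 and entry["dport"] == 67:
        return "dhcp-client-broadcast"   # a neighbour's host asking for a lease
    if udp and entry["dport"] in (137, 138):
        return "netbios-broadcast"       # Windows file-sharing name/datagram chatter
    if is_rfc1918(entry["src"]):
        return "private-source"          # unroutable: misconfigured neighbour or a spoof
    return "public-source"               # routable address; owner can actually be looked up


def answerable(src):
    """True if a reply could reach src across the public Internet.
    Caveat from the post: this is wrong if your ISP uses RFC 1918 space on your external link."""
    return not is_rfc1918(src)


def triage(log_text):
    """Count denied packets by (category, source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(classify(entry), entry["src"], entry["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (cat, src, dport), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {cat:22s} {src:>15s} -> :{dport:<5d} answerable={answerable(src)}")
```

Feed it the real log (`python3 triage.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the rows tagged `public-source` are the only ones where "advising the admins" is even possible; the rest are the broadcast leakage Ray describes, and the sensible fix is the silent deny.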
-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
