Re: strange broadcast packets
Hi Phillip

On Tuesday, 10-Jun-03 at 19:59:40, Phillip Hofmeister wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas W?st wrote:
>> Hi
>>
>>> Hello,
>>>
>>> isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
>>> dhcp requests from clients?
>>
>> No lan here.. !!
>
> That IP address might be used by your cable modem service as an
> internal management address to hand out IP addresses. Or it might even
> be your bridge (cable modem). In either case, this is not something to
> be worried about. In fact I made a special rule in my iptables so such
> packets don't get logged.

Cool, thanks a lot for your help!!

So, can I happily block them? As it seems, unfortunately I have to keep udp port 68 stateful open, to renew the dhcp lease, no?

--
All the best, and really thanks a lot for your answers,
Andi
Re: strange broadcast packets
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 10 Jun 2003 at 07:21:25PM +0100, Andreas W?st wrote:
> Hi
>
> > Hello,
> >
> > isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
> > dhcp requests from clients?
>
> No lan here.. !!

That IP address might be used by your cable modem service as an internal management address to hand out IP addresses. Or it might even be your bridge (cable modem). In either case, this is not something to be worried about. In fact I made a special rule in my iptables so such packets don't get logged.

Be well,

- --
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
- --
Excuse #34: Heavy gravity fluctuation move computer to floor rapidly

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+5iqFS3Jybf3L5MQRAvTTAJ9HjtzJ3VLuxePPG6Ph9ZOW9dYKgACfXpet
jjtqPu0j7Se0dWS2gwScG10=
=3kbY
-END PGP SIGNATURE-
Re: strange broadcast packets
Hi

> Hello,
>
> isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to
> dhcp requests from clients?

No lan here.. !!

--
Best wishes,
Andi
re: strange broadcast packets
Hello,

isn't perhaps 10.208.64.1 your dhcp server and aren't this reply to dhcp requests from clients?

Carpe Noctem,
Kuba BIGHard Jakubik
strange broadcast packets
Hi

Since I started to do some excessive logging a few days ago, I noticed some strange broadcasted packets:

...
Jun 9 16:06:10 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26012 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun 9 16:06:13 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26015 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun 9 16:06:19 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26033 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun 9 16:06:23 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26060 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun 9 16:06:28 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=26072 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 9 16:06:28 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=26075 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 9 16:06:30 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26078 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun 9 16:06:31 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26081 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun 9 16:06:31 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26093 PROTO=UDP SPT=67 DPT=68 LEN=313
...

10.208.64.1 seems to be spoofed anyway.. These packets are received regularly. Something to worry about? Is dhclient vulnerable to this attack?

Hope someone can give some insight on this. :)

--
Best wishes,
Andi
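Added example, not part of the original thread: a small Python triage of kernel LOG lines like the ones in the post above. It picks out DHCP server broadcasts (UDP 67 to 68, destination 255.255.255.255), counts them per source, reports whether the source is a private address, and checks that the two LEN values fit a DHCP message. The function names, the third sample line and the 20-byte IP header are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two lines in the format quoted in the post, plus one
# invented non-DHCP line (documentation addresses) for contrast.
SAMPLE = """\
Jun 9 16:06:10 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=368 TOS=0x00 PREC=0x00 TTL=255 ID=26012 PROTO=UDP SPT=67 DPT=68 LEN=348
Jun 9 16:06:19 *** kernel: IN=eth0 OUT= MAC=*** SRC=10.208.64.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=26033 PROTO=UDP SPT=67 DPT=68 LEN=313
Jun 9 16:07:02 *** kernel: IN=eth0 OUT= MAC=*** SRC=192.0.2.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN
"""

# Assumption: IPv4 header without options (20 bytes). A DHCP message is at
# least 236 bytes of fixed BOOTP fields plus the 4-byte magic cookie.
IP_HEADER_LEN = 20
MIN_DHCP_UDP_LEN = 8 + 236 + 4

def parse(line):
    """Turn one netfilter LOG line into a dict; the second LEN= is the UDP length."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        if key == "LEN" and "LEN" in fields:
            key = "UDPLEN"
        fields.setdefault(key, value)
    return fields

def is_dhcp_server_broadcast(f):
    """Server-to-client DHCP: UDP 67 -> 68 sent to the limited broadcast address."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "67"
            and f.get("DPT") == "68" and f.get("DST") == "255.255.255.255")

def triage(text):
    """Return (per-source report, count of non-DHCP lines, DHCP lines with odd sizes)."""
    sources, other, odd = Counter(), 0, []
    for line in filter(None, map(str.strip, text.splitlines())):
        f = parse(line)
        if not is_dhcp_server_broadcast(f):
            other += 1
            continue
        sources[f["SRC"]] += 1
        ip_len, udp_len = int(f.get("LEN", 0)), int(f.get("UDPLEN", 0))
        if udp_len < MIN_DHCP_UDP_LEN or ip_len - udp_len != IP_HEADER_LEN:
            odd.append(line)
    report = {src: {"count": n, "private": ipaddress.ip_address(src).is_private}
              for src, n in sources.items()}
    return report, other, odd

if __name__ == "__main__":
    report, other, odd = triage(SAMPLE)
    for src, info in report.items():
        print(f"{src}: {info['count']} DHCP server broadcasts, private={info['private']}")
    print(f"{other} other logged packets, {len(odd)} DHCP lines with implausible sizes")
```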