Re: [SLUG] Question 2: Firewall Log

From: Greg Schmidt (slugmail@gschmidt.net)
Date: Thu Oct 31 2002 - 07:18:42 EST


On Thu, 31 Oct 2002, Larry Sanders wrote:

> I'm using a variation of Derek's IPTABLES firewall
> Here are some very typical entries from the log.
> Note the MAC address and SRC= IP address
>
> Oct 31 01:11:35 moshe kernel: DROP INPUT:IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=6537 PROTO=UDP
> SPT=67 DPT=68 LEN=308
> Oct 31 01:12:04 moshe kernel: DROP INPUT:IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1
> DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=255 ID=6556 PROTO=UDP
> SPT=67 DPT=68 LEN=320
>
> Should I be reporting this to Earthlink?

Probably not, but you could try.

> Will they look at my traffic closer and see that I'm masquerading a network?

Unlikely. But when this gets moved to the archive and Google indexes
it... :)

> Could it be Earthlink that is testing me every 5 to 20 seconds?

Highly unlikely.

> These create massive logs. What is happening?

I might be wrong about this, but I'll go out on a limb and say it looks to
me like the NIC at 10.99.64.1 is a DHCP server, or BootP/DHCP relay agent.

DHCP clients send requests to the server on port 67 and the servers reply
on port 68, thus the "SPT=67 DPT=68". The all F's destination MAC
address is normal. It's the layer 2 broadcast address like
255.255.255.255 is the layer 3 broadcast address. The initial DHCP
request from the client is always a broadcast since the NIC doesn't know
the address of the server yet. The first response from the server also
has to be a broadcast since the client NIC doesn't know its address yet.
The next two packets in a typical DHCP exchange are unicast since both
sides know the other's address.

The source MAC address of 00:06:2A:C8:C4:54 is interesting because
00:06:2A is MAC address space assigned to Cisco. This contributes to my
suspicion that 10.99.64.1 is a DHCP server or a device relaying DHCP
requests to a server. I don't know what the 08:00 part is. Maybe
someone else can help with that.

I'm suspecting Earthlink uses the 10.X.Y.Z private address space
internally to manage their routers. They've got that sitting on your
network segment with that address so that they don't need to waste one of
the more precious Internet-legal addresses they need to hand to you,
and to offer it some bit of protection by making it not normally visible
to the whole 'Net.

Do these entries peak at certain times of the day? Do you see UDP port 67
and 68 broadcast traffic with no source IP address? Those would be the
initial requests from the client for a DHCP server. If it is really their
DHCP server, you'll see that traffic come across whenever a new network
connection is established by some machine in your broadcast domain or
network segment and it sends the DHCP request. Your firewall has to pick
up those packets and deal with them because they are broadcasts, and
therefore, addressed to it (as well as everyone else that could see the
packet come across the wire).

You could probably change your firewall rules so that you don't log UDP
port 67 and 68 traffic if you're running low on log space.

It is also possible that I'm completely off my rocker here and your
network is under immediate and dire threat, but if so someone else on this
list should straighten me out soon.

Good luck,
Greg
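
As an added example (mine, not Greg's or Larry's), a small Python parser for iptables kernel log lines in this format: it splits the MAC= field into destination MAC, source MAC and Ethernet type (the trailing 08:00 Greg asked about is the IPv4 ethertype, 0x0800), and labels the port 67/68 traffic so it can be counted or filtered out of a log review. The first sample line is Larry's; the other three are constructed to exercise each branch.

```python
import re
from collections import Counter

# One line copied from the log Larry posted, plus three constructed lines
# (a client DISCOVER, a unicast server reply, and unrelated TCP) to exercise
# every branch of the classifier.
SAMPLE_LOG = """\
Oct 31 01:11:35 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=6537 PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 31 01:12:02 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:0b:0c:0d:0e:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 31 01:12:09 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=00:0a:0b:0c:0d:0e:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1 DST=10.99.64.23 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=6560 PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 31 01:12:31 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=00:0a:0b:0c:0d:0e:00:06:2a:c8:c4:54:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one kernel log line as a dict.
    The second LEN= (UDP length) overwrites the first (IP length); neither
    matters for classification. MAC= is the 14-byte Ethernet header."""
    fields = dict(KV.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) >= 14:  # dst(6) + src(6) + ethertype(2)
        fields["eth"] = {
            "dst": ":".join(octets[0:6]),
            "src": ":".join(octets[6:12]),
            "oui": ":".join(octets[6:9]),         # vendor prefix, e.g. Cisco's 00:06:2a
            "ethertype": "".join(octets[12:14]),  # 0800 = IPv4 payload
        }
    return fields

def classify(f):
    """Label the traffic pattern so a log review can set DHCP noise aside."""
    eth = f.get("eth", {})
    if f.get("PROTO") != "UDP" or {f.get("SPT"), f.get("DPT")} != {"67", "68"}:
        return "other"
    if f.get("SPT") == "67" and f.get("DST") == "255.255.255.255" and eth.get("dst") == BROADCAST_MAC:
        return "dhcp-server-broadcast"  # OFFER/ACK to a client with no address yet
    if f.get("SPT") == "68" and f.get("SRC") == "0.0.0.0" and eth.get("dst") == BROADCAST_MAC:
        return "dhcp-client-broadcast"  # DISCOVER/REQUEST looking for a server
    return "dhcp-unicast"               # later packets once both sides know addresses

def summarize(log):
    return Counter(classify(parse_iptables_line(l)) for l in log.splitlines() if "kernel:" in l)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{count:4d}  {label}")
```

Run over a real log, the summary shows how much of the volume is the expected server broadcast versus anything else worth a closer look.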



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:18:39 EDT