Re: [SLUG] Question 2: Firewall Log

From: Ian C. Blenke (icblenke@nks.net)
Date: Thu Oct 31 2002 - 09:21:17 EST


On Thursday 31 October 2002 07:18, Greg Schmidt wrote:
> On Thu, 31 Oct 2002, Larry Sanders wrote:
> > I'm using a variation of Derek's IPTABLES firewall
> > Here are some very typical entries from the log.
> > Note the MAC address and SRC= ip address
> >
> > Oct 31 01:11:35 moshe kernel: DROP INPUT:IN=eth1 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1
> > DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=6537 PROTO=UDP
> > SPT=67 DPT=68 LEN=308
> > Oct 31 01:12:04 moshe kernel: DROP INPUT:IN=eth1 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1
> > DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=255 ID=6556 PROTO=UDP
> > SPT=67 DPT=68 LEN=320
> >
> > Should I be reporting this to Earthlink?
>
> Probably not, but you could try.

They don't do anything about it. It's the way they have it configured. It's
abysmal. I shouldn't be seeing the broadcast DHCP leases of all of my
neighbor's cablemodems, but I am.

From your email, I've deduced that you are an "Earthlink Broadband" customer.
Earthlink Broadband service is just resold TimeWarner network access, just
like RoadRunner. The same is true for Internet Junction Broadband, and AOL
Broadband.

There are others as well, but I haven't seen them off of the MLK switch here
in Tampa.

> > Will they look at my traffic closer and see that I'm masquerading a
> > network?
>
> Unlikely. But when this gets moved to the archive and google indexes
> it... :)

Damn list archives ;)

> > Could it be Earthlink that is testing me every 5 to 20 seconds?
>
> Highly unlikely.

Improbable.

> > These create massive logs. What is happening?
>
> I might be wrong about this, but I'll go out on a limb and say it looks to
> me like the NIC at 10.99.64.1 is a DHCP server, or BootP/DHCP relay agent.

It's a relay agent. If you look inside the actual leases themselves, you'll
see the actual address of the DHCP server (docsis01.tampabay.rr.com
[65.32.1.67]).

> DHCP clients send requests to the server on port 67 and the servers reply
> on port 68, thus the "SPT=67 DPT=68". The all F's destination MAC
> address is normal. It's the layer 2 broadcast address like
> 255.255.255.255 is the layer 3 broadcast address. The initial DHCP
> request from the client is always a broadcast since the NIC doesn't know
> the address of the server yet. The first response from the server also
> has to be a broadcast since the client NIC doesn't know it's address yet.
> The next two packets in a typical DHCP exchange are unicast since both
> sides know the other's address.

The response from the server doesn't have to be broadcast, it knows the MAC of
the machine it is giving the lease back to. I would argue that this is Broken
As Designed, however - the RFCs define this as appropriate behavior.

> The source MAC address of 00:06:2A:C8:C4:54 is interesting because
> 00:06:2A is MAC address space assigned to Cisco. This contributes to my
> suspicion that 10.99.64.1 is a DHCP server or a device relaying DHCP
> requests to a server. I don't know what the 08:00 part is. Maybe
> someone else can help with that.

It is indeed a Cisco. You can give your PC a 10.99.64.x network address that
is unused on your cablemodem private segment and ping/scan that router to
your heart's content. Not that I recommend doing this, of course.

Broken? I think so. The ACLs in your DOCSIS config should be blocking this.
Period.

> I'm suspecting Earthlink uses the 10.X.Y.Z private address space
> internally to manage their routers. They've got that sitting on your
> network segment with that address so that they don't need to waste one of
> the more precious Internet-legal addresses they need to hand to you,
> and to offer it some bit of protection by making it not normally visible
> to the whole 'Net.

Earthlink Cablemodem service is just resold TimeWarner network access, just
like RoadRunner. The TimeWarner cablemodem network uses 10.x.x.x private
address space for the routers and DOCSIS network itself.

If you watch all DHCP traffic on your segment and look for DOCSIS config
filenames, you'll see names like:

        disabled.bin - Disabled
        isaoip1bw1.bin - AOL
        iselip1bw1.bin - Earthlink
        isijip1bw1.bin - Internet Junction
        isrcip11bw1.bin - RoadRunner Corporate account
        isrrip8bw1.bin - RoadRunner Residential account

From the logs I have, there are approximately 30 different DOCSIS config
templates in use on my network segment leg.

> Do these entries peak at certain times of the day? Do you see UDP port 67
> and 68 broadcast traffic with no source IP address? Those would be the
> initial requests from the client for a DHCP server. If it is really their
> DHCP server, you'll see that traffic come across whenever a new network
> connection is established by some machine in your broadcast domain or
> network segment and it sends the DHCP request. Your firewall has to pick
> up those packets and deal with them because they are broadcasts, and
> therefore, addressed to it (as well as everyone else that could see the
> packet come across the wire).
>
> You could probably change your firewall rules so that you don't log UDP
> port 67 and 68 traffic if you're running low on log space.

If you're using DOCSIS cablemodems on the TimeWarner network, I would
recommend it. I've been logging every DHCP lease for the past 6 months (to
track how many neighboring DOCSIS cablemodems are on the same segment as I
am). The current count is 4282 "neighbors" (unique MACs) that have received
DHCP DOCSIS leases over that period. Many are disabled at this point, but I
have packet dumps of ALL leases over this period.

> It is also possible that I'm completely off my rocker here and your
> network is under immediate and dire threat, but if so someone else on this
> list should straighten me out soon.

Nope, not off your rocker at all. Very correct in fact.

I'd like to know if AOL Broadband, Internet Junction Broadband, Earthlink
Broadband, or one of the other TimeWarner cablemodem resellers are
cheaper/better than RoadRunner Broadband.

The humorous bit here is that all of these providers use the SAME PHYSICAL
EQUIPMENT, every bit run by TimeWarner. What are these alternative providers
actually providing? Cheaper rates? Better support?

Anyone have one of these alternative providers?

-- 
- Ian C. Blenke <icblenke@nks.net>

(This message bound by the following: http://www.nks.net/email_disclaimer.html)
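The log lines quoted at the top of this thread carry everything needed to tell the relay's broadcast replies apart from other dropped traffic: the 14-byte MAC= field is destination MAC, source MAC and EtherType (08:00 is IPv4), and SPT=67/DPT=68 to 255.255.255.255 is a server or relay answering on the broadcast. The following Python script is an added example for this archived discussion, not code from either poster. It parses iptables LOG lines into fields, decodes the MAC= field, classifies DHCP traffic, and reports which relay MACs and source addresses are responsible. The first two sample lines are the ones quoted in the post (rejoined onto single lines as syslog writes them); the third and fourth are constructed for contrast, and the OUI hint for 00:06:2a repeats the thread's identification rather than a full IEEE lookup.

```python
"""Classify iptables LOG lines and pick out DHCP relay broadcasts.

Added example for this mailing-list thread; not the posters' own code.
Lines 1-2 of SAMPLE_LOG are quoted from the thread, lines 3-4 are
constructed (a neighbour's DHCP DISCOVER and an unrelated TCP SYN).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 31 01:11:35 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=6537 PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 31 01:12:04 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:2a:c8:c4:54:08:00 SRC=10.99.64.1 DST=255.255.255.255 LEN=340 TOS=0x00 PREC=0x00 TTL=255 ID=6556 PROTO=UDP SPT=67 DPT=68 LEN=320
Oct 31 01:12:09 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c9:11:22:33:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 31 01:13:40 moshe kernel: DROP INPUT:IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4242 PROTO=TCP SPT=3210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Third part of the MAC= field is the EtherType; 0x0800 is IPv4.
ETHERTYPES = {"08:00": "IPv4", "08:06": "ARP", "86:dd": "IPv6"}
# Only the OUI the thread identifies; a real tool would load the IEEE list.
OUI_HINTS = {"00:06:2a": "Cisco (per the thread)"}


def parse_iptables_line(line):
    """Return the KEY=VALUE pairs of one iptables LOG line as a dict.

    LEN= appears twice (IP total length, then UDP length), so a repeated
    key gets a numeric suffix (LEN, LEN2) instead of overwriting.
    """
    if "IN=" not in line:
        return None
    rec = {}
    for key, val in FIELD_RE.findall(line):
        name, n = key, 2
        while name in rec:
            name = f"{key}{n}"
            n += 1
        rec[name] = val
    return rec


def decode_mac_field(mac_field):
    """Split the 14-octet MAC= field into dst MAC, src MAC and EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None  # e.g. 802.1Q-tagged frames log 18 octets
    ethertype = ":".join(octets[12:14])
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def classify(rec):
    """Label a parsed record by the kind of DHCP traffic it is, if any."""
    if rec.get("PROTO") != "UDP":
        return "other"
    ports = (rec.get("SPT"), rec.get("DPT"))
    mac = decode_mac_field(rec.get("MAC", "")) or {}
    if ports == ("67", "68") and mac.get("dst_mac") == BROADCAST_MAC:
        return "dhcp-server-broadcast"  # relay/server OFFER or ACK to all
    if ports == ("68", "67"):
        return "dhcp-client"  # DISCOVER/REQUEST from a neighbour
    if ports == ("67", "68"):
        return "dhcp-server-unicast"
    return "other"


def summarize(log_text):
    """Count each class and list the relay MACs sending broadcasts.

    Note: a server broadcast names the relay (src MAC / SRC=), not the
    neighbour it is answering; the client's MAC is only in the DHCP
    payload (chaddr), which the iptables LOG target does not record.
    """
    classes, relays, clients = Counter(), {}, set()
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        classes[kind] += 1
        mac = decode_mac_field(rec.get("MAC", ""))
        if kind == "dhcp-server-broadcast" and mac:
            oui = mac["src_mac"][:8]
            relays[mac["src_mac"]] = (rec.get("SRC"), OUI_HINTS.get(oui, "unknown OUI"))
        elif kind == "dhcp-client" and mac:
            clients.add(mac["src_mac"])
    return {"classes": dict(classes), "relays": relays, "client_macs": sorted(clients)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for kind, count in sorted(result["classes"].items()):
        print(f"{kind:24s} {count}")
    for mac, (src, vendor) in result["relays"].items():
        print(f"relay {mac} at {src}: {vendor}")
    print("client MACs seen:", ", ".join(result["client_macs"]))
```

Once the relay is identified, the fix the thread suggests is a rule ahead of the LOG rule so these frames are dropped silently, for example `iptables -I INPUT -i eth1 -p udp --sport 67 --dport 68 -d 255.255.255.255 -j DROP` (standard iptables syntax; the interface is the one the log names). Counting neighbours the way Ian describes needs the DHCP payload, i.e. a packet capture of UDP 67/68 rather than these log lines, since the LOG target records only the Ethernet and IP/UDP headers.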

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:19:15 EDT