FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 08-17-2012, 02:01 AM
fred smith
 
Default OT: what are all these probes from my firewall log????

I'm getting a gazillion of these probes in my firewall logs. I don't
understand what's going on here,... These all look like bootp requests
from 10.21.72.1, to 255.255.255.255.

there's certainly no 10.x.x.x here on this network, and I don't get the
destination address... is it possible to send packets out onto the
internet addressed like that?

whois doesn't turn up anything on 10.21.72.1.

Anybody got suggestions on how I'd track this down?

Thanks!


Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:46 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34102 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:16:00 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34114 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:16:40 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34139 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:16:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34149 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:16:47 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34152 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:17:05 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34175 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:07 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34178 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34181 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34183 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:16 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34188 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:17:49 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34210 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:27 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=411 TOS=0x00 PREC=0x00 TTL=255 ID=34243 PROTO=UDP <1>SPT=67 DPT=68 LEN=391
Aug 16 21:18:27 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=411 TOS=0x00 PREC=0x00 TTL=255 ID=34248 PROTO=UDP <1>SPT=67 DPT=68 LEN=391
Aug 16 21:18:31 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34253 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34255 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34257 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34259 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:18:41 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34271 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:50 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34280 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:19:11 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34293 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:19:12 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34295 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:19:42 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34306 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:19:51 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34315 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:20:53 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34359 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:21:04 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34361 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:21:25 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34385 PROTO=UDP <1>SPT=67 DPT=68 LEN=328
--
---- Fred Smith -- fredex@fcshome.stoneham.ma.us -----------------------------
"For him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy--to the only God our Savior
be glory, majesty, power and authority, through Jesus Christ our Lord, before
all ages, now and forevermore! Amen."
----------------------------- Jude 1:24,25 (niv) -----------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 03:27 AM
John R Pierce
 
Default OT: what are all these probes from my firewall log????

On 08/16/12 7:01 PM, fred smith wrote:
> I'm getting a gazillion of these probes in my firewall logs. I don't
> understand what's going on here,... These all look like bootp requests
> from 10.21.72.1, to 255.255.255.255.
>
> there's certainly no 10.x.x.x here on this network, and I don't get the
> destination address... is it possible to send packets out onto the
> internet addressed like that?
>
> whois doesn't turn up anything on 10.21.72.1.
>
> Anybody got suggestions on how I'd track this down?
>
> Thanks!
>
>
> Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> ....

that looks like DHCP requests. maybe there's some piece of network gear
on your gateway LAN thats trying to get autoconfigured?.






--
john r pierce N 37, W 122
santa cruz ca mid-left coast

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 04:06 AM
fred smith
 
Default OT: what are all these probes from my firewall log????

On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
> On 08/16/12 7:01 PM, fred smith wrote:
> > I'm getting a gazillion of these probes in my firewall logs. I don't
> > understand what's going on here,... These all look like bootp requests
> > from 10.21.72.1, to 255.255.255.255.
> >
> > there's certainly no 10.x.x.x here on this network, and I don't get the
> > destination address... is it possible to send packets out onto the
> > internet addressed like that?
> >
> > whois doesn't turn up anything on 10.21.72.1.
> >
> > Anybody got suggestions on how I'd track this down?
> >
> > Thanks!
> >
> >
> > Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> > Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> > Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> > ....
>
> that looks like DHCP requests. maybe there's some piece of network gear
> on your gateway LAN thats trying to get autoconfigured?.

John, I'm willing to believe that, but I don't know where it would be
coming from... not to mention that 10.x.x.x isn't valid on my LAN,
it's in the 192.168.x.x range. I guess I could go around disconnecting
things and see where it's coming from. other than some PCs, there is a
networked printer, a LaCie RAID-1 network storage box, and a Television,
which is allegedly turned off (but as we all know you don't turn them
off, really, at least some part is still "on"). last time I looked at
the TV config it was properly configured in 192.168.x.x, but perhaps
I should go downstairs and take another look.

... no, it's not the tv, I just unplugged its cat5 from the jack and
the issue didn't stop.

weird.

hmm... just did traceroute 10.21.72.1 and it comes back as being a
system at my ISP. that doesn't seem right to me. they shouldn't be
broadcaasting such stuff, as far as I know, at least.

Any other thoughts?
>
>
>
>
>
>
> --
> john r pierce N 37, W 122
> santa cruz ca mid-left coast
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
-------------------------------------------------------------------------------
Under no circumstances will I ever purchase anything offered to me as
the result of an unsolicited e-mail message. Nor will I forward chain
letters, petitions, mass mailings, or virus warnings to large numbers
of others. This is my contribution to the survival of the online
community.
--Roger Ebert, December, 1996
----------------------------- The Boulder Pledge -----------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 04:20 AM
John R Pierce
 
Default OT: what are all these probes from my firewall log????

On 08/16/12 9:06 PM, fred smith wrote:
> On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
>> On 08/16/12 7:01 PM, fred smith wrote:
>>> I'm getting a gazillion of these probes in my firewall logs. I don't
>>> understand what's going on here,... These all look like bootp requests
>>> from 10.21.72.1, to 255.255.255.255.
>>>
>>> there's certainly no 10.x.x.x here on this network, and I don't get the
>>> destination address... is it possible to send packets out onto the
>>> internet addressed like that?
>>>
>>> whois doesn't turn up anything on 10.21.72.1.
>>>
>>> Anybody got suggestions on how I'd track this down?
>>>
>>> Thanks!
>>>
>>>
>>> Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
>>> Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
>>> Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
>>> ....
>> that looks like DHCP requests. maybe there's some piece of network gear
>> on your gateway LAN thats trying to get autoconfigured?.
> John, I'm willing to believe that, but I don't know where it would be
> coming from... not to mention that 10.x.x.x isn't valid on my LAN,
> it's in the 192.168.x.x range. I guess I could go around disconnecting
> things and see where it's coming from. other than some PCs, there is a
> networked printer, a LaCie RAID-1 network storage box, and a Television,
> which is allegedly turned off (but as we all know you don't turn them
> off, really, at least some part is still "on"). last time I looked at
> the TV config it was properly configured in 192.168.x.x, but perhaps
> I should go downstairs and take another look.
>
> ... no, it's not the tv, I just unplugged its cat5 from the jack and
> the issue didn't stop.
>
> weird.
>
> hmm... just did traceroute 10.21.72.1 and it comes back as being a
> system at my ISP. that doesn't seem right to me. they shouldn't be
> broadcaasting such stuff, as far as I know, at least.
>
> Any other thoughts?
>


the MAC address prefix on that DHCP thing is 00:23:EB which is
Cisco... and yes, ISP's frequently use private IP space for internal
gateway networks. they aren't routable on the public internet, they
don't have to be, they are just used for routes within the ISP's WAN.

this is on your eth0 side, I'm assuming thats the WAN side of your
firewall/gateway ? if so, then yes, I imagine its something at your
ISP, you might ask them what these are.






--
john r pierce N 37, W 122
santa cruz ca mid-left coast

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 04:24 AM
Bobby
 
Default OT: what are all these probes from my firewall log????

On 08/17/2012 12:20 AM, John R Pierce wrote:

> the MAC address prefix on that DHCP thing is 00:23:EB which is
> Cisco... and yes, ISP's frequently use private IP space for internal
> gateway networks. they aren't routable on the public internet, they
> don't have to be, they are just used for routes within the ISP's WAN.

Yup looks like the ISP is checking to see who's on.

--
Bobby
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 05:01 AM
fred smith
 
Default OT: what are all these probes from my firewall log????

On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:
> On 08/16/12 9:06 PM, fred smith wrote:
> > On Thu, Aug 16, 2012 at 08:27:27PM -0700, John R Pierce wrote:
> >> On 08/16/12 7:01 PM, fred smith wrote:
> >>> I'm getting a gazillion of these probes in my firewall logs. I don't
> >>> understand what's going on here,... These all look like bootp requests
> >>> from 10.21.72.1, to 255.255.255.255.
> >>>
> >>> there's certainly no 10.x.x.x here on this network, and I don't get the
> >>> destination address... is it possible to send packets out onto the
> >>> internet addressed like that?
> >>>
> >>> whois doesn't turn up anything on 10.21.72.1.
> >>>
> >>> Anybody got suggestions on how I'd track this down?
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> >>> Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> >>> Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> >>> ....
> >> that looks like DHCP requests. maybe there's some piece of network gear
> >> on your gateway LAN thats trying to get autoconfigured?.
> > John, I'm willing to believe that, but I don't know where it would be
> > coming from... not to mention that 10.x.x.x isn't valid on my LAN,
> > it's in the 192.168.x.x range. I guess I could go around disconnecting
> > things and see where it's coming from. other than some PCs, there is a
> > networked printer, a LaCie RAID-1 network storage box, and a Television,
> > which is allegedly turned off (but as we all know you don't turn them
> > off, really, at least some part is still "on"). last time I looked at
> > the TV config it was properly configured in 192.168.x.x, but perhaps
> > I should go downstairs and take another look.
> >
> > ... no, it's not the tv, I just unplugged its cat5 from the jack and
> > the issue didn't stop.
> >
> > weird.
> >
> > hmm... just did traceroute 10.21.72.1 and it comes back as being a
> > system at my ISP. that doesn't seem right to me. they shouldn't be
> > broadcaasting such stuff, as far as I know, at least.
> >
> > Any other thoughts?
> >
>
>
> the MAC address prefix on that DHCP thing is 00:23:EB which is
> Cisco... and yes, ISP's frequently use private IP space for internal
> gateway networks. they aren't routable on the public internet, they
> don't have to be, they are just used for routes within the ISP's WAN.
>
> this is on your eth0 side, I'm assuming thats the WAN side of your
> firewall/gateway ? if so, then yes, I imagine its something at your
> ISP, you might ask them what these are.

Yup, that's the WAN side of the router. I'll go yell at them, probably
tomorrow.

thanks guys!

--
---- Fred Smith -- fredex@fcshome.stoneham.ma.us -----------------------------
"And he will be called Wonderful Counselor, Mighty God, Everlasting Father,
Prince of Peace. Of the increase of his government there will be no end. He
will reign on David's throne and over his kingdom, establishing and upholding
it with justice and righteousness from that time on and forever."
------------------------------- Isaiah 9:7 (niv) ------------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 06:05 AM
Keith Roberts
 
Default OT: what are all these probes from my firewall log????

On Fri, 17 Aug 2012, fred smith wrote:
*snip*

> hmm... just did traceroute 10.21.72.1 and it comes back as being a
> system at my ISP. that doesn't seem right to me. they shouldn't be
> broadcaasting such stuff, as far as I know, at least.
>
> Any other thoughts?

Any network problems, I run Wireshark network analyser in
GUI mode. It helps identify issues on the network with
meaningfull error and warning messages.

HTH

Keith

-----------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-17-2012, 06:09 AM
John R Pierce
 
Default OT: what are all these probes from my firewall log????

On 08/16/12 9:24 PM, Bobby wrote:
> On 08/17/2012 12:20 AM, John R Pierce wrote:
>
>> >the MAC address prefix on that DHCP thing is 00:23:EB which is
>> >Cisco... and yes, ISP's frequently use private IP space for internal
>> >gateway networks. they aren't routable on the public internet, they
>> >don't have to be, they are just used for routes within the ISP's WAN.
> Yup looks like the ISP is checking to see who's on.


you might just try something like...

tcpdump -i eth0 -w udpdump.txt udp port 67 or udp port 68

and let that run for a few minutes, long enough to capture a few of
these packets, then ctl-C it, and take that dumpfile and load it into
wireshark (can do that on any system wireshark runs on) and see what it
decodes the dhcp packets to actually be.

for instance, this is a DHCP 'renew' request (from the LAN side of my
gateway)...

# tcpdump -i eth1 -vvv -n udp port 67 or udp port 68
tcpdump: listening on eth1
21:46:46.009596 192.168.0.136.bootpc > 192.168.0.1.bootps:
xid:0x9fb275f6 C:192.168.0.136 [|bootp] (ttl 128, id 31970, len 339)
21:46:46.013544 192.168.0.1.bootps > 192.168.0.136.bootpc:
xid:0x9fb275f6 C:192.168.0.136 Y:192.168.0.136 S:192.168.0.1 [|bootp]
(ttl 64, id 16362, len 328)

2 packets received by filter
0 packets dropped by kernel


wireshark will do a much better job explaining the packets than tcpdump
does.



--
john r pierce N 37, W 122
santa cruz ca mid-left coast

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-18-2012, 03:18 AM
Devin Reade
 
Default OT: what are all these probes from my firewall log????

fred smith <fredex@fcshome.stoneham.ma.us> wrote:
> On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:

>> this is on your eth0 side, I'm assuming thats the WAN side of your
>> firewall/gateway ? if so, then yes, I imagine its something at your
>> ISP, you might ask them what these are.
>
> Yup, that's the WAN side of the router. I'll go yell at them, probably
> tomorrow.

I wouldn't bother.

Depending on the demarc equipment used by your ISP and how they have
their network configured, you can wind up seeing this kind of crap
and there's bugger-all that you can do about it

For example, with a cable modem, your assigned upstream segment
might be network-A, but other people in your neighborhood might be
on network-B, both serviced by the same RF carrier. You shouldn't
see unicast traffic for your neighbors, but you could very well see
broadcast (and dhcp is the most likely culprit). I know of a
particular case where the ISP will assign statics out of one pool,
dynamic IPs out of the other pool, a single modem will service
machines out of both pools, and therefore you also see broadcast
out of both pools.

This isn't specific to cable. With both cable and DSL providers
I've seen both the only-see-your-own-traffic situation and the
see-your-neighbors-broadcast situation. It all depends on the
equipment and the configuration. And when I mean configuration,
I'm talking about for everyone in your node, if not for your
whole city. So it's unlikely that your ISP will change it just
for you.

But if you still want to call them, fill your boots ...

Devin
--
He is a prime candidate for natural deselection.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-18-2012, 05:08 AM
fred smith
 
Default OT: what are all these probes from my firewall log????

On Fri, Aug 17, 2012 at 09:18:01PM -0600, Devin Reade wrote:
> fred smith <fredex@fcshome.stoneham.ma.us> wrote:
> > On Thu, Aug 16, 2012 at 09:20:52PM -0700, John R Pierce wrote:
>
> >> this is on your eth0 side, I'm assuming thats the WAN side of your
> >> firewall/gateway ? if so, then yes, I imagine its something at your
> >> ISP, you might ask them what these are.
> >
> > Yup, that's the WAN side of the router. I'll go yell at them, probably
> > tomorrow.
>
> I wouldn't bother.

thanks for the info. I didn't really expect to get any swift action,
I kinda figured "it is what it is, like it or lump it" would be their
response. but I still might drop them an email with some log excerpts
just to see how they respond. I'm retired, I have plenty of time!

>
> Depending on the demarc equipment used by your ISP and how they have
> their network configured, you can wind up seeing this kind of crap
> and there's bugger-all that you can do about it
>
> For example, with a cable modem, your assigned upstream segment
> might be network-A, but other people in your neighborhood might be
> on network-B, both serviced by the same RF carrier. You shouldn't
> see unicast traffic for your neighbors, but you could very well see
> broadcast (and dhcp is the most likely culprit). I know of a
> particular case where the ISP will assign statics out of one pool,
> dynamic IPs out of the other pool, a single modem will service
> machines out of both pools, and therefore you also see broadcast
> out of both pools.
>
> This isn't specific to cable. With both cable and DSL providers
> I've seen both the only-see-your-own-traffic situation and the
> see-your-neighbors-broadcast situation. It all depends on the
> equipment and the configuration. And when I mean configuration,
> I'm talking about for everyone in your node, if not for your
> whole city. So it's unlikely that your ISP will change it just
> for you.
>
> But if you still want to call them, fill your boots ...
>
> Devin
> --
> He is a prime candidate for natural deselection.
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
---- Fred Smith -- fredex@fcshome.stoneham.ma.us -----------------------------
"For him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy--to the only God our Savior
be glory, majesty, power and authority, through Jesus Christ our Lord, before
all ages, now and forevermore! Amen."
----------------------------- Jude 1:24,25 (niv) -----------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 12:22 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org