LinuxQuestions.org

Linux - Security: iptables spoofed source address logs MYSTERY (http://www.linuxquestions.org/questions/linux-security-4/iptables-spoofed-source-address-logs-mystery-827762/)

itsecx@gmail.com 08-22-2010 05:33 AM

iptables spoofed source address logs MYSTERY
 
ENV: F13, iptables-1.4.7-2.fc13.i686

I have a custom chain defined for logging. I get the following entry in my LOGSPOOFED chain every 3-5 seconds:
--------
Aug 22 05:17:20 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:32:e1:42:08:00 SRC=10.186.96.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57982 PROTO=UDP SPT=67 DPT=68 LEN=308
--------

While I understand that the FF:FF:FF MAC prefix is not a true device MAC address (i.e. FF:FF:FF is broadcast) and neither is the source IP, my question is what/where is the source of this entry. In other words, because I see this entry consistently day and night 24x7 every 3-5 seconds, I don't think it's a person/hacker trying to get into my network. Instead I think it's some kind of local network/broadcast that is being done within my network. But then the question is why does the log entry show ETH0 (which is my public interface) as the entry point?

Perplexed & Confused.

Please help.

-itsecx
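The log line above packs three things into its MAC= field: the destination MAC (first six octets), the source MAC (next six) and the EtherType (last two), because iptables LOG prints the raw Ethernet header. The small parser below, added here as an example and not part of the original post or of any LinuxQuestions.org poster's code, splits the quoted line into its fields, decodes that MAC field and classifies the packet. The sample line is copied from the post; the classification strings are my own naming.

```python
import ipaddress
import re

# Constructed sample: the iptables LOG line quoted in the post above, verbatim.
SAMPLE = ("Aug 22 05:17:20 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:01:5c:32:e1:42:08:00 SRC=10.186.96.1 "
          "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57982 "
          "PROTO=UDP SPT=67 DPT=68 LEN=308")

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict.

    The --log-prefix text between 'kernel:' and 'IN=' is stored under 'prefix'.
    LEN= appears twice (IP total length, then the UDP length); the second copy
    is stored as UDP_LEN so neither value is lost.
    """
    idx = line.find("IN=")
    if idx < 0:
        raise ValueError("not an iptables LOG line")
    fields = {}
    for key, val in KV_RE.findall(line[idx:]):
        if key in fields:
            key = "UDP_" + key
        fields[key] = val
    m = re.search(r"kernel: (.*?)\s*IN=", line)
    fields["prefix"] = m.group(1).strip() if m else ""
    return fields


def split_mac_field(mac):
    """Split the 14-octet MAC= field: dst MAC (6), src MAC (6), EtherType (2)."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field length %d" % len(octets))
    return {"dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}


def classify(fields):
    """Return human-readable notes describing what the logged packet is."""
    mac = split_mac_field(fields["MAC"])
    src = ipaddress.ip_address(fields["SRC"])
    notes = []
    if mac["dst_mac"] == "ff:ff:ff:ff:ff:ff" and fields["DST"] == "255.255.255.255":
        notes.append("link-layer and IP broadcast")
    if fields.get("PROTO") == "UDP" and fields.get("SPT") == "67" and fields.get("DPT") == "68":
        notes.append("DHCP server-to-client (bootps -> bootpc)")
    if src.is_private:
        notes.append("RFC 1918 source %s" % src)
    # The source MAC is the only field that names the actual sender on the segment.
    notes.append("sent by MAC %s" % mac["src_mac"])
    return notes


if __name__ == "__main__":
    f = parse_log_line(SAMPLE)
    print(f["prefix"], "on", f["IN"])
    print(split_mac_field(f["MAC"]))
    for n in classify(f):
        print(" -", n)
```

For the quoted line the source MAC comes out as 00:01:5c:32:e1:42, the same station that the later Wireshark capture in this thread shows as Cadant_32:e1:42 answering ARP for 65.190.32.1; that MAC, not the spoofable source IP, is what to search for when locating the sender.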

ProtoformX 08-22-2010 08:03 AM

Quote:

Originally Posted by itsecx@gmail.com (Post 4073912)

Download wireshark and log the layer 2 activity (MAC). As long as the traffic is within the router, the second packet you capture in wireshark will reveal what MAC is broadcasting it. (It's in the first line of hex and is from 7 to 12 chars; the first 1 to 6 is your MAC.)

itsecx@gmail.com 08-23-2010 11:52 AM

Thanks @ProtoformX.

I'll have to read up wireshark docs to get a more finely tuned command-line arguments for the test. For now, I did a quick wireshark capture on eth0 (public). Here's the info on that:

------------
0.213869 Cadant_32:e1:42 -> Broadcast ARP Who has 65.190.41.36? Tell 65.190.32.1
0.301565 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xbe30dd98

0.000000 Cadant_32:e1:42 -> Broadcast ARP Who has 65.190.41.191? Tell 65.190.32.1
0.318550 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x91601506
-------------

Don't know how to fully/intelligently read the above other than it seems like a DHCP ACK. But the question still remains who/why/what/where -- HuDunIt!

-itsecx

orgcandman 08-23-2010 12:02 PM

Does your system get its public address via dhcp? That message is a dhcp offer message (most likely) and if you're on a network (like cable) where you get your address via dhcp, it's possible that this came in from the cable modem. Cable modem providers generally choose non-routable addresses on the internal link side. For instance, my cable modem uses a 192.168.x.y subnet internally. When my cable goes out, it provides my modem with a 192.168.x.y address (which also lets me communicate with the router and view the SNMP logs, etc). Just a theory though. You'll need to investigate your network when those packets arrive - which might mean letting wireshark run for a loooong time with a good capture filter.

itsecx@gmail.com 08-23-2010 12:10 PM

Here's a better sample of the capture:
---------
0.000000 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x4a0b0932
0.986152 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xd466f096
1.050872 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xd466f096
3.716274 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xdc5a124
5.739795 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xdc5a124
7.065753 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x275650
8.140605 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x275651
10.425477 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xc6b642c4
10.446224 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xe0a3dfa0
10.671829 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xcdf3a6b7
11.513824 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xe0a3dfa1
12.932461 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xe960cb0d
14.614849 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
22.865499 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x230d1176
23.613941 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
27.686350 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x883ba00
33.686745 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xb9244586
34.718883 Motorola_b2:c4:08 -> Broadcast ARP Who has 10.186.96.1? Tell 10.186.106.0
36.085554 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x87b68d69
41.595495 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x87b68d69
43.615194 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
56.626177 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
58.766165 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x4805a5de
65.613218 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
75.777199 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xc5611221
---------
So, it seems like there's a lot of DHCP related 'chatting/broadcasting' going on here with source IP to be 10.186.96.1.

My public interface (eth0) only runs DHCP client for dynamic IP from my ISP. Internal interface runs DHCP Server. The server only listens on the internal (eth1) network.

Question again what/where is this mysterious IP (10.186.96.1) originating from?

-itsecx
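The Wireshark summary lines above only show message type and transaction ID. To answer "where does 10.186.96.1 come from", the fields to read inside each DHCP message are the server identifier (option 54), siaddr, and giaddr: giaddr is filled in by a DHCP relay agent (RFC 2131), and option 82 carries relay agent information (RFC 3046), so a non-zero giaddr or an option 82 tells you the packet was injected by a relay rather than by a server directly on the link. The decoder below is an added example, not code from the thread or from Wireshark; the DHCPOFFER it decodes is constructed inline (the 192.0.2.10 offered address and the all-zero client MAC are placeholders), and the `origin` wording is my own.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_offer(xid, yiaddr, server_id, client_mac, giaddr="0.0.0.0", hops=0):
    """Build a minimal DHCPOFFER. Constructed test data, not a captured packet."""
    flags = 0x8000                                   # broadcast flag set, as in the capture
    header = struct.pack(
        HEADER_FMT, 2, 1, 6, hops, xid, 0, flags,
        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_id),
        socket.inet_aton(giaddr), client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 2])                                 # message type: OFFER
               + bytes([54, 4]) + socket.inet_aton(server_id)   # server identifier
               + bytes([51, 4]) + struct.pack("!I", 86400)      # lease time
               + bytes([255]))                                  # end
    return header + MAGIC + options


def parse_dhcp(pkt):
    """Decode the BOOTP header and TLV options of a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, hops, xid, _secs, flags, _ciaddr, yiaddr, siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, pkt[:236])
    info = {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": "0x%x" % xid,
        "hops": hops,
        "broadcast_flag": bool(flags & 0x8000),
        "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr),
        "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                              # end option
            break
        if code == 0:                                # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        info["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    opts = info["options"]
    if 53 in opts:
        info["msg_type"] = MSG_TYPES.get(opts[53][0], "unknown")
    if 54 in opts:
        info["server_id"] = socket.inet_ntoa(opts[54])
    if 82 in opts:
        info["relay_agent_info"] = opts[82].hex()
    return info


def origin(info):
    """Say whether the message reached this link directly or through a relay."""
    server = info.get("server_id", info["siaddr"])
    if info["giaddr"] != "0.0.0.0" or 82 in info["options"]:
        return "relayed via %s (hops=%d) from server %s" % (info["giaddr"], info["hops"], server)
    return "direct on link from server %s" % server


if __name__ == "__main__":
    pkt = build_offer(0x4a0b0932, "192.0.2.10", "10.186.96.1", bytes.fromhex("000000000001"))
    info = parse_dhcp(pkt)
    print(info["msg_type"], info["xid"], "->", origin(info))
```

To feed real packets in, capture them with `tcpdump -i eth0 -n -e 'udp port 67 or udp port 68' -w dhcp.pcap` (the `-e` flag also prints the source MAC on the console) and pass the UDP payload of each frame to `parse_dhcp`.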

itsecx@gmail.com 08-23-2010 12:42 PM

Quote:

Originally Posted by orgcandman (Post 4075182)

Thanks for your input @orgcandman.

You've given me another aspect to investigate. However, here are my thoughts (thus far):
- DHCP chat is on the public interface (eth0), so no internal network issue.
- Cable modem has a single (one) interface. Since my cable modem is ONLINE && my Linux router does get a publicly addressable IP from my ISP, I don't see how it is possible for the modem to simultaneously do DHCP "talk" about two completely separate networks (valid public IP and private IP).

-itsecx
