iptables spoofed source address logs MYSTERY
ENV: F13, iptables-1.4.7-2.fc13.i686
I have a custom chain defined for logging. I get the following entry in my LOGSPOOFED chain every 3-5 seconds:
--------
Aug 22 05:17:20 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:32:e1:42:08:00 SRC=10.186.96.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57982 PROTO=UDP SPT=67 DPT=68 LEN=308
--------
While I understand that the FF:FF:FF MAC prefix is not a true device MAC address (i.e. FF:FF:FF is broadcast) and neither is the source IP, my question is what/where is the source of this entry. In other words, because I see this entry consistently day and night, 24x7, every 3-5 seconds, I don't think it's a person/hacker trying to get into my network. Instead I think it's some kind of local network/broadcast that is being done within my network. But then the question is why does the log entry show ETH0 (which is my public interface) as the entry point? Perplexed & Confused. Please help.
-itsecx
Thanks @ProtoformX.
I'll have to read up on the wireshark docs to get more finely tuned command-line arguments for the test. For now, I did a quick wireshark capture on eth0 (public). Here's the info on that:
------------
0.213869 Cadant_32:e1:42 -> Broadcast ARP Who has 65.190.41.36? Tell 65.190.32.1
0.301565 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xbe30dd98
0.000000 Cadant_32:e1:42 -> Broadcast ARP Who has 65.190.41.191? Tell 65.190.32.1
0.318550 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x91601506
-------------
Don't know how to fully/intelligently read the above other than it seems like a DHCP ACK. But the question still remains who/why/what/where -- HuDunIt!
-itsecx
Does your system get its public address via DHCP? That message is a DHCP offer message (most likely), and if you're on a network (like cable) where you get your address via DHCP, it's possible that this came in from the cable modem. Cable modem providers generally choose non-routable addresses on the internal link side. For instance, my cable modem uses a 192.168.x.y subnet internally. When my cable goes out, it provides my modem with a 192.168.x.y address (which also lets me communicate with the router and view the SNMP logs, etc). Just a theory though. You'll need to investigate your network when those packets arrive - which might mean letting wireshark run for a loooong time with a good capture filter.
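The log entry from the question can be checked mechanically. The Python below is an added example, not code from this thread: it parses the iptables LOG format, splits the MAC= field into destination MAC, source MAC and EtherType, and labels UDP 67 to 68 traffic sent to 255.255.255.255 at the broadcast MAC as a DHCP server broadcast rather than a spoofed source. The first sample line is the one quoted in the question; the second (a TCP SYN from a private address) is constructed so both verdicts are exercised. Note that the source MAC it pulls out, 00:01:5c:32:e1:42, is the same hardware wireshark displayed as Cadant_32:e1:42 in the capture above, so the log and the capture point at the same upstream device.

```python
import ipaddress
import re

# The first line is the entry quoted in the question; the second is a
# constructed TCP SYN with a private source so both branches are exercised.
SAMPLE_LOG = """\
Aug 22 05:17:20 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:32:e1:42:08:00 SRC=10.186.96.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57982 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 22 05:17:23 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:01:5c:32:e1:42:08:00 SRC=192.168.1.9 DST=65.190.41.36 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""
PREFIX_RE = re.compile(r"kernel: (\S+): ")   # the --log-prefix of the LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")        # KEY=VALUE pairs (OUT= is empty)

def parse_iptables_log(line):
    """Return the log prefix plus every KEY=VALUE field of one iptables LOG line.
    LEN appears twice (IP header, then UDP header); the second copy is kept as UDP_LEN."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group(1)}
    for key, val in FIELD_RE.findall(line[m.end():]):
        if key in fields:
            key = fields.get("PROTO", "L4") + "_" + key
        fields[key] = val
    return fields

def split_mac_field(mac):
    """MAC= holds dst MAC (6 octets), src MAC (6 octets) and the EtherType."""
    o = mac.split(":")
    return ":".join(o[:6]), ":".join(o[6:12]), "".join(o[12:])

def classify(fields):
    """DHCP server broadcast (UDP 67 -> 68 to 255.255.255.255 at ff:ff:ff:ff:ff:ff) or not."""
    dst_mac, _, _ = split_mac_field(fields.get("MAC", ""))
    if (fields.get("PROTO") == "UDP" and fields.get("SPT") == "67"
            and fields.get("DPT") == "68" and fields.get("DST") == "255.255.255.255"
            and dst_mac == "ff:ff:ff:ff:ff:ff"):
        return "dhcp-server-broadcast"
    if ipaddress.ip_address(fields.get("SRC", "0.0.0.0")).is_private:
        return "private-source"
    return "other"

def triage(log_text):
    """Classify each LOG line; returns (prefix, src MAC, src IP, verdict) tuples."""
    out = []
    for line in log_text.splitlines():
        f = parse_iptables_log(line)
        if f is not None:
            _, src_mac, _ = split_mac_field(f.get("MAC", ""))   # src MAC identifies the sender
            out.append((f["PREFIX"], src_mac, f.get("SRC"), classify(f)))
    return out
```

Once the DHCP chatter is identified this way, a rule matching that UDP 67 to 68 broadcast placed ahead of the jump to LOGSPOOFED keeps the chain's log limited to entries worth looking at.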
Here's a better sample of the capture:
---------
0.000000 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x4a0b0932
0.986152 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xd466f096
1.050872 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xd466f096
3.716274 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xdc5a124
5.739795 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xdc5a124
7.065753 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x275650
8.140605 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x275651
10.425477 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xc6b642c4
10.446224 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xe0a3dfa0
10.671829 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xcdf3a6b7
11.513824 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xe0a3dfa1
12.932461 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xe960cb0d
14.614849 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
22.865499 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x230d1176
23.613941 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
27.686350 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x883ba00
33.686745 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xb9244586
34.718883 Motorola_b2:c4:08 -> Broadcast ARP Who has 10.186.96.1? Tell 10.186.106.0
36.085554 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x87b68d69
41.595495 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x87b68d69
43.615194 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
56.626177 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
58.766165 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x4805a5de
65.613218 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
75.777199 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xc5611221
---------
So, it seems like there's a lot of DHCP related 'chatting/broadcasting' going on here with source IP 10.186.96.1. My public interface (eth0) only runs a DHCP client for a dynamic IP from my ISP. The internal interface runs a DHCP server. The server only listens on the internal (eth1) network. Question again: what/where is this mysterious IP (10.186.96.1) originating from?
-itsecx
You've given me another aspect to investigate. However, here are my thoughts (thus far):
- DHCP chat is on the public interface (eth0), so no internal network issue.
- The cable modem has a single (one) interface. Since my cable modem is ONLINE && my Linux router does get a publicly addressable IP from my ISP, I don't see how it is possible for the modem to simultaneously do DHCP "talk" about two completely separate networks (valid public IP and private IP).
-itsecx