LinuxQuestions.org
Old 08-22-2010, 05:33 AM   #1
itsecx@gmail.com
LQ Newbie
 
Registered: Aug 2010
Posts: 19

iptables spoofed source address logs MYSTERY


ENV: F13, iptables-1.4.7-2.fc13.i686

I have custom chain defined for logging. I get the following entry in my LOGSPOOFED chain every 3-5 seconds:
--------
Aug 22 05:17:20 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:32:e1:42:08:00 SRC=10.186.96.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57982 PROTO=UDP SPT=67 DPT=68 LEN=308
--------

While I understand that the FF:FF:FF MAC prefix is not a true device MAC address (i.e. FF:FF:FF is broadcast) and neither is the source IP, my question is: what/where is the source of this entry? In other words, because I see this entry consistently day and night, 24x7, every 3-5 seconds, I don't think it's a person/hacker trying to get into my network. Instead I think it's some kind of local network/broadcast that is being done within my network. But then the question is why does the log entry show ETH0 (which is my public interface) as the entry point?

Perplexed & Confused.

Please help.

-itsecx
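The LOG line in this post packs everything needed to triage it: the MAC= field is destination MAC, source MAC and EtherType, and the port pair says what the packet is. The following is an added example (my own, not code from the thread) that parses netfilter LOG lines in this format and labels the DHCP server broadcast separately from a genuinely spoofed private source arriving on the public interface. The sample input is constructed: the first line is the entry from the post, the other two are made-up contrast cases; the `eth0` public-interface name and the label strings are my assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample input: line 1 is the entry from post #1 verbatim; lines 2 and 3 are
# made up for contrast (a private source in a TCP SYN, then a public source).
SAMPLE_LOG = """\
Aug 22 05:17:20 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:32:e1:42:08:00 SRC=10.186.96.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=57982 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 22 05:17:25 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:01:5c:32:e1:42:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 22 05:17:30 securebot kernel: iptables.SPOOFED: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:01:5c:32:e1:42:08:00 SRC=65.190.32.1 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=4445 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=value fields.
    The first LEN= is the IP total length; the repeated LEN= (UDP length)
    is stored as LEN2. MAC= is split into destination MAC, source MAC
    and EtherType (6 + 6 + 2 bytes)."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if key in rec:
            key += '2'
        rec[key] = val
    mac = rec.get('MAC', '').split(':')
    if len(mac) == 14:
        rec['dst_mac'] = ':'.join(mac[0:6])
        rec['src_mac'] = ':'.join(mac[6:12])
        rec['ethertype'] = ':'.join(mac[12:14])
    return rec


def classify(rec, public_if='eth0'):
    """Label the packet. UDP 67 -> 68 to the limited broadcast address with a
    broadcast destination MAC is a DHCP server reply; any other private
    source seen on the public interface is a bogon worth dropping."""
    dhcp_reply = (rec.get('PROTO') == 'UDP' and rec.get('SPT') == '67'
                  and rec.get('DPT') == '68' and rec.get('DST') == '255.255.255.255')
    if dhcp_reply and rec.get('dst_mac') == 'ff:ff:ff:ff:ff:ff':
        return 'dhcp-server-broadcast'
    if rec.get('IN') == public_if and ip_address(rec['SRC']).is_private:
        return 'private-source-on-public-if'
    return 'other'


def directly_attached(rec):
    """A TTL still at a common initial value (64, 128 or 255) was never
    decremented by a router, so the sender sits on the same link as the
    interface that logged it."""
    return rec.get('TTL') in ('64', '128', '255')


def triage(log_text, public_if='eth0'):
    """Return (src, src_mac, verdict, same_link) for every LOG line."""
    rows = []
    for line in log_text.splitlines():
        if 'kernel:' not in line:
            continue
        rec = parse_log_line(line)
        rows.append((rec['SRC'], rec.get('src_mac'), classify(rec, public_if),
                     directly_attached(rec)))
    return rows


if __name__ == '__main__':
    for src, mac, verdict, local in triage(SAMPLE_LOG):
        print(f'{src:16} from {mac}  {verdict:28} same-link={local}')
```

For the post's own line the source MAC comes out as 00:01:5c:32:e1:42, the same station that the later Wireshark capture in this thread names Cadant_32:e1:42, and the untouched TTL of 64 says that station is on eth0's own segment rather than behind a router. If the only goal is to stop the LOGSPOOFED chain filling up, a rule matching `-i eth0 -p udp --sport 67 --dport 68 -d 255.255.255.255` placed before the jump to that chain keeps these out of the log without affecting the DHCP client on eth0, since dhclient reads its replies through a packet socket that netfilter's INPUT chain does not sit in front of.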
 
Old 08-22-2010, 08:03 AM   #2
ProtoformX
Member
 
Registered: Feb 2004
Location: Canada
Distribution: LFS SVN
Posts: 334

Quote:
Originally Posted by itsecx@gmail.com
Download Wireshark and log the layer 2 activity (MAC). As long as the traffic is within the router, the second packet you capture in Wireshark will reveal what MAC is broadcasting it. (It's in the first line of hex and is from 7 to 12 chars; the first 1 to 6 is your MAC.)
 
Old 08-23-2010, 11:52 AM   #3
itsecx@gmail.com
LQ Newbie
 
Registered: Aug 2010
Posts: 19

Original Poster
Thanks @ProtoformX.

I'll have to read up on the Wireshark docs to get more finely tuned command-line arguments for the test. For now, I did a quick Wireshark capture on eth0 (public). Here's the info on that:

------------
0.213869 Cadant_32:e1:42 -> Broadcast ARP Who has 65.190.41.36? Tell 65.190.32.1
0.301565 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xbe30dd98

0.000000 Cadant_32:e1:42 -> Broadcast ARP Who has 65.190.41.191? Tell 65.190.32.1
0.318550 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x91601506
-------------

Don't know how to fully/intelligently read the above other than it seems like a DHCP ACK. But the question still remains who/why/what/where -- HuDunIt!

-itsecx
 
Old 08-23-2010, 12:02 PM   #4
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Does your system get its public address via DHCP? That message is a DHCP offer message (most likely), and if you're on a network (like cable) where you get your address via DHCP, it's possible that this came in from the cable modem. Cable modem providers generally choose non-routable addresses on the internal link side. For instance, my cable modem uses a 192.168.x.y subnet internally. When my cable goes out, it provides my modem with a 192.168.x.y address (which also lets me communicate with the router and view the SNMP logs, etc). Just a theory though. You'll need to investigate your network when those packets arrive - which might mean letting Wireshark run for a loooong time with a good capture filter.
 
Old 08-23-2010, 12:10 PM   #5
itsecx@gmail.com
LQ Newbie
 
Registered: Aug 2010
Posts: 19

Original Poster
Here's a better sample of the capture:
---------
0.000000 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x4a0b0932
0.986152 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xd466f096
1.050872 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xd466f096
3.716274 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xdc5a124
5.739795 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xdc5a124
7.065753 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x275650
8.140605 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x275651
10.425477 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xc6b642c4
10.446224 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xe0a3dfa0
10.671829 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xcdf3a6b7
11.513824 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xe0a3dfa1
12.932461 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xe960cb0d
14.614849 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
22.865499 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x230d1176
23.613941 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
27.686350 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x883ba00
33.686745 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xb9244586
34.718883 Motorola_b2:c4:08 -> Broadcast ARP Who has 10.186.96.1? Tell 10.186.106.0
36.085554 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x87b68d69
41.595495 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x87b68d69
43.615194 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
56.626177 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
58.766165 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x4805a5de
65.613218 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
75.777199 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xc5611221
---------
So, it seems like there's a lot of DHCP-related 'chatting/broadcasting' going on here, with the source IP being 10.186.96.1.

My public interface (eth0) only runs DHCP client for dynamic IP from my ISP. Internal interface runs DHCP Server. The server only listens on the internal (eth1) network.

Question again: what/where is this mysterious IP (10.186.96.1) originating from?

-itsecx
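The capture above answers more than it looks like it does: the unicast Requests from 174.97.215.192 to 10.186.96.1 show that other hosts reachable on eth0's segment treat 10.186.96.1 as their DHCP server, and the Offer/ACK pairs sharing a transaction ID show it actually completing leases. As an added example (my own code, not from the thread), here is a small summarizer for Wireshark/tshark summary lines in this format that tallies who acts as server and who acts as client, which transaction IDs complete, and which client requests get no ACK visible on this link. The input is an excerpt of the lines from this post, embedded as constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: an excerpt of the tshark summary lines from post #5.
CAPTURE = """\
0.000000 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x4a0b0932
0.986152 10.186.96.1 -> 255.255.255.255 DHCP DHCP Offer - Transaction ID 0xd466f096
1.050872 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0xd466f096
14.614849 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
23.613941 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
34.718883 Motorola_b2:c4:08 -> Broadcast ARP Who has 10.186.96.1? Tell 10.186.106.0
43.615194 174.97.215.192 -> 10.186.96.1 DHCP DHCP Request - Transaction ID 0xe0e15d78
58.766165 10.186.96.1 -> 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x4805a5de
"""

DHCP_RE = re.compile(r'^(?P<t>\S+) (?P<src>\S+) -> (?P<dst>\S+) DHCP DHCP (?P<kind>\w+)'
                     r' - Transaction ID (?P<xid>0x[0-9a-fA-F]+)$')
ARP_RE = re.compile(r'^(?P<t>\S+) (?P<src>\S+) -> (?P<dst>\S+) ARP (?P<info>.+)$')


def parse_capture(text):
    """Parse summary lines into dicts; lines in neither format are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DHCP_RE.match(line)
        if m:
            records.append({'proto': 'DHCP', **m.groupdict()})
            continue
        m = ARP_RE.match(line)
        if m:
            records.append({'proto': 'ARP', **m.groupdict()})
    return records


def summarize(records):
    """Roles and transaction state visible in the capture:
    servers send Offer/ACK, clients send Discover/Request; a transaction
    ID seen with both an Offer and an ACK is a completed lease, and a
    Request whose ID never gets an ACK on this link is unanswered here."""
    by_type = Counter()
    xid_kinds = defaultdict(set)
    request_counts = Counter()
    servers, clients = set(), set()
    for r in records:
        if r['proto'] != 'DHCP':
            continue
        by_type[(r['src'], r['kind'])] += 1
        xid_kinds[r['xid']].add(r['kind'])
        if r['kind'] in ('Offer', 'ACK'):
            servers.add(r['src'])
        elif r['kind'] in ('Discover', 'Request'):
            clients.add(r['src'])
            request_counts[r['xid']] += 1
    completed = {x for x, kinds in xid_kinds.items() if {'Offer', 'ACK'} <= kinds}
    unanswered = {x: n for x, n in request_counts.items() if 'ACK' not in xid_kinds[x]}
    return {
        'by_type': by_type,
        'servers': servers,
        'clients': clients,
        'completed_xids': completed,
        'unanswered_requests': unanswered,
        'arp_lines': sum(1 for r in records if r['proto'] == 'ARP'),
    }


if __name__ == '__main__':
    s = summarize(parse_capture(CAPTURE))
    print('DHCP servers seen :', sorted(s['servers']))
    print('DHCP clients seen :', sorted(s['clients']))
    print('completed leases  :', sorted(s['completed_xids']))
    print('unanswered xids   :', s['unanswered_requests'])
    for (src, kind), n in sorted(s['by_type'].items()):
        print(f'{src:16} {kind:8} x{n}')
```

Running it over the full listing in the post gives one server (10.186.96.1), one client address that is a public one (174.97.215.192), and repeated Requests with the same transaction ID and no matching ACK, which is the retry pattern of a client whose answer is not being seen on this capture point. None of that requires the traffic to originate from your own LAN; it only requires that eth0 share a link segment with those hosts.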
 
Old 08-23-2010, 12:42 PM   #6
itsecx@gmail.com
LQ Newbie
 
Registered: Aug 2010
Posts: 19

Original Poster
Quote:
Originally Posted by orgcandman
Thanks for your input @orgcandman.

You've given me another aspect to investigate. However, here are my thoughts (thus far):
- DHCP chat on public interface (eth0), so no internal network issue.
- Cable modem has a single (one) interface. Since my cable modem is ONLINE && my Linux router does get a publicly addressable IP from my ISP, I don't see how it is possible for the modem to simultaneously do DHCP "talk" about two completely separate networks (valid public IP and private IP).

-itsecx
 