LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-27-2003, 05:03 AM   #1
detest
LQ Newbie
 
Registered: Apr 2003
Posts: 3

Rep: Reputation: 0
Spoofed ips?? Attacked??


I'm running a firewall and lately I'm seeing hundreds of dropped packets being logged in my /var/log/messages file. Can anyone help me figure out what these packets are?

The server IP is not 192.168.x.x. There is no local network; the server is connected directly to the net. Are these packets spoofed, and am I being attacked?


Apr 27 01:44:21 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.203 DST=255.255.255.255 LEN=232 TOS=0x00 PREC=0x00 TTL=128 ID=53117 PROTO=UDP SPT=138 DPT=138 LEN=212
Apr 27 01:46:45 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.201 DST=255.255.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=14796 PROTO=UDP SPT=138 DPT=138 LEN=221
Apr 27 01:48:58 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.200 DST=255.255.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=16691 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 27 01:49:17 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.203 DST=255.255.255.255 LEN=232 TOS=0x00 PREC=0x00 TTL=128 ID=54809 PROTO=UDP SPT=138 DPT=138 LEN=212
Apr 27 01:58:48 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.201 DST=255.255.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=32439 PROTO=UDP SPT=138 DPT=138 LEN=221
Apr 27 01:59:53 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.201 DST=255.255.255.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=33914 PROTO=UDP SPT=138 DPT=138 LEN=182
Apr 27 01:59:57 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.201 DST=255.255.255.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=34026 PROTO=UDP SPT=138 DPT=138 LEN=182
Apr 27 02:00:01 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.201 DST=255.255.255.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=34147 PROTO=UDP SPT=138 DPT=138 LEN=182
Apr 27 02:10:49 hostname kernel: UDP drop IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.201 DST=255.255.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=50148 PROTO=UDP SPT=138 DPT=138 LEN=221
 
Old 04-27-2003, 10:10 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
SRC=192.168.2.201: "non-routable" address: for usage in private networks (IANA or http://www.cymru.com/Documents/bogon-dd.html)
DST=255.255.255.255: broadcast address (similar to the 224.0.0.0/8 for IGMP).

I'm guesstimating, based on SRC + DST, any slightly sane and "default" firewall script would drop these packets.
 
Old 04-27-2003, 11:12 AM   #3
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148
Is eth0 an internal interface? If yes, it may be a wrongly configured machine (but there are 3 different IPs). If it's your Net connection, you can't do much about it; they need to be dropped.
 
Old 04-27-2003, 05:35 PM   #4
detest
LQ Newbie
 
Registered: Apr 2003
Posts: 3

Original Poster
Rep: Reputation: 0
I know the 192.168.x.x are private IP addresses and I'm glad the firewall is dropping them. What's boggling me is why there are packets originating from 192.168.x.x when my IP address is not even in the 192.168.x.x range. The server has been up for weeks and this started only a few days ago.

The network settings haven't been modified. It is whatever the webhost set it at. I added ssh tunneling for mysql a few days ago. Perhaps that is generating all the noise?

Last edited by detest; 04-27-2003 at 05:40 PM.
 
Old 04-28-2003, 08:37 AM   #5
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Originally posted by Mara
Is eth0 an internal interface? If yes, it may be a wrongly configured machine (but there are 3 different IPs). If it's your Net connection, you can't do much about it; they need to be dropped.
NAT issue like Mara pointed out!
 
Old 04-28-2003, 02:32 PM   #6
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148
If the problem is in your local network, you will be able to find out the machine, because you've got its MAC - 00:c0:9f:20:98:1b.
 
Old 04-30-2003, 12:51 AM   #7
detest
LQ Newbie
 
Registered: Apr 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Am I correct to assume that someone at my webhost configured a server incorrectly? Nothing I can do but to report the MAC address to them?
 
Old 05-03-2003, 08:45 AM   #8
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148
I don't know what eth0 is connected to, but that's the source of the problem. It may not be a server but a workstation, but it's really hard to say.
 
Old 06-10-2003, 03:04 PM   #9
Spotnik
LQ Newbie
 
Registered: May 2003
Posts: 23

Rep: Reputation: 15
I've been logging similar messages--thousands of them in fact--since implementing the stronger ruleset from the IP_Masq HOWTO.
Having just had my previous machine hacked to shreds (over a ppp connection no less) I am especially paranoid now about ANY messages logging strange IPs. Here's my sample output:

Jun 10 08:01:53 spotnik kernel: IN=eth1 OUT= MAC= SRC=12.221.xx.xx DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=141
Jun 10 08:02:07 spotnik kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6a:bc:54:08:00 SRC=10.8.16.1 DST=255.255.255.255 LEN=369 TOS=0x00 PREC=0x00 TTL=255 ID=7374 PROTO=UDP SPT=67 DPT=68 LEN=349
Jun 10 08:02:08 spotnik kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6a:bc:54:08:00 SRC=10.8.16.1 DST=255.255.255.255 LEN=363 TOS=0x00 PREC=0x00 TTL=255 ID=7377 PROTO=UDP SPT=67 DPT=68 LEN=343

"Eth1" is my external device; the 12.221.xx.xx number is the number assigned by my cable company. I have no idea where this 10.8.16.1 is coming from.

What gets me is the weird MAC addresses--they have nothing to do with any of my network devices (internal, external or cable modem).

I too would like to know whether this is evidence of a spoof, or if not, how I can redirect these logs so that syslogd isn't having to create a new messages file every 24 hours.
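Added example, not code from the thread or from any of the posters: a small Python script that parses netfilter LOG lines of the format quoted in both detest's and Spotnik's posts and explains each one. It checks whether SRC is an RFC 1918 address (unSpawn's point), whether DST is the limited broadcast 255.255.255.255, splits the MAC= field into destination MAC, source MAC and EtherType (the source MAC being the handle Mara suggests reporting), and names the service from the ports seen in this thread: 138 NetBIOS datagram, 67/68 DHCP, 631 IPP/CUPS. The sample lines are constructed: one is copied from detest's post, one from Spotnik's, and the CUPS line is Spotnik's with the masked 12.221.xx.xx replaced by the documentation address 203.0.113.7. The port-to-service table and the field names are this example's own assumptions about the log format, not anything the thread states.

```python
"""Classify netfilter LOG lines like the ones quoted in this thread.

Added example, not code from the thread or any poster. SAMPLE_LINES are
constructed: one line copied from detest's post, one from Spotnik's, and
one with the masked public IP replaced by the documentation address
203.0.113.7.
"""
import ipaddress
import re

# KEY=value tokens; keys with no value (e.g. "OUT=") yield an empty string.
_FIELD_RE = re.compile(r"(\w+)=(\S*)")

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports seen in the thread, with their IANA names (an assumption; extend as needed).
SERVICE_NAMES = {137: "NetBIOS name service",
                 138: "NetBIOS datagram service",
                 631: "IPP / CUPS printer browsing"}

SAMPLE_LINES = [
    "Apr 27 01:44:21 hostname kernel: UDP drop IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:c0:9f:20:98:1b:08:00 SRC=192.168.2.203 "
    "DST=255.255.255.255 LEN=232 TOS=0x00 PREC=0x00 TTL=128 ID=53117 "
    "PROTO=UDP SPT=138 DPT=138 LEN=212",
    "Jun 10 08:02:07 spotnik kernel: IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0a:42:6a:bc:54:08:00 SRC=10.8.16.1 "
    "DST=255.255.255.255 LEN=369 TOS=0x00 PREC=0x00 TTL=255 ID=7374 "
    "PROTO=UDP SPT=67 DPT=68 LEN=349",
    # constructed: Spotnik's CUPS line with the masked public IP replaced
    "Jun 10 08:01:53 spotnik kernel: IN=eth1 OUT= MAC= SRC=203.0.113.7 "
    "DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=631 DPT=631 LEN=141",
]


def parse_log_line(line):
    """KEY=value fields as a dict; text before the first field (timestamp,
    host, --log-prefix) is 'prefix'. LEN= appears twice (IP total length,
    then UDP/TCP length); the second occurrence is stored as 'LEN2'."""
    m = _FIELD_RE.search(line)
    fields = {"prefix": line[:m.start()].strip() if m else line.strip()}
    for key, value in _FIELD_RE.findall(line):
        if key in fields:
            key += "2"
        fields[key] = value
    return fields


def split_mac(mac_field):
    """MAC= is the raw 14-byte Ethernet header: 6 bytes dst, 6 bytes src,
    2 bytes EtherType (08:00 = IPv4). Returns (dst_mac, src_mac, ethertype);
    an empty MAC= (point-to-point link or locally generated) gives Nones."""
    octets = mac_field.split(":") if mac_field else []
    if len(octets) != 14:
        return None, None, None
    return (":".join(octets[0:6]), ":".join(octets[6:12]),
            "0x" + "".join(octets[12:14]))


def guess_service(sport, dport):
    if {sport, dport} <= {67, 68}:
        return "DHCP (bootps/bootpc)"
    return SERVICE_NAMES.get(dport) or SERVICE_NAMES.get(sport)


def classify(line):
    """Explain one logged packet and say whether it came off the local segment."""
    f = parse_log_line(line)
    dst_mac, src_mac, _ = split_mac(f.get("MAC", ""))
    src = ipaddress.ip_address(f["SRC"])
    dst = ipaddress.ip_address(f["DST"])
    sport, dport = int(f.get("SPT", 0)), int(f.get("DPT", 0))

    reasons = []
    if any(src in net for net in PRIVATE_NETS):
        reasons.append("RFC 1918 private source address")
    if dst == LIMITED_BROADCAST:
        reasons.append("limited-broadcast destination")
    elif dst.is_multicast:
        reasons.append("multicast destination")
    if dst_mac == "ff:ff:ff:ff:ff:ff":
        reasons.append("Ethernet broadcast frame")
    service = guess_service(sport, dport)
    if service:
        reasons.append("looks like " + service)

    # Routers do not forward a limited broadcast (RFC 919), so such a packet
    # was emitted on the same layer-2 segment as the logging interface.
    local = dst == LIMITED_BROADCAST or dst_mac == "ff:ff:ff:ff:ff:ff"
    return {"src": str(src), "src_mac": src_mac, "proto": f.get("PROTO"),
            "sport": sport, "dport": dport, "reasons": reasons,
            "local_segment": local}


def talkers(lines):
    """Packet count per (source MAC, source IP): the MAC is what to report to
    whoever runs the segment, since the IP may be misconfigured or forged."""
    counts = {}
    for line in lines:
        c = classify(line)
        key = (c["src_mac"], c["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = classify(line)
        print(f"{c['src']:>15} mac={c['src_mac']} {c['proto']} "
              f"{c['sport']}->{c['dport']} local={c['local_segment']}: "
              + "; ".join(c["reasons"]))
    print(talkers(SAMPLE_LINES))
```

The property the script leans on is that a datagram to 255.255.255.255 is never forwarded by a router, so whatever sent it sits on the same Ethernet segment as the logging interface (at a hoster, typically the shared switch segment), and the source MAC in the MAC= field identifies that machine even when its IP is bogus; an empty MAC= means the packet did not arrive as an Ethernet frame at all. To stop these lines filling /var/log/messages, put a silent DROP for `-d 255.255.255.255` (and, if wanted, `-s 192.168.0.0/16`) ahead of the LOG rule, or rate-limit the LOG rule itself with `-m limit --limit 5/min`.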
 
Old 06-11-2003, 03:04 PM   #10
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148
So it looks like a spoof... Maybe stop logging them?
 
  

