fred smith
2012-Aug-17 02:01 UTC
[CentOS] OT: what are all these probes from my firewall log????
I'm getting a gazillion of these probes in my firewall logs. I don't
understand what's going on here,... These all look like bootp requests
from 10.21.72.1, to 255.255.255.255.
there's certainly no 10.x.x.x here on this network, and I don't get the
destination address... is it possible to send packets out onto the
internet addressed like that?
whois doesn't turn up anything on 10.21.72.1.
Anybody got suggestions on how I'd track this down?
Thanks!
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:46 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34102
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:16:00 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34114
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:16:40 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34139
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:16:45 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34149
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:16:47 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34152
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:17:05 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34175
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:07 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34178
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:08 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34181
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:08 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34183
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:17:16 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34188
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:17:49 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34210
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:27 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=411 TOS=0x00 PREC=0x00 TTL=255 ID=34243
PROTO=UDP <1>SPT=67 DPT=68 LEN=391
Aug 16 21:18:27 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=411 TOS=0x00 PREC=0x00 TTL=255 ID=34248
PROTO=UDP <1>SPT=67 DPT=68 LEN=391
Aug 16 21:18:31 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34253
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34255
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34257
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:18:33 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34259
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:18:41 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34271
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:18:50 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34280
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:19:11 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34293
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:19:12 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34295
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:19:42 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34306
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
Aug 16 21:19:51 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34315
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:20:53 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34359
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:21:04 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34361
PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:21:25 kernel: DROP <4>DROPIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1
DST=255.255.255.255 <1>LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=34385
PROTO=UDP <1>SPT=67 DPT=68 LEN=328
--
---- Fred Smith -- fredex at fcshome.stoneham.ma.us
-----------------------------
"For him who is able to keep you from falling and to present you before his
glorious presence without fault and with great joy--to the only God our Savior
be glory, majesty, power and authority, through Jesus Christ our Lord, before
all ages, now and forevermore! Amen."
----------------------------- Jude 1:24,25 (niv) -----------------------------
John R Pierce
2012-Aug-17 03:27 UTC
[CentOS] OT: what are all these probes from my firewall log????
On 08/16/12 7:01 PM, fred smith wrote:
> I'm getting a gazillion of these probes in my firewall logs. I don't
> understand what's going on here,... These all look like bootp requests
> from 10.21.72.1, to 255.255.255.255.
>
> there's certainly no 10.x.x.x here on this network, and I don't get the
> destination address... is it possible to send packets out onto the
> internet addressed like that?
>
> whois doesn't turn up anything on 10.21.72.1.
>
> Anybody got suggestions on how I'd track this down?
>
> Thanks!
>
>
> Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
> ....

that looks like DHCP requests. maybe there's some piece of network gear on your gateway LAN that's trying to get autoconfigured?

--
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
Lamar Owen
2012-Aug-25 12:41 UTC
[CentOS] OT: what are all these probes from my firewall log????
On Saturday, August 18, 2012 11:01:26 AM fred smith wrote:
> On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
> > On 08/16/2012 11:06 PM, fred smith wrote:
> > > hmm... just did traceroute 10.21.72.1 and it comes back as being a
> > > system at my ISP. that doesn't seem right to me. they shouldn't be
> > > broadcasting such stuff, as far as I know, at least.
> >
> > Those are BOOTP responses from your ISP's DHCP server to clients requesting
> > an IP address. They have to be broadcast because the client does not yet
> > have an IP address.
>
> that implies that there are a WHOLE LOT of systems served by this provider
> that are doing dhcp requests, given the volume of these things I'm seeing.
> they're arriving at rates ranging from 4-5 a second, to 1-2 a minute,
> mostly in the one every 1-5 seconds rate.

Welcome to NAT444. Aka 'double-NAT' or 'carrier-grade NAT' where your
connection's WAN port is further NATted at the ISP's border router, and the
ISP itself is using RFC 1918 space and minimal publicly routable IP
addresses. There was a special IPv4 address block allocated for this purpose
relatively recently; discussion can be found in the NANOG mailing list
archives.....
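The thread works out the answer by hand: the port pair SPT=67/DPT=68 marks a DHCP server reply rather than a client request, the 10.x source is RFC 1918 space belonging to the ISP's access network, and the 255.255.255.255 destination is the limited broadcast a server must use for a client that has no address yet. The following script is an added example written for this page (not code from any of the posters): it parses the kernel LOG lines in the format Fred posted, classifies each packet by DHCP direction and source address class, flags the ones that match the "ISP DHCP reply on a shared segment" pattern Robert and Lamar describe, and measures the inter-arrival time Fred estimated by eye. The first three sample lines are Fred's own; the last two (a neighbour's DHCP request from 0.0.0.0 and an unrelated TCP connection attempt) are constructed. Function names, the `wan_if` parameter and the `L4LEN` key are my own. The address block Lamar alludes to but does not name is, as a known fact, 100.64.0.0/10 from RFC 6598; it is included so the same check covers ISPs that use it instead of RFC 1918 space.

```python
"""Triage of iptables LOG lines for DHCP/BOOTP broadcast noise on a WAN port.

Added example for this thread, not code from any poster. It tells DHCP server
replies (67->68) from client requests (68->67), classifies the source address,
and measures how often the replies arrive.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# RFC 1918 private space and the RFC 6598 shared address space
# (100.64.0.0/10, the block set aside for carrier-grade NAT).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGN_NET = ipaddress.ip_network("100.64.0.0/10")
LIMITED_BROADCAST = "255.255.255.255"

# Sample input: the first three lines are taken from the thread; the last two
# are constructed here (a neighbour's DHCP request and an unrelated TCP SYN).
SAMPLE_LOG = """\
Aug 16 21:13:59 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34040 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:14:45 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34063 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:08 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=10.21.72.1 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=34075 PROTO=UDP <1>SPT=67 DPT=68 LEN=308
Aug 16 21:15:46 kernel: DROP <4>DROPIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:eb:77:71:d9:08:00 <1>SRC=0.0.0.0 DST=255.255.255.255 <1>LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP <1>SPT=68 DPT=67 LEN=308
Aug 16 21:15:50 kernel: DROP <4>DROPIN=eth0 OUT= MAC=00:23:eb:77:71:d9:00:11:22:33:44:55:08:00 <1>SRC=198.51.100.7 DST=203.0.113.9 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=555 PROTO=TCP <1>SPT=40000 DPT=22
"""

# Timestamp, optional syslog hostname, then the LOG key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?kernel: (?P<rest>.*)$")
# Key=value pairs; the stray <4>/<1> level markers in front of keys are skipped.
KV_RE = re.compile(r"(?:<\d>)?([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of LOG fields, or None for lines that are not LOG lines.

    "DROPIN" is the LOG prefix "DROP" run together with "IN=", so it is
    unmashed to IN. The first LEN= is the IP total length; the second one
    (the UDP/TCP length) is stored under the made-up key L4LEN.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")}
    for key, val in KV_RE.findall(m.group("rest")):
        if key == "DROPIN":
            key = "IN"
        elif key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = val
    return fields


def dhcp_direction(f):
    """'server->client' for 67->68, 'client->server' for 68->67, else None."""
    if f.get("PROTO") != "UDP":
        return None
    ports = (f.get("SPT"), f.get("DPT"))
    if ports == ("67", "68"):
        return "server->client"
    if ports == ("68", "67"):
        return "client->server"
    return None


def address_class(ip):
    """Bucket a source address the way the thread reasons about it."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address("0.0.0.0"):
        return "unspecified"      # a DHCP client that has no address yet
    if any(addr in net for net in PRIVATE_NETS):
        return "rfc1918"
    if addr in CGN_NET:
        return "rfc6598-shared"
    return "other"


def is_isp_dhcp_noise(f, wan_if="eth0"):
    """True for a broadcast DHCP server reply from private/shared space seen on
    the WAN interface: the ISP's DHCP server answering a neighbour on a shared
    access segment (the thread's diagnosis), not a probe aimed at this host."""
    return (f.get("IN") == wan_if
            and dhcp_direction(f) == "server->client"
            and f.get("DST") == LIMITED_BROADCAST
            and address_class(f["SRC"]) in ("rfc1918", "rfc6598-shared"))


def triage(log_text, wan_if="eth0"):
    """Count packets per class and measure the mean gap between server replies."""
    summary = {"server_replies": 0, "client_requests": 0, "other": 0,
               "isp_dhcp_noise": 0, "sources": Counter(),
               "mean_reply_gap_s": None}
    reply_times = []
    for f in filter(None, map(parse_line, log_text.splitlines())):
        direction = dhcp_direction(f)
        if direction == "server->client":
            summary["server_replies"] += 1
            reply_times.append(f["ts"])
        elif direction == "client->server":
            summary["client_requests"] += 1
        else:
            summary["other"] += 1
        if is_isp_dhcp_noise(f, wan_if):
            summary["isp_dhcp_noise"] += 1
        summary["sources"][(f["SRC"], address_class(f["SRC"]))] += 1
    if len(reply_times) > 1:
        span = (max(reply_times) - min(reply_times)).total_seconds()
        summary["mean_reply_gap_s"] = span / (len(reply_times) - 1)
    return summary


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Run it against a real `/var/log/messages` by feeding the file contents to `triage()`. Once the 67->68 broadcasts are confirmed to be the ISP's DHCP traffic, the practical fix is to stop logging them rather than keep dropping them noisily: a rule such as `iptables -I INPUT -i eth0 -p udp --sport 67 --dport 68 -d 255.255.255.255 -j DROP` placed before the LOG rule removes the noise so that anything left in the log is worth a look.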