Good day

Anyone know why my network is getting probed? That is, the .0 address of a Class-C range. It doesn't seem to be part of a wider probe. My old firewall code apparently didn't log this kind of behavior, and I have never seen any references to it.

Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69 DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP SPT=32532 DPT=33443 LEN=18

tia,
David Mitchell
David Mitchell wrote:
> Good day
>
> Anyone know why my network is getting probed? That is, the .0 address of
> a Class-C range. It doesn't seem to be part of a wider probe. My old
> firewall code apparently didn't log this kind of behavior, and I have
> never seen any references to it.
>
> Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69
> DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP
> SPT=32532 DPT=33443 LEN=18

You can suppress these messages by including the .0 address as a broadcast address for eth0.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon Sep 09/30/02, 2002 at 06:04:30PM -0700, David Mitchell wrote:
> Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69
> DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP
> SPT=32532 DPT=33443 LEN=18

This looks simply like a nitwit trying to traceroute the .0 address to me. :)

I'd drop it in the nitbucket -- Tom's suggestion to treat it as a broadcast makes sense to me.

--
Greg White
> Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69
> DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP
> SPT=32532 DPT=33443 LEN=18

Look at the TTL. This isn't a legit OS.

> This looks simply like a nitwit trying to traceroute the .0 address to
> me. :)

> I'd drop it in the nitbucket -- Tom's suggestion to treat it as a
> broadcast makes sense to me.

I wouldn't dismiss this so quickly. You may want to dig deeper to see what's going on. At least sniff the wire, see what's in the payload.

I'm just a little paranoid though. . .

Jeff
David Mitchell wrote:
> Thanks, Tom
>
> It's useful to know how to suppress them, but I'm curious about what
> the sender is trying to do. Any ideas?

See Greg's response. Never attribute to malice that which can be explained by stupidity.

-tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon Sep 09/30/02, 2002 at 07:53:26PM -0600, Jeff Falgout wrote:
> Greg White wrote:
> > Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69
> > DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP
> > SPT=32532 DPT=33443 LEN=18
>
> Look at the TTL. This isn't a legit OS.
>
> > This looks simply like a nitwit trying to traceroute the .0 address to
> > me. :)

I stand by my guess -- the TTL + the UDP ports is what made me think of traceroute.

> > I'd drop it in the nitbucket -- Tom's suggestion to treat it as a
> > broadcast makes sense to me.

s/nitbucket/bitbucket/g ;)

> I wouldn't dismiss this so quickly. You may want to dig deeper to see
> what's going on. At least sniff the wire, see what's in the payload.

1. It fits the traceroute profile perfectly.
2. It's being blocked anyway.

>/dev/null is the only place I would put it.

--
Greg White
Greg White wrote:
> On Mon Sep 09/30/02, 2002 at 07:53:26PM -0600, Jeff Falgout wrote:
>
>> Greg White wrote:
>>
>>> Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>>> MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69
>>> DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP
>>> SPT=32532 DPT=33443 LEN=18
>>
>> Look at the TTL. This isn't a legit OS.
>>
>>> This looks simply like a nitwit trying to traceroute the .0 address to
>>> me. :)
>
> I stand by my guess -- the TTL + the UDP ports is what made me think of
> traceroute.

Especially given the -f flag for traceroute....

>>> I'd drop it in the nitbucket -- Tom's suggestion to treat it as a
>>> broadcast makes sense to me.
>
> s/nitbucket/bitbucket/g ;)
>
>> I wouldn't dismiss this so quickly. You may want to dig deeper to see
>> what's going on. At least sniff the wire, see what's in the payload.
>
> 1. It fits the traceroute profile perfectly.
> 2. It's being blocked anyway.
>
> >/dev/null is the only place I would put it.

I agree...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
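An added example, not from the thread: a small Python parser for the Shorewall/netfilter log line quoted above, with a check for the "traceroute profile" Greg and Tom describe (UDP probe, destination port in the classic 33434+ range, low TTL, tiny payload) and a check for the .0 network address Tom suggests declaring as a broadcast address. The numeric thresholds and the /24 prefix are my assumptions.

```python
import re
import ipaddress

# Constructed sample: the exact log line David posted to the list.
SAMPLE_LOG = (
    "Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69 "
    "DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP "
    "SPT=32532 DPT=33443 LEN=18"
)

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of a Shorewall/netfilter log line.
    The IP-header LEN and the UDP LEN share a key, so the first one is
    kept as 'LEN' and the transport-layer one as 'LEN2'."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            key = key + "2"
        fields[key] = value
    chain = re.search(r"Shorewall:([^:]+):([A-Z]+):", line)
    if chain:
        fields["CHAIN"], fields["ACTION"] = chain.groups()
    return fields


def looks_like_traceroute(fields, max_ttl=30):
    """Classic UNIX traceroute sends small UDP probes to unused high
    ports starting at 33434, with a TTL that starts low and grows
    (-f sets the starting TTL).  Thresholds are assumptions."""
    if fields.get("PROTO") != "UDP":
        return False
    dpt = int(fields.get("DPT", 0))
    ttl = int(fields.get("TTL", 255))
    udp_len = int(fields.get("LEN2", 0))
    return 33434 <= dpt <= 33534 and ttl <= max_ttl and udp_len <= 64


def is_network_address(dst, prefixlen=24):
    """True when DST is the all-zeros host of its block (the '.0'
    address of a Class-C range in the thread's terms)."""
    net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
    return ipaddress.ip_address(dst) == net.network_address


if __name__ == "__main__":
    f = parse_netfilter_line(SAMPLE_LOG)
    print(f["SRC"], "->", f["DST"], "traceroute?", looks_like_traceroute(f),
          "network addr?", is_network_address(f["DST"]))
```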
> > Sep 30 16:57:32 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:80:5f:88:49:8f:00:02:3b:02:01:18:08:00 SRC=216.52.254.69
> > DST=198.133.233.0 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=0 DF PROTO=UDP
> > SPT=32532 DPT=33443 LEN=18
>
> Look at the TTL. This isn't a legit OS.
>
> > This looks simply like a nitwit trying to traceroute the .0 address to
> > me. :)

> I stand by my guess -- the TTL + the UDP ports is what made me think of
> traceroute.

> 1. It fits the traceroute profile perfectly.
> 2. It's being blocked anyway.
>
> >/dev/null is the only place I would put it.

Yup -- you're right. Paying too much to the game and not to what I'm reading.
Jeff Falgout wrote:
>
> Yup -- you're right. Paying too much to the game and not to what I'm
> reading.

Sure hope that you are a Baltimore fan then :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> Jeff Falgout wrote:
>
>> Yup -- you're right. Paying too much to the game and not to what I'm
>> reading.
>
> Sure hope that you are a Baltimore fan then :-)

But given your email address, I'm guessing Bronco fan.... :-\

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
>>> Yup -- you're right. Paying too much to the game and not to what I'm
>>> reading.
>>
>> Sure hope that you are a Baltimore fan then :-)
>
> But given your email address, I'm guessing Bronco fan.... :-\

Ugh — I'll admit nothing after last night