Unusual packet traffic

Timothy M. Lyons lyons at digitalvoodoo.org
Mon Jan 13 14:42:13 EST 2003


Bill,

If you are an AT&T customer then no worries - AT&T uses the 10 net for their
HFC network.
If you have a Surfboard Modem (others may work like this as well), try
browsing to http://192.168.100.1 which should bring you to the web interface
of the modem (you may have to temporarily remove the RFC-1918 FW rule).  If
you get to the web interface, just click on "Addresses" which will show you
the internal address of the modem.

If you are really bored, do an snmpwalk of that address using "public" as
the community string.

Fun Fun!

--Tim

---
Timothy M. Lyons, CISSP
lyons at digitalvoodoo.org



-----Original Message-----
From: discuss-admin at blu.org [mailto:discuss-admin at blu.org] On Behalf Of Bill
Horne
Sent: Saturday, January 11, 2003 15:55
To: discuss at blu.org
Subject: Unusual packet traffic


Hi, thanks for reading this.

I just added a firewall rule that logs any attempt to spoof IP
addresses. The rule logs any incoming traffic from RFC1918 (i.e.,
"detached network") addresses.

I got a lot of packets like this in the log today. At first glance, it
looks like someone is trying to connect a device that's set up for
BOOTP, but the source port is 67, not 68. The only thing I can think
of is that it's the cable company advertising DHCP services for the
cable modems.

Opinions?

Jan 11 15:18:43 billhorne kernel: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:b0:8e:f5:10:54:08:00 SRC=10.219.216.1
DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=255 ID=24721
PROTO=UDP SPT=67 DPT=68 LEN=340

Bill
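
The triage Bill reasons through above (an RFC1918 source address, but UDP source port 67 to destination port 68) can be automated over the firewall log. This is an added example, not part of either message: the first sample line is the log entry from the post joined onto one line, the other two are constructed for contrast, and the function names and verdict labels are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Line 1 is the entry from the post; lines 2 and 3 are constructed samples.
SAMPLE_LOG = """\
Jan 11 15:18:43 billhorne kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:b0:8e:f5:10:54:08:00 SRC=10.219.216.1 DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=255 ID=24721 PROTO=UDP SPT=67 DPT=68 LEN=340
Jan 11 15:19:02 billhorne kernel: IN=eth0 OUT= MAC=00:10:5a:aa:bb:cc:00:b0:8e:f5:10:54:08:00 SRC=192.168.1.77 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN
Jan 11 15:19:30 billhorne kernel: IN=eth0 OUT= MAC=00:10:5a:aa:bb:cc:00:b0:8e:f5:10:54:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4243 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 SYN
"""


def parse(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def classify(line):
    """Return (src_ip, sender_mac, verdict) for one log line."""
    f = parse(line)
    src = ipaddress.ip_address(f["SRC"])
    # MAC= holds destination MAC (6 bytes), source MAC (6 bytes), EtherType (2).
    sender_mac = ":".join(f["MAC"].split(":")[6:12])
    if not any(src in net for net in RFC1918):
        verdict = "not-rfc1918"
    elif f["PROTO"] == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68":
        # Server port 67 to client port 68 is a DHCP/BOOTP server reply.
        verdict = "dhcp-server-reply"
    else:
        verdict = "spoof-candidate"
    return str(src), sender_mac, verdict


def triage(log):
    """Classify every log line that carries a SRC= field."""
    return [classify(l) for l in log.splitlines() if "SRC=" in l]


if __name__ == "__main__":
    for src, mac, verdict in triage(SAMPLE_LOG):
        print(f"{src:15} {mac}  {verdict}")
```

The sender MAC column shows which upstream device emitted each packet, which helps confirm that repeated DHCP replies all come from the same provider equipment.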
