RE: Odd entries in my Security Router logs

From: Julian Young (julian.young@nl.compuware.com)
Date: 12/11/02

    From: Julian Young <julian.young@nl.compuware.com>
    To: incidents@securityfocus.com
    Date: 11 Dec 2002 09:53:54 +0100
    
    

    I think that Drew Schaffner was right when he stated

    > These look like normal bootp requests hitting your router. Do
    > you happen to have actual packet captures? Would there be any
    > reason for a device (cable modem, cable router, etc) on the outside
    > perimeter of your firewall to be requesting bootp service?

    To which the answer is yes.

    My guess is that when the firewall was handling the DHCP we were not
    picking these up. We were not logging the DHCP traffic; perhaps we should
    have done so.

    What threw me was the router claiming a DoS. What I don't understand
    is why I should be picking up this traffic, since the target is xxx.254;
    I could understand it if it was .255.

    I could attempt to capture the packet, but since it's being blocked, it
    has to compete with other priorities, I am afraid.

    Many thanks, one and all.

    Julian

    On Tue, 2002-12-10 at 18:17, Andrews, Jonathan (US - Hermitage) wrote:
    > 192.168.0.0/16 is a privately addressed netblock. These packets could not
    > be routed over the Internet. Do you NAT at your edge router and were these
    > traces obtained from the "internal" interface of your router?
    >
    > If so, this would have to be something on your internal network broadcasting
    > this traffic.
    >
    > Jonathan Andrews, CISSP CCSA
    > Sr. Information Security Analyst
    > Network Security Group
    > Deloitte & Touche
    >
    > -----Original Message-----
    > From: Julian Young [mailto:julian.young@nl.compuware.com]
    > Sent: Monday, December 09, 2002 3:38 AM
    > To: incidents@securityfocus.com
    > Subject: Odd entries in my Security Router logs
    >
    >
    > I keep seeing these entries in my external router's log files. Does
    > anyone recognize them and know what type of attack they are? OK, it is
    > obviously something to do with DHCP, but I recently had a firewall
    > compromised and I still don't know how. Since that wall had DHCP open,
    > I wonder if this could have been the trick.
    >
    > I have left the IP numbers as they are, since none of them belong to me
    > or are in any range I use!
    >
    > # Time Packet Information Reason Action
    > 1|Dec 8 02 |From:192.168.7.249 To:192.168.255.254 |match |block
    > | 09:37:12 |UDP src port:00068 dest port:00067 |service deny |
    > 2|Dec 8 02 |From:192.168.8.250 To:192.168.255.254 |match |block
    > | 09:37:12 |UDP src port:00068 dest port:00067 |service deny |
    > 3|Dec 8 02 |From:192.168.7.249 To:192.168.255.254 |match |block
    > | 15:45:32 |UDP src port:00068 dest port:00067 |service deny |
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
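
    The three checks this thread turns on (DHCP/BOOTP client-to-server ports, an RFC 1918 source, and whether a .254 target could be a broadcast address), as an added Python example that is not part of the original messages. The sample log is constructed in the quoted router-log layout, and `classify` and `is_broadcast` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample in the layout of the router log quoted in the thread
# (two lines per entry); entries 3 and 4 are invented for contrast.
SAMPLE_LOG = """\
1|Dec 8 02 |From:192.168.7.249 To:192.168.255.254 |match |block
| 09:37:12 |UDP src port:00068 dest port:00067 |service deny |
2|Dec 8 02 |From:192.168.8.250 To:192.168.255.254 |match |block
| 09:37:12 |UDP src port:00068 dest port:00067 |service deny |
3|Dec 8 02 |From:10.1.2.3 To:255.255.255.255 |match |block
| 10:02:44 |UDP src port:00068 dest port:00067 |service deny |
4|Dec 8 02 |From:203.0.113.9 To:198.51.100.1 |match |block
| 11:15:00 |UDP src port:01025 dest port:00053 |service deny |
"""

ENTRY = re.compile(
    r"From:(?P<src>[\d.]+)\s+To:(?P<dst>[\d.]+)[^\n]*\n[^\n]*?"
    r"(?P<proto>UDP|TCP) src port:(?P<sport>\d+) dest port:(?P<dport>\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_broadcast(dst, prefixes=range(8, 31)):
    """Limited broadcast, or directed broadcast for any prefix length tried."""
    addr = ipaddress.ip_address(dst)
    if int(addr) == 0xFFFFFFFF:
        return True
    return any(
        ipaddress.ip_network(f"{dst}/{p}", strict=False).broadcast_address == addr
        for p in prefixes)

def classify(log_text):
    """Return one dict per log entry with the three checks named above."""
    out = []
    for m in ENTRY.finditer(log_text):
        src = ipaddress.ip_address(m["src"])
        out.append({
            "src": m["src"], "dst": m["dst"],
            # DHCP/BOOTP client-to-server traffic is UDP 68 -> 67
            "dhcp_client_to_server": (m["proto"], int(m["sport"]), int(m["dport"]))
                                     == ("UDP", 68, 67),
            "src_rfc1918": any(src in net for net in RFC1918),
            "dst_broadcast": is_broadcast(m["dst"]),
        })
    return out

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```

    For every prefix length from /8 to /30, an address ending in .254 has a zero host bit, so it is a unicast address rather than a directed broadcast.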
