Re: DHCP or Probe?

From: Daniel Hanson (dhanson_at_securityfocus.com)
Date: 03/12/04

    Date: Fri, 12 Mar 2004 09:52:40 -0700 (MST)
    To: incidents@securityfocus.com
    
    

    I just wanted to respond as no one else has... perhaps it's just me and my
    somewhat limited understanding of cable network architecture, but if this
    is the cable modem renewing its DHCP, it should not be sending the DHCP
    requests to the public IP on this user's computer.

    From what has been posted so far, it seems that this is a
    misconfiguration, but it is an interesting one. Anyone else have ideas?

    Cheerio
    D

    On Thu, 11 Mar 2004, Eric Peek wrote:

    > Roadrunner assigns your cable modem a 10 dot address even though your host
    > is assigned a public IP. No reason to waste public IP addresses. Your cable
    > modem only needs to talk to Roadrunner's network so it does not need a
    > routable address. This is more than likely your cable modem renewing its IP
    > address from your local CMTS which is forwarding DHCP requests to its CNR
    > server.
    >
    > How often is it happening? Is it constant or just every few hours?
    >
    > Nothing to worry about though.
    >
    > Eric
    >
    > ----- Original Message -----
    > From: "Clint Bodungen" <clint@secureconsulting.com>
    > To: <incidents@securityfocus.com>
    > Sent: Thursday, March 11, 2004 11:50 AM
    > Subject: Re: DHCP or Probe?
    >
    >
    > >
    > > I'm getting the following traffic about every second to my cable modem (My IP,
    > > not a broadcast address). UDP packets looking for port 67... but from a "10 dot"
    > > address. Is this the typical chatty Roadrunner DHCP probes or is it a worm probe?
    > > The reason I find this odd is because the source address here is from a "10 dot"
    > > class A. I'm not on PTP... I have a public address... so this is either from a
    > > spoofed address, a misconfiguration by one of my cable modem neighbors, or
    > > worse... a misconfiguration by RR.
    > >
    > > Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
    > > Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
    > > Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
    > > Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
    > >
    >
    >
    >
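
A way to triage the router log quoted in this thread, as an added example that is not part of the original messages: it parses the four log lines from the post (each joined onto one line, a constructed sample) and summarizes every source by packet count, time span, whether the address is private, and whether the source port is the DHCP server/relay port. The function name `summarize` and the report field names are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four log lines from the post, each joined onto one line.
SAMPLE_LOG = """\
Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
Wed, 2004-03-10 14:43:33 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
Wed, 2004-03-10 14:43:35 - Device Receive UDP Packet - Source:10.50.192.1,67,WAN - [Drop] Destination: [My IP Address]
"""

# Matches the router's "Device Receive UDP Packet" line format shown in the post.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Device Receive UDP Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+),(?P<iface>\w+) - \[(?P<action>\w+)\]"
)

def summarize(log_text):
    """Group logged UDP packets by (source IP, source port) and describe each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            groups[(m["src"], int(m["sport"]))].append(ts)
    report = []
    for (src, sport), times in sorted(groups.items()):
        report.append({
            "source": src,
            "source_port": sport,
            "packets": len(times),
            "span_seconds": (max(times) - min(times)).total_seconds(),
            # is_private is True for RFC 1918 space such as 10.0.0.0/8
            # (and other non-global ranges), which is not routed on the Internet
            "private_source": ipaddress.ip_address(src).is_private,
            # UDP 67 is the DHCP/BOOTP server and relay port; clients use 68
            "dhcp_server_port": sport == 67,
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A private source with source port 67 points at a DHCP server or relay inside the provider's own network rather than a remote Internet host, which narrows the question to the misconfiguration discussed in the thread.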


