Re: Suspicious Activity

From: Michael Grice (grice@binc.net)
Date: 08/19/01
Date: Sun, 19 Aug 2001 16:59:56 -0500
From: Michael Grice <grice@binc.net>
To: security-basics@securityfocus.com
Subject: Re: Suspicious Activity
Message-ID: <20010819165956.A12977@ctg-mail.binc.net>
* freehold@erols.com <freehold@erols.com> [010819 11:05] wrote:
> I think TFTP passes information from services for some devices at
> boot-time - like routers & their config files. It might even be the
> default install to leave it open. But it doesn't have authentication &
> I don't think there's any reason to use it outside of your LAN. You
> probably want to restrict access to it closely even inside.

I suspect that a router somewhere has the original poster's server's IP
address configured as a helper address. When a Cisco router is configured
with a helper address, by default it forwards broadcasts to a number of
UDP ports to the helper address. The ports forwarded include 53 (name
service) and 69 (TFTP), among others.

The point of the helper address is to specifically forward those packets
to where they are needed, so that the entire subnet does not receive
these broadcasts. Without a helper address, the router would just
discard these broadcasts.

If this is the case, you can turn off UDP forwarding for certain ports
with (for example) "no ip forward-protocol udp 69" in configuration
mode on the router. See Cisco's documentation for more details. If
you're getting the packets because of a helper address, it's probably
harmless.

Like Missy says, if you have TFTP running in your LAN, you don't want
anybody to have access to it. It's common to use TFTP on a server to
collect router configs, for example.
--Michael
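As an added illustration (not from Michael's post or from Cisco documentation), here is what the helper-address setup he describes looks like in IOS configuration, next to the change that stops the router relaying port 69 and 53 broadcasts to the server; the interface name and the 198.51.100.x / 192.0.2.x addresses are assumed.

```cisco
! Added example, not taken from the original post. Interface name, subnet
! and the helper address 192.0.2.10 (documentation range) are assumptions.
!
! --- As likely found: the LAN interface points a helper address at the server.
! With only this, IOS takes broadcasts on this interface for its default UDP
! port list (which includes 53 and 69) and sends them as unicast to 192.0.2.10.
interface GigabitEthernet0/1
 description Client LAN
 ip address 198.51.100.1 255.255.255.0
 ip helper-address 192.0.2.10
!
! --- Corrected: keep the helper address (it may still be needed for other
! services) but stop the router relaying TFTP and name-service broadcasts.
! These are global configuration commands, not interface commands.
no ip forward-protocol udp 69
no ip forward-protocol udp 53
!
! --- Check: the running configuration should now list both exclusions.
! show running-config | include forward-protocol
end
```

The port 69 exclusion alone matches the command quoted in the post; dropping 53 as well is only appropriate if the server is not meant to answer forwarded DNS queries.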