[H-GEN] bombardment
Michael Anthon
michael at anthon.net
Sun Mar 31 06:11:13 EST 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
<snip>
T=255 (#61)
> > Mar 12 13:10:20 sugar kernel: Packet log: input DENY eth1 PROTO=17 10.192.52.1:67 255.255.255.255:68 L=372 S=0x00 I=10875 F=0x0000 T=255 (#61)
>
> This is simply a DHCP client on your internal network asking
> the network for a DHCP address, and your server denying it.
<snip>
Or is it? From where I sit the port numbers seem to be a bit arse about;
here's a bit of a tcpdump captured when I requested a lease from my client
machine....
20:42:46.472449 10.1.1.10.68 > 10.1.1.5.67: xid:0x29667f26 flags:0x8000 C:10.1.1.10 [|bootp]
20:42:49.095143 0.0.0.0.68 > 255.255.255.255.67: xid:0x2c2a0655 [|bootp]
20:42:49.096637 10.1.1.5.67 > 10.1.1.10.68: xid:0x2c2a0655 Y:10.1.1.10 S:10.1.1.5 [|bootp] [tos 0x10]
20:42:49.099141 0.0.0.0.68 > 255.255.255.255.67: xid:0x2c2a0655 [|bootp]
20:42:49.100564 10.1.1.5.67 > 10.1.1.10.68: xid:0x2c2a0655 Y:10.1.1.10 S:10.1.1.5 [|bootp] [tos 0x10]
68 is the dhcp/bootp client port, 67 is the server port, so something looks a
little wrong. It's also possible that I'm just making a fool of myself
since I'm terribly tired and should probably be in bed (having 4 1/2 month
old twins in the house does that to you).
Perhaps someone that has a better grip on this stuff could explain it?
Anyway, maybe try unplugging stuff until those packets stop if all else
fails. Also you can use tcpdump to grab the MAC address for the offending
machine and track it down that way as well.
Cheers
Michael
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
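
Added example (not part of the original post): a small Python parser for ipchains "Packet log" lines like the one quoted above. It classifies DHCP/BOOTP traffic by port pair and lists which source addresses are sending server-side replies on which interface. The first sample line is the one from the message; the other two are constructed, and the function names are this example's own.

```python
import re

# ipchains "Packet log" layout, as in the log line quoted in the message
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
UDP = 17
BOOTPS, BOOTPC = 67, 68  # server port, client port

SAMPLE = [
    # from the message
    "Mar 12 13:10:20 sugar kernel: Packet log: input DENY eth1 PROTO=17 "
    "10.192.52.1:67 255.255.255.255:68 L=372 S=0x00 I=10875 F=0x0000 T=255 (#61)",
    # constructed: a client broadcasting a request
    "Mar 12 13:10:25 sugar kernel: Packet log: input DENY eth0 PROTO=17 "
    "0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=128 (#61)",
    # constructed: unrelated TCP traffic
    "Mar 12 13:10:30 sugar kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.1.1.10:1034 10.1.1.5:22 L=60 S=0x00 I=411 F=0x4000 T=64 (#61)",
]

def classify(line):
    """Return (direction, fields) for a DHCP/BOOTP log line, else None."""
    m = LOG_RE.search(line)
    if not m or int(m["proto"]) != UDP:
        return None
    ports = (int(m["sport"]), int(m["dport"]))
    if ports == (BOOTPC, BOOTPS):
        return "client-request", m.groupdict()
    if ports == (BOOTPS, BOOTPC):
        return "server-reply", m.groupdict()
    return None

def dhcp_servers(lines):
    """Map each address sending server-side replies to the interfaces it was seen on."""
    seen = {}
    for line in lines:
        result = classify(line)
        if result and result[0] == "server-reply":
            fields = result[1]
            seen.setdefault(fields["src"], set()).add(fields["iface"])
    return seen

if __name__ == "__main__":
    for line in SAMPLE:
        result = classify(line)
        print(result[0] if result else "not DHCP", "<-", line[:60])
    print(dhcp_servers(SAMPLE))
```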