* strange log
@ 2003-05-02 9:47 Keith Tin
2003-05-03 23:29 ` Cedric Blancher
0 siblings, 1 reply; 6+ messages in thread
From: Keith Tin @ 2003-05-02 9:47 UTC (permalink / raw)
To: netfilter
Hi,
I found something strange in my iptables log. It was strange because I
put my server at ISP and I don't know why there was an internal IP
logged by my server.
May 2 16:55:35 ABC kernel: FW-REJECT IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:10:5a:63:d3:d8:08:00 SRC=192.168.93.1
DST=255.255.255.255 LEN=276 TOS=0x00 PREC=0x00 TTL=128 ID=34884
PROTO=UDP SPT=68 DPT=67 LEN=256
How can I block these kind of IP?
Thanks,
Keith
* Re: strange log
2003-05-02 9:47 Keith Tin
@ 2003-05-03 23:29 ` Cedric Blancher
2003-05-03 23:45 ` Alexander Demenshin
0 siblings, 1 reply; 6+ messages in thread
From: Cedric Blancher @ 2003-05-03 23:29 UTC (permalink / raw)
To: Keith Tin; +Cc: netfilter
On Fri 02/05/2003 at 11:47, Keith Tin wrote:
> I found something strange in my iptables log. It was strange because I
> put my server at ISP and I don't know why there was an internal IP
> logged by my server.
>
> May 2 16:55:35 ABC kernel: FW-REJECT IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:10:5a:63:d3:d8:08:00 SRC=192.168.93.1
> DST=255.255.255.255 LEN=276 TOS=0x00 PREC=0x00 TTL=128 ID=34884
> PROTO=UDP SPT=68 DPT=67 LEN=256
Broadcast UDP packet from port 68 to port 67
$ grep 6[78]/udp /etc/services
bootps 67/udp
bootpc 68/udp
[...]
This is a DHCP request from client to server. As the client already has an
IP, I would say it is a DHCP request confirmation or a lease renewal.
> How can I block these kind of IP?
Block all private IPs if they're not supposed to reach your server.
I agree it's quite unusual to see DHCP stuff within a hosting
infrastructure.
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
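Added example, not part of the original thread: a short Python triage of the log line from the first post. It checks the reading given in the reply above (private source address, broadcast destination, DHCP client-to-server ports) and pulls the sender's MAC out of the logged Ethernet header so the machine can be located on the segment. The function names and the `L4LEN` key are choices made for this example.

```python
import ipaddress
import re

# Log line quoted in the original post.
SAMPLE = ("May 2 16:55:35 ABC kernel: FW-REJECT IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:10:5a:63:d3:d8:08:00 SRC=192.168.93.1 "
          "DST=255.255.255.255 LEN=276 TOS=0x00 PREC=0x00 TTL=128 ID=34884 "
          "PROTO=UDP SPT=68 DPT=67 LEN=256")

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_fields(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.

    LEN appears twice (IP total length, then UDP length); the second one
    is stored under L4LEN, a key name chosen for this example.
    """
    fields = {}
    for key, value in re.findall(r"\b([A-Z0-9]+)=(\S*)", line):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = value
    return fields

def split_mac(mac):
    """Split the logged 14-byte Ethernet header: dst MAC, src MAC, EtherType."""
    b = mac.split(":")
    return ":".join(b[:6]), ":".join(b[6:12]), "".join(b[12:14])

def triage(line):
    """Classify one log line along the points raised in the thread."""
    f = parse_fields(line)
    src = ipaddress.ip_address(f["SRC"])
    dst_mac, src_mac, _ethertype = split_mac(f["MAC"])
    return {
        "src_private": any(src in net for net in RFC1918),
        "l2_broadcast": dst_mac == "ff:ff:ff:ff:ff:ff",
        "l3_broadcast": f["DST"] == "255.255.255.255",
        "dhcp_client_to_server":
            (f["PROTO"], f["SPT"], f["DPT"]) == ("UDP", "68", "67"),
        "sender_mac": src_mac,
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```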
* Re: strange log
2003-05-03 23:29 ` Cedric Blancher
@ 2003-05-03 23:45 ` Alexander Demenshin
2003-05-04 0:10 ` Cedric Blancher
0 siblings, 1 reply; 6+ messages in thread
From: Alexander Demenshin @ 2003-05-03 23:45 UTC (permalink / raw)
To: netfilter
On Sun, May 04, 2003 at 01:29:18AM +0200, Cedric Blancher wrote:
> I agree it's quite unusual to see DHCP stuff within a hosting
> infrastructure.
It depends. Some ISPs use DHCP to assign IP addresses to customers'
servers.
Regards,
/Al
* Re: strange log
2003-05-03 23:45 ` Alexander Demenshin
@ 2003-05-04 0:10 ` Cedric Blancher
2003-05-04 0:35 ` Alexander Demenshin
0 siblings, 1 reply; 6+ messages in thread
From: Cedric Blancher @ 2003-05-04 0:10 UTC (permalink / raw)
To: Alexander Demenshin; +Cc: netfilter
On Sun 04/05/2003 at 01:45, Alexander Demenshin wrote:
> It depends. Some ISPs use DHCP to assign IP addresses to customers'
> servers.
DHCP is a very weak system from a security point of view, that can easily
lead to DoS and traffic redirection. A customer server compromise could
be a serious threat for other servers...
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: strange log
2003-05-04 0:10 ` Cedric Blancher
@ 2003-05-04 0:35 ` Alexander Demenshin
0 siblings, 0 replies; 6+ messages in thread
From: Alexander Demenshin @ 2003-05-04 0:35 UTC (permalink / raw)
To: netfilter
On Sun, May 04, 2003 at 02:10:24AM +0200, Cedric Blancher wrote:
> DHCP is a very weak system from a security point of view, that can easily
> lead to DoS and traffic redirection.
When you have a few hundred servers, there is no better way to
assign/change IPs. And even without DHCP, there are a lot of ways
for traffic redirection (ARP poisoning and so on).
> A customer server compromise could be a serious threat for other servers...
When server is not managed, or when attacker is inside of hosting segment
- perhaps. But when attacker is outside - there is no way to compromise
the host through DHCP. If it is compromised by other means - DHCP is not the
cause, so? :)
Even MAC filtering is weak - modern NICs may have any MAC, it is configurable.
No system is secure - unless it is plugged off and burned out. And even then...
but this is another story :)
Regards,
/Al
* strange log
@ 2004-04-22 6:50 Emilio Casbas
0 siblings, 0 replies; 6+ messages in thread
From: Emilio Casbas @ 2004-04-22 6:50 UTC (permalink / raw)
To: netfilter
Hi,
We've seen in the firewall's log of transparent proxy this message from
different IPs repeatedly:
Apr 21 21:28:55 moria kernel: TCP: Treason uncloaked! Peer
external_ip/80 shrinks window 1466359669:1466360884. Repaired.
We've been googling, but we don't know if it is an attack or a bad negotiation.
Any suggestion?
Thanks
Emilio C.