netfilter.vger.kernel.org archive mirror
* Log flooded with these...
@ 2008-10-19 15:18 Simon
  2008-10-19 15:53 ` Simon
  2008-10-19 16:48 ` Simon
  0 siblings, 2 replies; 6+ messages in thread
From: Simon @ 2008-10-19 15:18 UTC (permalink / raw)
  To: Mail List - Netfilter

Hello,

I'm not sure what's going on here, but I came in today and my log is
being flooded with these... about once per second, I get 2 or 3 of the
following:

Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=46967
PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250
DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=55784
PROTO=UDP SPT=67 DPT=68 LEN=327
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=128 ID=46968
PROTO=UDP SPT=68 DPT=67 LEN=340

The only things that I can see that change are the date/times (of
course) and the ID= value.

192.168.1.250 is the only windows domain controller (DHCP, DNS and file
services)...

For a long time, I've seen things like this in the logs - in fact I even
asked about it here once a few months ago, but got busy and didn't
follow up on 'fixing' it - but it was never just continuous like this...

First question is, is this anything to be concerned about?

If not, how can I silence these in my logs?

TIA for any help/suggestions - Simon...

Output of iptables-save follows:

# Generated by iptables-save v1.3.8 on Sat Oct 18 16:11:52 2008
*raw
:PREROUTING ACCEPT [222633286:130337506706]
:OUTPUT ACCEPT [186475744:266358392165]
COMMIT
# Completed on Sat Oct 18 16:11:52 2008
# Generated by iptables-save v1.3.8 on Sat Oct 18 16:11:52 2008
*nat
:PREROUTING ACCEPT [3310784:561609823]
:POSTROUTING ACCEPT [289167:19127565]
:OUTPUT ACCEPT [300907:21670186]
COMMIT
# Completed on Sat Oct 18 16:11:52 2008
# Generated by iptables-save v1.3.8 on Sat Oct 18 16:11:52 2008
*mangle
:PREROUTING ACCEPT [621778831:356231181731]
:INPUT ACCEPT [621741184:356222148032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [510767123:743977057165]
:POSTROUTING ACCEPT [510654750:743968032926]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Sat Oct 18 16:11:52 2008
# Generated by iptables-save v1.3.8 on Sat Oct 18 16:11:52 2008
*filter
:INPUT DROP [1492298:264275398]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21460:2536934]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
-A INPUT -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7
COMMIT
# Completed on Sat Oct 18 16:11:52 2008


* Re: Log flooded with these...
  2008-10-19 15:18 Log flooded with these Simon
@ 2008-10-19 15:53 ` Simon
       [not found]   ` <78e398b30810190903i610b64e3l56fa51402e607cc6@mail.gmail.com>
  2008-10-19 16:48 ` Simon
  1 sibling, 1 reply; 6+ messages in thread
From: Simon @ 2008-10-19 15:53 UTC (permalink / raw)
  To: Mail List - Netfilter

On 10/19/2008 11:18 AM, Simon wrote:
> Hello,
> 
> I'm not sure whats going on here, but I came in today and my log is
> being flooded with these... about once per second, I get 2 or 3 of the
> following:

Ok, reviewing the logs to see when these started, it was right at 3:00pm
yesterday (Saturday), and less than a minute after the hourly cron job
ran - up until then, the logs looked completely normal:

Oct 18 15:00:01 myhost cron[22911]: (root) CMD (rm -f
/var/spool/cron/lastrun/cron.hourly)
Oct 18 15:00:01 myhost cron[22912]: (root) CMD (test -x
/usr/sbin/run-crons && /usr/sbin/run-crons )
Oct 18 15:00:51 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:2f:36:c6:4c:08:00 SRC=192.168.1.47 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=18229 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 18 15:01:38 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=351 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 18 15:01:38 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250 DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=12140 PROTO=UDP SPT=67 DPT=68 LEN=327
Oct 18 15:01:38 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=128 ID=352 PROTO=UDP SPT=68 DPT=67 LEN=340

I have installed a few updates recently, but not iptables...

There was an update available for it - has been for a while - so I went
ahead and updated it, but the problem persists... I also tried updating
the kernel (there's been an update available for it for a while too) and
rebooted, but again, the problem remains...

Everything else on this server seems fine (mail, web)...

Is the domain controller actually doing something it shouldn't? It seems
to be fine, nothing unusual in the logs for it...

Besides - it is just way too suspicious that this started exactly at
3:00pm, and immediately following the hourly cron job...

Anyone have any ideas?


* Re: Log flooded with these...
       [not found]   ` <78e398b30810190903i610b64e3l56fa51402e607cc6@mail.gmail.com>
@ 2008-10-19 16:42     ` Simon
  0 siblings, 0 replies; 6+ messages in thread
From: Simon @ 2008-10-19 16:42 UTC (permalink / raw)
  To: Doc Nielsen; +Cc: Netfilter list

On 10/19/2008 12:03 PM, Doc Nielsen wrote:
> SPT=68 DPT=67 = DHCP
> 
> did you allow dhcp client/server requests and responses in the
> firewall?

Hey Doc,

Thanks for taking a look...

This is a well-established network, no major/unusual changes prior to
these entries showing up in the log, especially to firewall rules.

> do you have a running dhcp server/client?

The domain controller is the DHCP/DNS server, running Windows Server
2000. The linux server running iptables that has this logging issue has
a static IP, and is not (obviously) running a DHCP server or client.

> what kind of firewall are you using, as frontend for iptables?

I'm not using a 'front-end' - this is a gentoo linux box that serves a
mail and web server, which I also run iptables on for obvious reasons.
It has been running for over 3 years, is kept updated regularly (though
not obsessively so), and survived all of the ensuing major updates to date.

The only things I updated that day - but it was a few hours before this
started - were libpcre and udev...

Any other ideas?


* Re: Log flooded with these...
  2008-10-19 15:18 Log flooded with these Simon
  2008-10-19 15:53 ` Simon
@ 2008-10-19 16:48 ` Simon
  2008-10-19 18:27   ` Simon
  2008-10-20  6:22   ` Robert Nichols
  1 sibling, 2 replies; 6+ messages in thread
From: Simon @ 2008-10-19 16:48 UTC (permalink / raw)
  To: Mail List - Netfilter

On 10/19/2008, Simon (tanstaafl@libertytrek.org) wrote:
> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=46967
> PROTO=UDP SPT=68 DPT=67 LEN=308
> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250
> DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=55784
> PROTO=UDP SPT=67 DPT=68 LEN=327
> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=128 ID=46968
> PROTO=UDP SPT=68 DPT=67 LEN=340

Help! I'm not an iptables guy... at a minimum, is there a way to just
tell iptables to stop logging these (silently drop)? I'll continue to
troubleshoot, if there is a problem, but this is making my logs
virtually (not totally, but almost) useless...

Also, I guess it would be good to have the reverse command handy - how
to turn this off and on, so I can test if the problem persists...

Thanks


* Re: Log flooded with these...
  2008-10-19 16:48 ` Simon
@ 2008-10-19 18:27   ` Simon
  2008-10-20  6:22   ` Robert Nichols
  1 sibling, 0 replies; 6+ messages in thread
From: Simon @ 2008-10-19 18:27 UTC (permalink / raw)
  To: Mail List - Netfilter

Ok... whew... found the problem...

I was way too focused on the fact of when these started (right after the
cron job), and was assuming it was a problem on the linux box...

Turned out to be 3 problem entries on the (windows) dhcp server (don't
ask - it's not my call)...

Deleted/recreated these, and the flood has stopped...

I would still like to review my rules though, and make a few
modifications so that the windows stuff gets silently dropped...


* Re: Log flooded with these...
  2008-10-19 16:48 ` Simon
  2008-10-19 18:27   ` Simon
@ 2008-10-20  6:22   ` Robert Nichols
  1 sibling, 0 replies; 6+ messages in thread
From: Robert Nichols @ 2008-10-20  6:22 UTC (permalink / raw)
  To: netfilter

Simon wrote:
> On 10/19/2008, Simon (tanstaafl@libertytrek.org) wrote:
>> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
>> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=46967
>> PROTO=UDP SPT=68 DPT=67 LEN=308
>> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250
>> DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=55784
>> PROTO=UDP SPT=67 DPT=68 LEN=327
>> Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0
>> DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=128 ID=46968
>> PROTO=UDP SPT=68 DPT=67 LEN=340
> 
> Help! I'm not an iptables guy... at a minimum, is there a way to just
> tell iptables to stop logging these (silently drop)? I'll continue to
> troubleshoot, if there is a problem, but this is making my logs
> virtually (not totally, but almost) useless...
> 
> Also, I guess it would be good to have the reverse command handy - how
> to turn this off and on, so I can test if the problem persists...

All of those groups of 3 packets look like normal DHCP broadcast packets
by machines that do not yet have an IP address assigned.  Looking at the
above packets, the first is probably a DHCPDISCOVER sent from MAC address
00:1c:c0:69:16:89 (a device made by Intel, Malaysia), the second would
be the DHCPOFFER sent by your Windows domain controller at IP address
192.168.1.250 and relayed through a Linksys router with MAC address
00:04:5a:8f:d6:11, and the third a DHCPREQUEST sent from the same
device that sent the first packet.

It all looks normal apart from the sudden increase in frequency.  Are
machines on your network having trouble getting an IP address assigned
from your domain controller?  Note that these are NOT lease renewals --
renewals do not use broadcast packets.

You can filter these out of the log quite easily by adding a
"--dst ! 255.255.255.255" matcher to the LOG rule so that broadcast
packets do not get logged.

-A INPUT --dst ! 255.255.255.255 -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7


-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.


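The triage Robert walks through above (read the ports, split the MAC= field, recognise the broadcast exchange), as an added example that is not code from any post in this thread. It parses the default kernel LOG line format shown in the posts, splits MAC= into destination MAC, source MAC and ethertype, classifies UDP 68-to-67 and 67-to-68 packets sent to 255.255.255.255 as DHCP client or server broadcasts, counts them per client MAC and server IP, and returns every other drop untouched for review. The embedded log lines are constructed: the three DHCP lines copy the format of the ones posted, and the TCP SYN to port 23 is made up so that a drop worth seeing sits beside the noise. `would_be_logged` models the LOG rule after the suggested destination exclusion is added; all function and variable names are this example's own.

```python
"""Triage iptables LOG lines: separate DHCP broadcast noise from real drops.

Added example for this thread; not code from any post in it. Assumes the
default kernel LOG line format shown in the thread (key=value fields, with
MAC= holding dst MAC, src MAC and ethertype as 14 colon-separated octets).
"""
import re
from collections import Counter

# Constructed sample: the first three lines copy the format of the DHCP
# broadcasts posted in the thread; the fourth is a made-up inbound TCP SYN
# to port 23 so that a drop worth seeing sits beside the noise.
SAMPLE_LOG = """\
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=46967 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:5a:8f:d6:11:08:00 SRC=192.168.1.250 DST=255.255.255.255 LEN=347 TOS=0x00 PREC=0x00 TTL=128 ID=55784 PROTO=UDP SPT=67 DPT=68 LEN=327
Oct 19 11:10:33 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:69:16:89:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=128 ID=46968 PROTO=UDP SPT=68 DPT=67 LEN=340
Oct 19 11:10:34 myhost IPTABLES-IN Default Drop: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prefix>.+?): (?P<fields>IN=.*)$')


def parse_log_line(line):
    """Parse one kernel LOG line into a dict, or return None for other lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = {'ts': m['ts'], 'host': m['host'], 'prefix': m['prefix'], 'flags': []}
    for tok in m['fields'].split():
        if '=' not in tok:
            rec['flags'].append(tok)        # bare TCP flag words such as SYN, ACK
            continue
        key, val = tok.split('=', 1)
        if key == 'LEN' and 'LEN' in rec:
            key = 'L4LEN'                   # second LEN= is the UDP/TCP length
        rec[key] = val
    octets = rec.get('MAC', '').split(':')
    if len(octets) == 14:                   # dst(6) + src(6) + ethertype(2)
        rec['dst_mac'] = ':'.join(octets[:6])
        rec['src_mac'] = ':'.join(octets[6:12])
        rec['ethertype'] = ''.join(octets[12:])   # '0800' is IPv4
    return rec


def dhcp_role(rec):
    """'client' for UDP 68->67, 'server' for UDP 67->68, else None."""
    if rec.get('PROTO') != 'UDP':
        return None
    ports = (rec.get('SPT'), rec.get('DPT'))
    if ports == ('68', '67'):
        return 'client'
    if ports == ('67', '68'):
        return 'server'
    return None


def is_dhcp_broadcast(rec):
    """True for DISCOVER/OFFER/REQUEST style traffic like that in the thread:
    DHCP ports plus the limited-broadcast destination. Lease renewals are
    unicast and so never match here."""
    return dhcp_role(rec) is not None and rec.get('DST') == '255.255.255.255'


def would_be_logged(rec):
    """Model the LOG rule after adding a '! -d 255.255.255.255' match:
    anything sent to the limited-broadcast address is no longer logged."""
    return rec.get('DST') != '255.255.255.255'


def triage(log_text):
    """Count DHCP broadcasts per client MAC and per server IP; return every
    other parsed LOG record so it can be reviewed on its own."""
    clients, servers, other = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if not is_dhcp_broadcast(rec):
            other.append(rec)
        elif dhcp_role(rec) == 'client':
            clients[rec.get('src_mac', rec['MAC'])] += 1   # client has no IP yet
        else:
            servers[rec['SRC']] += 1
    return {'dhcp_clients': clients, 'dhcp_servers': servers, 'other': other}


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    for mac, n in summary['dhcp_clients'].most_common():
        print(f'DHCP client {mac}: {n} broadcast(s)')
    for ip, n in summary['dhcp_servers'].most_common():
        print(f'DHCP server {ip}: {n} broadcast(s)')
    for rec in summary['other']:
        print('review:', rec['ts'], rec.get('SRC'), '->', rec.get('DST'),
              rec.get('PROTO'), rec.get('DPT'), ' '.join(rec['flags']))
```

Two caveats on the rule itself. Excluding everything sent to 255.255.255.255 hides all broadcast drops, not just DHCP; a narrower match such as `-p udp --dport 67:68 -d 255.255.255.255` keeps other broadcast traffic visible. And LOG is a non-terminating target, so a silent drop needs its own DROP rule inserted before the LOG rule (`iptables -I INPUT <n> ... -j DROP`), which `iptables -D INPUT` with the same match removes again when the logging is wanted back for testing. Note too that in the ruleset posted above the ACCEPT rules for ports 587 and 873 sit after the LOG rule, so new connections to those ports are logged as "Default Drop" and then accepted anyway; moving them above the LOG rule removes that noise as well.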
