Unusual packet traffic

[chy at genuity.com (Chuck Young)]

Is your external interface directly connected to a cable/dsl line?  If so,
expect a lot of broadcast junk.  It's probably a newbie with "home networking"
who is not correctly configured, who is also on your segment.  Maybe speed
dictates no ingress filters at the last mile beyond the modem's NETBios ports.

More likely a client than a server from your ISP.  My $.02.

---------------
Chuck Young
Security Consulting
Genuity E-Services
--------------------

> -----Original Message-----
> From: discuss-admin at blu.org [mailto:discuss-admin at blu.org]On Behalf Of
> Bill Horne
> Sent: Saturday, January 11, 2003 3:55 PM
> To: discuss at blu.org
> Subject: Unusual packet traffic
>
>
> Hi, thanks for reading this.
>
> I just added a firewall rule that logs any attempt to spoof IP
> addresses. The rule logs any incoming traffic from RFC1918 (i.e.,
> "detached network") addresses.
>
> I got a lot of packets like this in the log today. At first glance, it
> looks like someone is trying to connect a device that's setup for
> BOOTP, but the source port is 67, not 68. The only thing I can think
> of is that it's the cable company advertising DHCP services for the
> cable modems.
>
> Opinions?
>
> Jan 11 15:18:43 billhorne kernel: IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:b0:8e:f5:10:54:08:00 SRC=10.219.216.1
> DST=255.255.255.255 LEN=360 TOS=0x00 PREC=0x00 TTL=255 ID=24721
> PROTO=UDP SPT=67 DPT=68 LEN=340
>
> Bill
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
>