
Paranoid of BootP Attack?



I am running pf on a 3.5 OBSD box and the following traffic appears in my pflog when I run
tcpdump -n -e -ttt -i pflog0

Should I be concerned with this traffic?  It appears to be just (bootp), but the network
I connect to from the ISP is the 131.194.X.X network.  I am a bit confused by this traffic,
and when I talked with the ISP they said "I am not sure about that but it appears now
and then".  I am not excited to hear that they don't know what's going on.  Any
assistance would be great.

Note: I am blocking this traffic, but I have not set up any pf rules for denying packets
from unroutable networks.  I don't know if I need that or not, as I am denying by default.
I see it as somewhat redundant; however, I am open to your suggestions.


P.S. I googled for bootp attack and found a couple of articles, but I am unaware of how to
know exactly if this is an attack or just chatter.


Feb 14 06:40:48.885379 rule 0/0(match): block in on rl0: 10.101.0.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Feb 14 06:40:50.981481 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x5c76374 flags:0x8000 Y:10.101.23.248 [|bootp]
Feb 14 06:40:51.076631 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x5c76374 flags:0x8000 Y:10.101.23.248 [|bootp]
Feb 14 06:40:55.502241 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x4e153fc6 flags:0x8000 Y:131.191.28.136 [|bootp]
Feb 14 06:41:03.211895 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0xf32b02dd flags:0x8000 Y:10.101.5.97 [|bootp]
Feb 14 06:41:26.372377 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x73b2685d flags:0x8000 Y:10.101.25.88 [|bootp]
Feb 14 06:41:28.946461 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x73b2685d flags:0x8000 Y:10.101.25.88 [|bootp]
Feb 14 06:41:48.967954 rule 0/0(match): block in on rl0: 10.101.0.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Feb 14 06:42:37.039153 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0xba11aa80 flags:0x8000 Y:131.191.28.196 [|bootp]
Feb 14 06:42:37.049955 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0xba11aa80 flags:0x8000 Y:131.191.28.196 [|bootp]
Feb 14 06:42:49.003766 rule 0/0(match): block in on rl0: 10.101.0.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Feb 14 07:18:58.076130 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x36989e35 flags:0x8000 Y:131.191.28.196 [|bootp]
Feb 14 07:19:24.677356 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x88443322 flags:0x8000 C:131.191.59.61 Y:131.191.59.61 [|bootp]
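Added example (not part of the original post, and not OpenBSD's or tcpdump's code): a small Python parser for pflog lines in the shape shown above that classifies each record and pulls the BOOTP/DHCP fields tcpdump prints. The decode it relies on is standard DHCP: source port 67 to destination port 68 at 255.255.255.255 is a server reply, flags 0x8000 is the client's "please broadcast the answer" bit, Y: is the address being assigned and C: the client's current address. The summary shows what a defender would check before calling such traffic an attack: is every reply from the one expected server, and do any of the assigned addresses belong to this host? The sample lines are constructed from the post's output, re-joined onto single lines; the host address and the expected-server list passed to the functions are assumptions, not values from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few pflog/tcpdump lines in the shape shown in the post,
# one record per line (the mail client had wrapped the originals).
SAMPLE_PFLOG = """\
Feb 14 06:40:48.885379 rule 0/0(match): block in on rl0: 10.101.0.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
Feb 14 06:40:50.981481 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x5c76374 flags:0x8000 Y:10.101.23.248 [|bootp]
Feb 14 06:40:51.076631 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x5c76374 flags:0x8000 Y:10.101.23.248 [|bootp]
Feb 14 06:40:55.502241 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x4e153fc6 flags:0x8000 Y:131.191.28.136 [|bootp]
Feb 14 07:19:24.677356 rule 0/0(match): block in on rl0: 10.101.0.1.67 > 255.255.255.255.68:  xid:0x88443322 flags:0x8000 C:131.191.59.61 Y:131.191.59.61 [|bootp]
"""

# "Mon DD HH:MM:SS.us rule N/M(match): ACTION DIR on IFC: SRC > DST: decode..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\S+): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifc>\w+): (?P<src>\S+) > (?P<dst>\S+): +(?P<rest>.*)$"
)
# tcpdump's abbreviated bootp decode: xid, flags, optional C:(ciaddr), Y:(yiaddr)
BOOTP_RE = re.compile(
    r"xid:(?P<xid>0x[0-9a-f]+) flags:(?P<flags>0x[0-9a-f]+)"
    r"(?: C:(?P<ciaddr>\S+))? Y:(?P<yiaddr>\S+)"
)

@dataclass
class PflogRecord:
    ts: str
    action: str
    direction: str
    ifc: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    rest: str

def split_host_port(token: str):
    """tcpdump prints 'a.b.c.d.port' for UDP/TCP and plain 'a.b.c.d' otherwise."""
    parts = token.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_pflog(text: str):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a decode shape this parser does not handle; skip it
        src_ip, src_port = split_host_port(m["src"])
        dst_ip, dst_port = split_host_port(m["dst"])
        records.append(PflogRecord(m["ts"], m["action"], m["dir"], m["ifc"],
                                   src_ip, src_port, dst_ip, dst_port, m["rest"]))
    return records

def classify(rec: PflogRecord) -> str:
    """Name the traffic kind from ports and tcpdump's decode."""
    if rec.rest.startswith("igmp query"):
        return "igmp-query"            # router asking who is in which multicast group
    if rec.src_port == 67 and rec.dst_port == 68 and "[|bootp]" in rec.rest:
        return "dhcp-server-reply"     # server port 67 -> client port 68
    if rec.src_port == 68 and rec.dst_port == 67:
        return "dhcp-client-request"
    return "other"

def dhcp_reply_fields(rec: PflogRecord):
    m = BOOTP_RE.search(rec.rest)
    if not m:
        return None
    return {"xid": m["xid"],
            "broadcast": int(m["flags"], 16) & 0x8000 != 0,  # client asked for broadcast
            "ciaddr": m["ciaddr"], "yiaddr": m["yiaddr"]}

def summarize(records, my_ip: str):
    """Counts per kind, which hosts act as DHCP servers, what they hand out,
    and how many replies name my_ip (an assumed value) as the client."""
    kinds = Counter(classify(r) for r in records)
    servers, leases, for_me = set(), set(), 0
    for r in records:
        if classify(r) != "dhcp-server-reply":
            continue
        f = dhcp_reply_fields(r)
        if f is None:
            continue
        servers.add(r.src_ip)
        leases.add(f["yiaddr"])
        if my_ip in (f["yiaddr"], f["ciaddr"]):
            for_me += 1
    return {"kinds": dict(kinds), "dhcp_servers": sorted(servers),
            "leases_seen": sorted(leases), "replies_for_my_ip": for_me}

def unexpected_dhcp_servers(records, expected):
    """Detection check: any host other than the expected server(s) answering on port 67."""
    seen = {r.src_ip for r in records if classify(r) == "dhcp-server-reply"}
    return sorted(seen - set(expected))

if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    # "131.194.0.10" is a placeholder for this host's own address, not from the post
    print(summarize(recs, "131.194.0.10"))
    print("unexpected servers:", unexpected_dhcp_servers(recs, ["10.101.0.1"]))
```

On the sample, every reply comes from the single address 10.101.0.1, none of the Y: addresses is the local host's, and the repeated xid values are the same transaction seen twice, which is the pattern of an ISP's DHCP server answering other customers on a shared segment. The `unexpected_dhcp_servers` check is the one worth keeping around: a second source address answering on port 67, or a reply naming your own address from a server you do not recognize, is what would turn this from chatter into something to investigate.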


