[Nottingham] iptables log analysis
Andy Brown
nottingham at mailman.lug.org.uk
Thu Sep 18 17:09:00 2003
On Thu, 18 Sep 2003, Duncan John Fyfe wrote:
>* Q1:
>Which side of the cable modem, NTL side or my side, do the flashing lights indicate traffic on ?
>I had always assumed it was the NTL side.
Might depend on the cable modem. On mine (old 3Com thing) there's an
activity light for both.
>(before being DROP'd).
>
>The first rule :
>
> $IPTABLES -A INPUT -p udp -j LOG --log-level error --log-prefix " IPT: INP udp "
>
>Catches anything I haven't explicitly dealt with before dropping it and is forever logging:
>
>Sep 18 07:04:12 dragon kernel: IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53124 PROTO=UDP SPT=67 DPT=68 LEN=308
>Sep 18 07:04:12 dragon kernel: IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53127 PROTO=UDP SPT=67 DPT=68 LEN=308
>
>These arrive in pairs every 2-3 minutes. The IP address is always the same (10.145.167.254) and it is always DST=255.255.255.255.
>I'm assuming from the ports that this is aimed at the eth0 dhcp client.
>The IP address is private and 'similar' to that of my cable modem (10.145.*.*) but not even close to that
>of either my cable modem (213.*.*.*), ntl dhcp server (62.243.0.*) or anything else for that matter.
>
>'dig -x 10.145.167.254' (from within NTL) sends me straight to jail (10.in-addr-arpa. blah blah SOA prisoner.iana.org)
>so no help there.
Ports 67/68 are to do with bootp and dhcp, yes.
NTL use the 10.0.0.0/8 numbers for UBRs/DHCP servers, so that's
probably what it is.
>
>* Q3:
>Either I'm being pinged a lot by random people (1763 uniq IP
>addresses in 2972 messages, mostly originating within ntl) or my
It's got so bad I'm just rejecting icmp 8 without logging, as it was
swamping my logs.
I /think/ it's one of the windows worms looking for machines, as it
started up round about blaster time.
--
Andy Brown
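As an added example (not part of the thread or of anyone's posted code), a small Python parser for the kernel LOG lines quoted above that labels the 10.x DHCP server broadcasts as provider traffic and counts distinct ICMP echo-request sources, the two figures the thread is really asking about. The two UDP lines are the ones quoted in the post; the ICMP line, its addresses and its MAC are constructed for the sample.

```python
import ipaddress
import re
from collections import Counter

# Two UDP lines quoted in the post plus one constructed ICMP line in the same format.
SAMPLE_LOG = """\
Sep 18 07:04:12 dragon kernel: IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53124 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:04:12 dragon kernel: IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53127 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:05:01 dragon kernel: IPT: INP icmp IN=eth0 OUT= MAC=00:05:74:f7:28:54:00:00:5e:00:53:01:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_ipt_line(line):
    """Split a kernel LOG line into KEY=VALUE fields. LEN and ID repeat (IP header
    value first, then UDP length / ICMP id); the repeat is kept as KEY_2."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key + "_2" if key in fields else key] = value
    return fields

def classify(fields):
    """Label a packet the way the thread ends up reading these entries."""
    proto = fields.get("PROTO")
    if (proto == "UDP" and fields.get("SPT") == "67" and fields.get("DPT") == "68"
            and fields.get("DST") == "255.255.255.255"):
        # DHCP server-to-client broadcast; from 10/8 that is the provider's own
        # DHCP/UBR kit announcing leases, not a remote host probing the box.
        private = ipaddress.ip_address(fields["SRC"]).is_private
        return "dhcp-server-broadcast" + ("-private" if private else "")
    if proto == "ICMP" and fields.get("TYPE") == "8":
        return "icmp-echo-request"
    return "other"

def summarise(log_text):
    """Count labels and distinct echo-request sources (the '1763 uniq IP' figure)."""
    categories = Counter()
    ping_sources = set()
    for line in log_text.splitlines():
        if "IPT:" not in line:
            continue
        fields = parse_ipt_line(line)
        label = classify(fields)
        categories[label] += 1
        if label == "icmp-echo-request":
            ping_sources.add(fields["SRC"])
    return categories, sorted(ping_sources)
```

Feeding a real /var/log/messages through summarise() gives the same breakdown for a whole day of entries; the "-private" suffix is what separates the provider's DHCP kit from a genuine outside host.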