[Wylug-discuss] Another firewall problem
Peter Bingham
p.m.bingham at leeds.ac.uk
Thu Sep 27 13:55:32 BST 2007
A quick look at the port names listed shows this to be bootp/dhcp
requests (from a quick google which found
http://www.linklogger.com/UDP67_68.htm )
I don't know how your ISP organizes things; mine uses 10.x.x.x subnets
between the endpoint and the internet for some reason; you may be seeing
another machine in the area requesting an address as it's done via
broadcast (and not getting one, hence the repeats).
-----Original Message-----
From: wylug-discuss-bounces at wylug.org.uk
[mailto:wylug-discuss-bounces at wylug.org.uk] On Behalf Of Roger Beaumont
Sent: 27 September 2007 12:42
To: wylug-discuss at wylug.org.uk
Subject: [Wylug-discuss] Another firewall problem
Back to my firewall problems...
My previous problem now seems fixed, but the shorewall log is still
filling up the available (RAM-)disk space at a rate of knots.
A few seconds' sample is:
----------------------------------------
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP
SPT=67 DPT=68 LEN=418
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=329 TOS=00 PREC=0x00 TTL=255 ID=1884 PROTO=UDP
SPT=67 DPT=68 LEN=309
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=338 TOS=00 PREC=0x00 TTL=255 ID=1889 PROTO=UDP
SPT=67 DPT=68 LEN=318
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=1931 PROTO=UDP
SPT=67 DPT=68 LEN=308
----------------------------------------
Due to the recent problems, I stored a copy of the shorewall log (that
was what gave me the clue that the IANA table was a problem) a couple of
days ago which includes:
----------------------------------------
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=57512 PROTO=UDP
SPT=67
DPT=68 LEN=308
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57515 PROTO=UDP
SPT=67
DPT=68 LEN=337
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57525 PROTO=UDP
SPT=67
DPT=68 LEN=337
Sep 25 14:44:00 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.3.161
DST=77.97.171.44 LEN=64 TOS=00 PREC=0x00 TTL=53 ID=40796 DF PROTO=TCP
SPT=51320 DPT=80 SEQ=2926628468 ACK=0 WINDOW=65535 SYN URGP=0 Sep 25
14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP
SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0 Sep 25
14:44:12 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47222 DF PROTO=TCP
SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0 Sep 25
14:44:22 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.20.225
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=15009 DF PROTO=TCP
SPT=32870 DPT=80 SEQ=3994764391 ACK=0 WINDOW=5840 SYN URGP=0 Sep 25
14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=59392 PROTO=UDP
SPT=67
DPT=68 LEN=308
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59395 PROTO=UDP
SPT=67
DPT=68 LEN=337
Sep 25 14:46:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59398 PROTO=UDP
SPT=67
DPT=68 LEN=337
Sep 25 14:46:55 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.22.235
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=1209 DF PROTO=TCP
SPT=44327 DPT=80 SEQ=4153290561 ACK=0 WINDOW=5840 SYN URGP=0
----------------------------------------
The last such entry in that file was at 15:09:26, but it continues with
the other stuff until Sep 26 00:08:53 - so it seems to me there was a
break in the attack for at least 9 hours.
Previously, when I've noticed that /var/logs had filled up, I've
rebooted the firewall, but I've noticed that the firewall Disk Status
report says:
----------------------------------------
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 6144 3364 2780 55% /
tmpfs 258376 1184 257192 0% /tmp
tmpfs 2048 928 1120 45% /var/log
----------------------------------------
so this time I've moved shorewall.log.0 to /tmp to preserve the record.
While I've been typing, that's changed to
----------------------------------------
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 6144 3368 2776 55% /
tmpfs 258376 1184 257192 0% /tmp
tmpfs 2048 1076 972 53% /var/log
----------------------------------------
I've discovered that RFC1918 says:
----------------------------------------
3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private
internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
----------------------------------------
so think I understand that the "SRC=10.153.192.1" field in those records
indicates a spoofed IP - it should only be valid inside a private net
and
shouldn't come over the Internet.
Questions:
1. Am I right that "IN=eth0" indicates the traffic is from outside?
2. Is my understanding that I am being attacked using a spoofed IP
number
correct?
3. Is this more than a nuisance; is the attack dangerous?
4. Apart from clearing the /var/log directory so there is space for
current
entries, is there anything else I should, or shouldn't be doing?
Thanks in advance,
Roger
PS A final glance at what's accumulated since I started this mail
showed:
----------------------------------------
Sep 27 11:44:36 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=24473 PROTO=UDP
SPT=67 DPT=68 LEN=418
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22
DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP
SPT=53 DPT=12580 LEN=133
Sep 27 11:44:39 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=24567 PROTO=UDP
SPT=67 DPT=68 LEN=308
Sep 27 11:44:40 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21
DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=53016 DF PROTO=UDP
SPT=53 DPT=34035 LEN=133
Sep 27 11:44:42 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21
DST=77.97.171.44 LEN=229 TOS=00 PREC=0x00 TTL=247 ID=53485 DF PROTO=UDP
SPT=53 DPT=47024 LEN=209
Sep 27 11:44:44 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=339 TOS=00 PREC=0x00 TTL=255 ID=24615 PROTO=UDP
SPT=67 DPT=68 LEN=319
----------------------------------------
with "SRC=10.1.3.22" and "SRC=10.1.3.21" starting to appear as well as
the
overwhelming proportion of "SRC=10.153.192.1" entries. Is that
significant?
R
_______________________________________________
Wylug-discuss mailing list
Wylug-discuss at wylug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/wylug-discuss
More information about the Wylug-discuss
mailing list