[Wylug-discuss] Another firewall problem

Peter Bingham p.m.bingham at leeds.ac.uk
Thu Sep 27 13:55:32 BST 2007

A quick look at the port names listed shows this to be bootp/dhcp
requests (from a quick google which found
http://www.linklogger.com/UDP67_68.htm )

I don't know how your ISP organizes things; mine uses 10.x.x.x subnets
between the endpoint and the internet for some reason; you may be seeing
another machine in the area requesting an address as it's done via
broadcast (and not getting one, hence the repeats).

-----Original Message-----
From: wylug-discuss-bounces at wylug.org.uk
[mailto:wylug-discuss-bounces at wylug.org.uk] On Behalf Of Roger Beaumont
Sent: 27 September 2007 12:42
To: wylug-discuss at wylug.org.uk
Subject: [Wylug-discuss] Another firewall problem

Back to my firewall problems...

My previous problem now seems fixed, but the shorewall log is still
filling up the available (RAM-)disk space at a rate of knots.

A few seconds' sample is:
----------------------------------------
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP
SPT=67 DPT=68 LEN=418
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=329 TOS=00 PREC=0x00 TTL=255 ID=1884 PROTO=UDP
SPT=67 DPT=68 LEN=309
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=338 TOS=00 PREC=0x00 TTL=255 ID=1889 PROTO=UDP
SPT=67 DPT=68 LEN=318
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1
DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=1931 PROTO=UDP
SPT=67 DPT=68 LEN=308
----------------------------------------

Due to the recent problems, I stored a copy of the shorewall log (that
was what gave me the clue that the IANA table was a problem) a couple of
days ago which includes:

----------------------------------------
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=57512 PROTO=UDP
SPT=67 DPT=68 LEN=308
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57515 PROTO=UDP
SPT=67 DPT=68 LEN=337
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57525 PROTO=UDP
SPT=67 DPT=68 LEN=337
Sep 25 14:44:00 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.3.161
DST=77.97.171.44 LEN=64 TOS=00 PREC=0x00 TTL=53 ID=40796 DF PROTO=TCP
SPT=51320 DPT=80 SEQ=2926628468 ACK=0 WINDOW=65535 SYN URGP=0
Sep 25 14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP
SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:44:12 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47222 DF PROTO=TCP
SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:44:22 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.20.225
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=15009 DF PROTO=TCP
SPT=32870 DPT=80 SEQ=3994764391 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=59392 PROTO=UDP
SPT=67 DPT=68 LEN=308
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59395 PROTO=UDP
SPT=67 DPT=68 LEN=337
Sep 25 14:46:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59398 PROTO=UDP
SPT=67 DPT=68 LEN=337
Sep 25 14:46:55 pheonix Shorewall:man1918:DROP: IN=eth0 OUT=
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.22.235
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=1209 DF PROTO=TCP
SPT=44327 DPT=80 SEQ=4153290561 ACK=0 WINDOW=5840 SYN URGP=0
----------------------------------------
The last such entry in that file was at 15:09:26, but it continues with
the other stuff until Sep 26 00:08:53 - so it seems to me there was a
break in the attack for at least 9 hours.


Previously, when I've noticed that /var/logs had filled up, I've
rebooted the firewall, but I've noticed that the firewall Disk Status
report says:
----------------------------------------
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 6144      3364      2780  55% /
tmpfs                   258376      1184    257192   0% /tmp
tmpfs                     2048       928      1120  45% /var/log
----------------------------------------
so this time I've moved shorewall.log.0 to /tmp to preserve the record.
While I've been typing, that's changed to
----------------------------------------
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 6144      3368      2776  55% /
tmpfs                   258376      1184    257192   0% /tmp
tmpfs                     2048      1076       972  53% /var/log
----------------------------------------


I've discovered that RFC1918 says:
----------------------------------------
3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private
internets:

      10.0.0.0        -   10.255.255.255  (10/8 prefix)
      172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
      192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
----------------------------------------
so I think I understand that the "SRC=10.153.192.1" field in those records
indicates a spoofed IP - it should only be valid inside a private net and
shouldn't come over the Internet.

Questions:
1. Am I right that "IN=eth0" indicates the traffic is from outside?
2. Is my understanding that I am being attacked using a spoofed IP
number correct?
3. Is this more than a nuisance; is the attack dangerous?
4. Apart from clearing the /var/log directory so there is space for
current entries, is there anything else I should, or shouldn't be doing?

Thanks in advance,

Roger

PS  A final glance at what's accumulated since I started this mail
showed:
----------------------------------------
Sep 27 11:44:36 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=24473 PROTO=UDP 
SPT=67 DPT=68 LEN=418
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22 
DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP 
SPT=53 DPT=12580 LEN=133
Sep 27 11:44:39 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=24567 PROTO=UDP 
SPT=67 DPT=68 LEN=308
Sep 27 11:44:40 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21 
DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=53016 DF PROTO=UDP 
SPT=53 DPT=34035 LEN=133
Sep 27 11:44:42 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21 
DST=77.97.171.44 LEN=229 TOS=00 PREC=0x00 TTL=247 ID=53485 DF PROTO=UDP 
SPT=53 DPT=47024 LEN=209
Sep 27 11:44:44 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=339 TOS=00 PREC=0x00 TTL=255 ID=24615 PROTO=UDP 
SPT=67 DPT=68 LEN=319
----------------------------------------
with "SRC=10.1.3.22" and "SRC=10.1.3.21" starting to appear as well as the
overwhelming proportion of "SRC=10.153.192.1" entries.  Is that
significant?

R
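As an added example (not code from either poster), a small Python triage script that parses the Shorewall/netfilter log format quoted above and labels each drop the way Peter's reply reasons about it: UDP from server port 67 to client port 68 sent to the broadcast address is a DHCP reply for some other host on the ISP segment, while any other RFC1918 source arriving on eth0 is counted separately; the sample lines are constructed from values in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the Shorewall log format quoted in the thread (values taken from the posts).
SAMPLE_LOG = """\
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP SPT=67 DPT=68 LEN=418
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=338 TOS=00 PREC=0x00 TTL=255 ID=1889 PROTO=UDP SPT=67 DPT=68 LEN=318
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22 DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP SPT=53 DPT=12580 LEN=133
Sep 25 14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>\w+): (?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict of its key=value fields; bare flags (DF, SYN) map to ""."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for tok in rec.pop("fields").split():
        key, _, val = tok.partition("=")
        rec.setdefault(key, val)  # LEN occurs twice; keep the first (IP total length)
    return rec


def classify(rec):
    """Label a dropped packet using the reasoning from the thread."""
    dhcp_reply = (rec.get("PROTO") == "UDP" and rec.get("SPT") == "67"
                  and rec.get("DPT") == "68")
    if dhcp_reply and rec.get("DST") == "255.255.255.255":
        # Server port 67 -> client port 68 to the broadcast address: a DHCP
        # offer/ack meant for another host on the ISP segment, noise not attack.
        return "dhcp-broadcast"
    if rec.get("IN") == "eth0" and ip_address(rec["SRC"]).is_private:
        # Private source on the external interface: ISP-internal addressing
        # or a spoofed source; worth counting rather than logging per packet.
        return "rfc1918-on-wan"
    if rec.get("PROTO") == "TCP" and "SYN" in rec:
        return "inbound-syn"
    return "other"


def summarise(text):
    """Count drops per class and per source so the log's bulk can be attributed."""
    by_class, by_src = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_class[classify(rec)] += 1
            by_src[rec["SRC"]] += 1
    return by_class, by_src
```

Run `summarise(open("/var/log/shorewall.log").read())` on the real file to see which class and which source account for the growth; a reply-only DHCP chatter class is a candidate for a rule that drops without logging.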
