Security Incidents mailing list archives

Re: Strange Happenings @Home


From: woods () WEIRD COM (Greg A. Woods)
Date: Fri, 2 Jun 2000 01:18:08 -0400


[ On Thursday, June 1, 2000 at 17:56:24 (-0400), Chris Wilson wrote: ]
Subject: Re: Strange Happenings @Home

> The bootp stuff is typically other @Home users getting their IP addresses
> via DHCP.  Your firewall blocks and logs because the DHCP requests are sent
> to the subnet's broadcast address, forcing your firewall to process them.

Yes, this is quite likely if you're on one of the bridge-style modems
that allow you to see broadcast traffic on your local subnet.

If you're on a Terayon modem or similar though you won't see this
traffic (and indeed you cannot see any traffic that is not destined
directly to your IP address).  Rogers @Home in Toronto is now starting
to deploy Terayon's modems and they are really nice and quiet!  ;-)

> The high-numbered port hits could be scans for backdoor trojans; sometimes
> doing a web search for the port number reveals a lesser-known backdoor
> program.

Yup, though usually the destination port number is one of the netbios-*
services.

> For the 192.168.x.x addresses, try doing a traceroute to them to see if it's
> just an internal subnet in the @Home intranet (likely, assuming you can get
> a route to them).

A lot of that is also a result of backdoor trojans working from hosts
with RFC1918 addresses....

It would be really cool if we could convince @Home to filter RFC1918
addresses not only at their network borders, but also at all ingress
points from customers too (eg. on all head-end routers/gateways!).

The LanCity cable modems can do lots of neat-o filtering, but the
Terayon cannot unfortunately.

> I see a lot of all of the above in my Linux firewall logs on my Roadrunner
> cable modem account at home, except the nonroutable addresses are typically
> 10.0.x.x (and appear to be internal Roadrunner network devices).

Yes, this is also quite often the case on @Home's various networks.  The
Rogers network in Toronto also uses 10.x.x.x for various routers.

This may be a very good argument to convince @Home that they should be
filtering all RFC1918 addresses (except as necessary to implement
internal routing hops, of course) -- it will ensure that their routers
are just that much more secure!

Of course routers using RFC1918 addresses for point-to-point links
on a public network should really never ever be generating ICMP
responses that have private source addresses -- each device should also
have a proper public address for such purposes.....

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
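The reply above sorts cable-modem firewall noise into three buckets: neighbours' DHCP/bootp broadcasts, netbios and high-port probes, and packets sourced from RFC1918 space that the provider should have dropped at ingress. The classifier below, added here as an example and not code from the original thread, applies those heuristics to a few constructed ipchains-style log lines; the addresses, ports and log text are made-up samples, not real captures.

```python
import ipaddress
import re
from collections import Counter

# Constructed ipchains-style log lines (Linux 2.2 era), not real log data.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 24.112.5.7:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=128 (#5)
Packet log: input DENY eth0 PROTO=6 24.112.9.20:1063 24.112.5.9:139 L=48 S=0x00 I=5112 F=0x4000 T=128 (#7)
Packet log: input DENY eth0 PROTO=6 24.200.3.4:2123 24.112.5.9:5555 L=48 S=0x00 I=9011 F=0x4000 T=116 (#7)
Packet log: input DENY eth0 PROTO=6 192.168.1.50:3711 24.112.5.9:139 L=48 S=0x00 I=4470 F=0x4000 T=128 (#7)
Packet log: input DENY eth0 PROTO=1 10.0.20.1:11 24.112.5.9:0 L=56 S=0x00 I=0 F=0x0000 T=250 (#2)
"""

LINE_RE = re.compile(
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137, 138, 139}  # netbios-ns, netbios-dgm, netbios-ssn

def is_rfc1918(addr):
    """True if the dotted-quad string lies in one of the three RFC1918 blocks."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def classify(line):
    """Return (category, reason) for one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, src, dport = int(m["proto"]), m["src"], int(m["dport"])
    # bootp/DHCP (UDP 67/68): on a bridge-style modem the subnet's broadcast requests reach you
    if proto == 17 and dport in (67, 68):
        return ("dhcp-broadcast", "neighbour's DHCP traffic on the shared subnet")
    # RFC1918 sources should be dropped at provider ingress; for ICMP the "port" is the ICMP type
    if is_rfc1918(src):
        kind = "icmp type %s" % m["sport"] if proto == 1 else "packet"
        return ("rfc1918-source", "%s from private address %s on a public link" % (kind, src))
    if proto == 6 and dport in NETBIOS_PORTS:
        return ("netbios-probe", "TCP probe of netbios port %d" % dport)
    if proto == 6 and dport >= 1024:
        return ("high-port-probe", "possible backdoor/trojan scan on port %d" % dport)
    return ("other", "no heuristic matched")

def summarize(log_text):
    """Count categories across all parsable lines of a log."""
    return Counter(c[0] for c in map(classify, log_text.splitlines()) if c)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(summarize(SAMPLE_LOG))
```

A private source address is checked before the port heuristics because, as the thread notes, the trojan scans often come from RFC1918 hosts, and the ingress-filtering gap is the more useful thing to report to the provider.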


