Security Incidents mailing list archives
Re: Strange Happenings @Home
From: woods () WEIRD COM (Greg A. Woods)
Date: Fri, 2 Jun 2000 01:18:08 -0400
[ On Thursday, June 1, 2000 at 17:56:24 (-0400), Chris Wilson wrote: ]
> Subject: Re: Strange Happenings @Home
>
> The bootp stuff is typically other @Home users getting their IP addresses via DHCP. Your firewall blocks and logs because the DHCP requests are sent to the subnet's broadcast address, forcing your firewall to process them.
Yes, this is quite likely if you're on one of the bridge-style modems that allow you to see broadcast traffic on your local subnet. If you're on a Terayon modem or similar though you won't see this traffic (and indeed you cannot see any traffic that is not destined directly to your IP address). Rogers @Home in Toronto is now starting to deploy Terayon's modems and they are really nice and quiet! ;-)
> The high-numbered port hits could be scans for backdoor trojans; sometimes doing a web search for the port number reveals a lesser-known backdoor program.
Yup, though usually the destination port number is one of the netbios-* services.
> For the 192.168.x.x addresses, try doing a traceroute to them to see if it's just an internal subnet in the @Home intranet (likely, assuming you can get a route to them).
A lot of that is also a result of backdoor trojans working from hosts with RFC1918 addresses.... It would be really cool if we could convince @Home to filter RFC1918 addresses not only at their network borders, but also at all ingress points from customers too (eg. on all head-end routers/gateways!). The LanCity cable modems can do lots of neat-o filtering, but the Terayon cannot unfortunately.
> I see a lot of all of the above in my Linux firewall logs on my Roadrunner cable modem account at home, except the nonroutable addresses are typically 10.0.x.x (and appear to be internal Roadrunner network devices).
Yes, this is also quite often the case on @Home's various networks. The Rogers network in Toronto also uses 10.x.x.x for various routers. This may be a very good argument to convince @Home that they should be filtering all RFC1918 addresses (except as necessary to implement internal routing hops, of course) -- it will ensure that their routers are just that much more secure! Of course routers using RFC1918 addresses for point-to-point links on a public network should really never ever be generating ICMP responses that have private source addresses -- each device should also have a proper public address for such purposes.....

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
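An added example, not part of either message in this thread, that applies the triage discussed above to firewall log lines: it tags DHCP/bootp requests sent to the broadcast address, hits on the netbios-* service ports, packets arriving with an RFC1918 source address, and ICMP responses that carry a private source. The one-line ipchains-like log format and the sample lines (documentation addresses) are constructed for this example.

```python
import ipaddress
import re

# Constructed log lines in an assumed, simplified ipchains-style format.
SAMPLE_LOG = """\
DENY udp 198.51.100.9:68 -> 255.255.255.255:67
DENY tcp 10.0.3.17:1033 -> 198.51.100.40:139
DENY tcp 192.168.1.5:2112 -> 198.51.100.40:12345
DENY udp 198.51.100.77:137 -> 198.51.100.40:137
DENY icmp 10.1.1.1:0 -> 198.51.100.40:0
DENY tcp 203.0.113.8:4421 -> 198.51.100.40:31337
"""

LINE_RE = re.compile(r"^(\w+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137, 138, 139}
DHCP_PORTS = {67, 68}
BROADCAST = "255.255.255.255"

def is_rfc1918(addr):
    """True if addr falls in one of the three RFC1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(line):
    """Return the tags that apply to one log line, in the order the thread raises them."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    action, proto, src, sport, dst, dport = m.groups()
    tags = []
    # DHCP requests to the subnet broadcast address: other customers' bootp noise.
    if proto == "udp" and int(dport) in DHCP_PORTS and dst == BROADCAST:
        tags.append("dhcp-broadcast")
    # netbios-* service ports: the usual destination of the high-numbered-port hits.
    if int(dport) in NETBIOS_PORTS:
        tags.append("netbios")
    # Private source address: should have been dropped at the provider's ingress point.
    if is_rfc1918(src):
        tags.append("rfc1918-source")
    # ICMP from a private address: a router answering from a point-to-point link address.
    if proto == "icmp" and "rfc1918-source" in tags:
        tags.append("private-icmp")
    return tags or ["other"]

def summarize(log_text):
    """Count each tag across the whole log so the noise categories can be reported apart."""
    counts = {}
    for line in log_text.splitlines():
        for tag in classify(line):
            counts[tag] = counts.get(tag, 0) + 1
    return counts
```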