Security Incidents mailing list archives

RE: Odd entries in my Security Router logs

From: "Andrews, Jonathan (US - Hermitage)" <joandrews () deloitte com>
Date: Tue, 10 Dec 2002 11:17:54 -0600

192.168.0.0/16 is a privately addressed netblock.  These packets could not
be routed over the Internet.  Do you NAT at your edge router and were these
traces obtained from the "internal" interface of your router?

If so, this would have to be something on your internal network broadcasting
this traffic.




Jonathan Andrews, CISSP CCSA
Sr. Information Security Analyst
Network Security Group
Deloitte & Touche







-----Original Message-----
From: Julian Young [mailto:julian.young () nl compuware com]
Sent: Monday, December 09, 2002 3:38 AM
To: incidents () securityfocus com
Subject: Odd entries in my Security Router logs


I keep seeing these entry in my external routers log files.  Does any
one recognize theme and know what type of attack they are. ok is
obviously something to do with DHCP.   but i recently had  a firewall 
compromised  and i still don't know how.  since that wall had dhcp open
I wounder if this could have been the trick. 

I has left the ip number as they are since none of them belong to me or
in any range i use ! 

#   Time        Packet Information                             
Reason            Action
  1|Dec  8 02 |From:192.168.7.249   To:192.168.255.254 |match          
|block  
   | 09:37:12 |UDP     src port:00068 dest port:00067  |service deny   
|      
  2|Dec  8 02 |From:192.168.8.250   To:192.168.255.254 |match          
|block  
   | 09:37:12 |UDP     src port:00068 dest port:00067  |service deny   
|      
  3|Dec  8 02 |From:192.168.7.249   To:192.168.255.254 |match          
|block  
   | 15:45:32 |UDP     src port:00068 dest port:00067  |service deny   
|      




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
- This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law.  -
If you are not the intended recipient, you should delete this message and
are hereby notified that any disclosure, copying, or distribution of this
message, or the taking of any action based on it, is strictly prohibited.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: Odd entries in my Security Router logs Jim Terry (Dec 11)
- RE: Odd entries in my Security Router logs Julian Young (Dec 11)
- <Possible follow-ups>
- RE: Odd entries in my Security Router logs Andrews, Jonathan (US - Hermitage) (Dec 11)
  - RE: Odd entries in my Security Router logs Julian Young (Dec 11)
  - Re: Odd entries in my Security Router logs Michael Sierchio (Dec 11)
    - RE: Odd entries in my Security Router logs David Gillett (Dec 11)
    - Re: Odd entries in my Security Router logs Valdis . Kletnieks (Dec 12)
    - Re: Odd entries in my Security Router logs Valdis . Kletnieks (Dec 12)
  - Re: Odd entries in my Security Router logs James C. Slora Jr. (Dec 11)
    - Re: Odd entries in my Security Router logs HggdH (Dec 12)