Subject: Re: IP fw-in deny spam in logs
From: Erich Meier (Erich.MeierINFORMATIK.UNI-ERLANGEN.DE)
Date: Thu Apr 13 2000 - 05:08:24 CDT


On Tue, Apr 11, 2000 at 05:56:02PM -0700, Jason Baker wrote:
> I'm trying to track this down, see if it's actually somebody trying to spoof
> the localhost interface remotely, or something else running internally
> (bootpc and bootps are both turned off on the server).
>
> Basically, I get this spewed into the logfiles... I'll get a bunch, 8
> seconds apart, then nothing for a few minutes, then another clump.
>
> Apr 11 04:04:42 HostnameRemoved kernel: IP fw-in deny eth0 UDP 127.0.0.1:68
> +255.255.255.255:67 L=276 S=0x00 I=60857 F=0x0000 T=128
>
> I'd assume this is coming from these stock rules in the debian netbase:
>
> # deny incoming packets pretending to be from 127.0.0.1
> ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
> 2>/dev/null || true
> ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
> 2>/dev/null || true
> ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
> >/dev/null
> ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
> >/dev/null

This smells like a simple DHCP or BOOTP request. It comes from localhost port
bootp client (68) and goes to local broadcast port bootp server (67).

Erich

--
Erich Meier                              Erich.Meierinformatik.uni-erlangen.de
                                 http://www4.informatik.uni-erlangen.de/~meier/
 Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."
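As an added example (not part of this thread, and not code from either poster), the following Python script parses ipfwadm-style "IP fw-in deny" kernel log lines like the one quoted above, rejoins lines a mailer wrapped onto a "+" continuation line, tells apart entries that match the 127.0.0.0/8 anti-spoof rule from entries that look like a BOOTP/DHCP client broadcast (UDP port 68 to port 67), and measures the spacing between consecutive hits so a burst "8 seconds apart" can be seen in the data rather than by eye. The sample log lines, the hostname and the 192.0.2.10 address are constructed for the example; the reading of the trailing fields (L= packet length, S= TOS, I= IP id, F= fragment word, T= TTL) is an assumption about the log format, not something the thread states.

```python
"""Parse ipfwadm-style 'IP fw-in deny' kernel log lines and explain the matches."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# TCP/UDP form of the log line quoted in the thread. The trailing fields are
# read as L= IP packet length, S= TOS byte, I= IP id, F= fragment flags/offset,
# T= TTL (this reading is an assumption made by this example).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP fw-(?P<direction>in|out|fwd) (?P<action>\w+) (?P<iface>\S+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")   # what the netbase rules deny on ethX
BOOTP_CLIENT, BOOTP_SERVER = 68, 67               # bootpc / bootps UDP ports

# Constructed sample: the first entry is wrapped the way the mail shows it,
# the next two are the same kind of packet 8 seconds apart, the fourth is a
# TCP packet with a loopback source that is NOT a BOOTP request, and the last
# line is unrelated kernel noise that the parser must ignore.
SAMPLE_LOG = [
    "Apr 11 04:04:42 HostnameRemoved kernel: IP fw-in deny eth0 UDP 127.0.0.1:68",
    "+255.255.255.255:67 L=276 S=0x00 I=60857 F=0x0000 T=128",
    "Apr 11 04:04:50 HostnameRemoved kernel: IP fw-in deny eth0 UDP 127.0.0.1:68 "
    "255.255.255.255:67 L=276 S=0x00 I=60858 F=0x0000 T=128",
    "Apr 11 04:04:58 HostnameRemoved kernel: IP fw-in deny eth0 UDP 127.0.0.1:68 "
    "255.255.255.255:67 L=276 S=0x00 I=60859 F=0x0000 T=128",
    "Apr 11 04:05:03 HostnameRemoved kernel: IP fw-in deny eth0 TCP 127.0.0.1:40000 "
    "192.0.2.10:25 L=60 S=0x00 I=7 F=0x0000 T=64",
    "Apr 11 04:05:10 HostnameRemoved kernel: eth0: link up",
]


def unwrap(lines: List[str]) -> List[str]:
    """Rejoin log lines that a mailer wrapped onto a '+' continuation line."""
    joined: List[str] = []
    for line in lines:
        if line.startswith("+") and joined:
            joined[-1] += " " + line[1:]      # the wrap swallowed the separating space
        else:
            joined.append(line)
    return joined


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict of the line's fields, or None if it is not a firewall log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "length", "ipid", "ttl"):
        d[key] = int(d[key])
    d["tos"] = int(d["tos"], 16)
    d["frag"] = int(d["frag"], 16)
    d["time"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return d


def parse_log(lines: List[str]) -> List[Dict]:
    return [e for e in (parse_line(l) for l in unwrap(lines)) if e]


@dataclass
class Verdict:
    spoofed_loopback: bool   # would be hit by "deny -S 127.0.0.0/8 -W ethX" on input
    bootp_request: bool      # UDP 68 -> 67, i.e. a BOOTP/DHCP client broadcast
    summary: str


def classify(e: Dict) -> Verdict:
    src = ipaddress.ip_address(e["src"])
    spoof_rule = src in LOOPBACK and e["iface"] != "lo" and e["direction"] == "in"
    bootp = (e["proto"] == "UDP" and e["sport"] == BOOTP_CLIENT
             and e["dport"] == BOOTP_SERVER)
    if bootp and spoof_rule:
        summary = ("matches the 127.0.0.0/8 anti-spoof rule, but UDP 68 -> 67 to the "
                   "broadcast address is the shape of a BOOTP/DHCP client request")
    elif spoof_rule:
        summary = "loopback source on a non-loopback interface with no BOOTP signature"
    elif bootp:
        summary = "ordinary BOOTP/DHCP client broadcast"
    else:
        summary = "no loopback or BOOTP signature"
    return Verdict(spoof_rule, bootp, summary)


def intervals(entries: List[Dict]) -> List[int]:
    """Seconds between consecutive entries, to expose the clumping the poster saw."""
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(entries, entries[1:])]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in parsed:
        v = classify(entry)
        print(f"{entry['ts']} {entry['proto']} {entry['src']}:{entry['sport']} -> "
              f"{entry['dst']}:{entry['dport']}: {v.summary}")
    print("seconds between hits:", intervals(parsed))
```

Run against a real log, the interesting output is the split between entries that carry the 68 -> 67 signature and those that carry only a loopback source: the former point at a BOOTP/DHCP client on or near the host, which is the explanation given in the reply, while the latter would deserve a closer look.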