
Hi guys,

While looking at my /var/log/messages, I came across this line which caught my eye:

May 14 11:01:27 my-host.my.domain kernel: LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20868 DF PRO<7>BANDWIDTH_OUT:IN=eth1 OUT=eth0 SRC=10.230.0.63 DST=10.230.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=51910 PROTO=UDP SPT=137 DPT=137 LEN=58

Interface eth1 is towards my LAN while eth0 is my external interface (facing the internet). The reason that this line caught my eye is that I have no hosts in the 10.230.0.0 subnet. So I am wondering what this means. The IP subnet masks for both interfaces are 255.255.255.252, allowing for only two hosts per interface's subnet. What could this IP address be for?

Me.

@Simon, that's someone who is IP-spoofing your network with reserved numbers. On your firewall, set up a rule to block all reserved subnets because these are not routable. I'm out of here, that was my final response to the list for a while. Thank you all. :-)

On Fri, May 14, 2010 at 12:54 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi guys,
While looking at my /var/log/messages, I came across this line which caught my eye: May 14 11:01:27 my-host.my.domain kernel: LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20868 DF PRO<7>BANDWIDTH_OUT:IN=eth1 OUT=eth0 SRC=10.230.0.63 DST=10.230.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=51910 PROTO=UDP SPT=137 DPT=137 LEN=58

On Fri, May 14, 2010 at 1:40 PM, aki <aki275@googlemail.com> wrote:
@Simon, that's someone who is IP-spoofing your network with reserved numbers. On your firewall, set up a rule to block all reserved subnets because these are not routable.
I'm out of here, that was my final response to the list for a while. Thank you all. :-)
Even from the grave, Aki, you cannot afford to miss the list for a month :) And you always chip in at the needed moment. Leave this hibernation politics alone!!!

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

@Simon, in case you are wondering how I picked up the IP spoof quickly, I ran into such a situation a few years ago and it took me some hours to figure out what was happening, including setting up a packet analysis. Since then, if I ever set up a network, all reserved subnets on the public WAN are blocked. @Wash, okay, point taken. :-) I just wanted to let others on the list contribute because there was a recent stage where listers were not okay with the content discussed. But I always try and catch up on mails that need attention. Sorry I did not respond to your subnet question, but others had already responded well.

On Fri, May 14, 2010 at 2:53 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
Even from the grave, Aki, you cannot afford to miss the list for a month :) And you always chip in at the needed moment. Leave this hibernation politics alone!!! --

Hi aki,

The interesting thing is that the spoofing computer appears to be in my LAN because it's accessing the firewall through the internal interface. I did a packet sniff using Wireshark on "ip.src == 10.230.0.63" and got the ethernet address, then did another scan with the expression "ethernet.src == wh.at.i.got" and I got different LAN IP addresses... do I have a botnet or what?? The ethernet address is for a 3Com device. I have 3Com switches in my LAN. But 3Com switches aren't configured with IP addresses etc... unless 3Com themselves hardwired the configurations onto the devices... Anyway, my investigations continue on Monday. Let me know what you think.

Me.

On 14 May 2010 20:38, aki <aki275@googlemail.com> wrote:
@Simon, in case you are wondering how I picked up the IP spoof quickly, I ran into such a situation a few years ago and it took me some hours to figure out what was happening, including setting up a packet analysis. Since then, if I ever set up a network, all reserved subnets on the public WAN are blocked.
@Wash, okay, point taken. :-) I just wanted to let others on the list contribute because there was a recent stage where listers were not okay with the content discussed. But I always try and catch up on mails that need attention. Sorry I did not respond to your subnet question, but others had already responded well.
On Fri, May 14, 2010 at 2:53 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
Even from the grave, Aki, you cannot afford to miss the list for a month :) And you always chip in at the needed moment. Leave this hibernation politics alone!!! --
Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Server donations spreadsheet
http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f... ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
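Simon's two-step Wireshark procedure above (filter on the rogue source IP, read off the MAC, then filter on that MAC to see every IP it speaks with) is the right way to pin the box down; the display-filter field Wireshark actually accepts is eth.src rather than ethernet.src. As an added example that is not part of the thread, the script below runs the same correlation over a constructed list of (source MAC, source IP) pairs and also checks the reverse direction, one IP claimed by several MACs, which Simon's filters would not show. The MACs come from the IANA documentation block and the 192.168.77.0/30 LAN is a placeholder; neither is real data from the list.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of (source MAC, source IP) pairs, the two columns a capture
# gives you; MACs are IANA documentation addresses, the LAN subnet is a placeholder.
SAMPLE_PACKETS = [
    ("00:00:5E:00:53:01", "10.230.0.63"),    # the rogue source from the log line
    ("00:00:5e:00:53:01", "192.168.77.2"),   # same MAC, the legitimate LAN address
    ("00:00:5e:00:53:01", "10.230.0.70"),    # same MAC, a third address
    ("00:00:5e:00:53:02", "192.168.77.2"),   # a second MAC claiming the same LAN IP
    ("00:00:5e:00:53:03", "192.168.77.1"),   # the firewall's own LAN address
]


def correlate(packets):
    """Build MAC -> IPs and IP -> MACs from (mac, ip) pairs, normalising MAC case."""
    by_mac, by_ip = defaultdict(set), defaultdict(set)
    for mac, ip in packets:
        by_mac[mac.lower()].add(ip)
        by_ip[ip].add(mac.lower())
    return by_mac, by_ip


def findings(packets, lan):
    """Return (multi_ip_macs, contested_ips).

    multi_ip_macs: MACs that sent from several IPs or from IPs outside the LAN subnet.
    A switch management interface, a NAT router, a host that re-addressed itself and a
    spoofer all look like this, so the MAC's vendor and the switch port it sits on
    decide which it is.
    contested_ips: one IP seen behind several MACs (an address conflict or ARP trouble)."""
    lan = ip_network(lan)
    by_mac, by_ip = correlate(packets)
    multi = {}
    for mac, ips in by_mac.items():
        off = sorted(ip for ip in ips if ip_address(ip) not in lan)
        if len(ips) > 1 or off:
            multi[mac] = {"ips": sorted(ips), "off_subnet": off}
    contested = {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}
    return multi, contested


if __name__ == "__main__":
    multi, contested = findings(SAMPLE_PACKETS, "192.168.77.0/30")
    for mac, info in multi.items():
        print(f"{mac}: {info['ips']} (off-subnet: {info['off_subnet']})")
    for ip, macs in contested.items():
        print(f"{ip} claimed by {macs}")
```

To feed it a real capture instead of the constructed list, export the two columns with `tshark -r capture.pcap -T fields -e eth.src -e ip.src` and turn each line into a pair. The off-subnet list is the part that matters on a /30 LAN: any source outside the two usable addresses is either misconfigured or lying, and the MAC tells you which switch port to walk to.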

Hey Simon, I hope you know how urgent and critical your network situation is. I'd not wait until Monday. Anyway, it's up to you to understand the real risk the spoof is carrying since you manage your network. Personally, I'd already have shut down the reserved subnets as I wrote earlier. HTH.

On Fri, May 14, 2010 at 9:01 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi aki,
The interesting thing is that the spoofing computer appears to be in my LAN because it's accessing the firewall through the internal interface. I did a packet sniff using Wireshark on "ip.src == 10.230.0.63" and got the ethernet address, then did another scan with the expression "ethernet.src == wh.at.i.got" and I got different LAN IP addresses... do I have a botnet or what?? The ethernet address is for a 3Com device. I have 3Com switches in my LAN. But 3Com switches aren't configured with IP addresses etc... unless 3Com themselves hardwired the configurations onto the devices... Anyway, my investigations continue on Monday.
Let me know what you think.

I blocked them on iptables... but I'm still investigating.

On 14 May 2010 21:58, aki <aki275@googlemail.com> wrote:
Hey Simon, I hope you know how urgent and critical your network situation is. I'd not wait until Monday. Anyway, it's up to you to understand the real risk the spoof is carrying since you manage your network. Personally, I'd already have shut down the reserved subnets as I wrote earlier. HTH.
On Fri, May 14, 2010 at 9:01 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi aki,
The interesting thing is that the spoofing computer appears to be in my LAN because it's accessing the firewall through the internal interface. I did a packet sniff using Wireshark on "ip.src == 10.230.0.63" and got the ethernet address, then did another scan with the expression "ethernet.src == wh.at.i.got" and I got different LAN IP addresses... do I have a botnet or what?? The ethernet address is for a 3Com device. I have 3Com switches in my LAN. But 3Com switches aren't configured with IP addresses etc... unless 3Com themselves hardwired the configurations onto the devices... Anyway, my investigations continue on Monday.
Let me know what you think.

Glad to read that! Phew. :-) Check out the traffic that the source is generating and see its interest in your network. Then leave a small window open to it, possibly 32 bytes, enough to run a ping packet. Since your network may not be busy at night, it is easier to identify the cause. When whatever opened up your network, say the local computer/device, logs on in the morning, the spoof will become active again, but this time they cannot openly move in your network looking for shared folders or weak passwords due to the byte limit. That gives you enough time to fix the situation, but I cannot stress enough that your network is in a critical state, so anything that is pending patches or updates is a target. Good luck.

On Fri, May 14, 2010 at 10:00 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
I blocked them on iptables... but I'm still investigating.
On 14 May 2010 21:58, aki <aki275@googlemail.com> wrote:
Hey Simon, I hope you know how urgent and critical your network situation is. I'd not wait until Monday. Anyway, it's up to you to understand the real risk the spoof is carrying since you manage your network. Personally, I'd already have shut down the reserved subnets as I wrote earlier. HTH.

Were the packets originating from within your local network, or was it a case of packets from outside masquerading using reserved addresses?

On 14 May 2010 22:28, aki <aki275@googlemail.com> wrote:
Glad to read that! Phew. :-) Check out the traffic that the source is generating and see its interest in your network. Then leave a small window open to it, possibly 32 bytes, enough to run a ping packet. Since your network may not be busy at night, it is easier to identify the cause. When whatever opened up your network, say the local computer/device, logs on in the morning, the spoof will become active again, but this time they cannot openly move in your network looking for shared folders or weak passwords due to the byte limit. That gives you enough time to fix the situation, but I cannot stress enough that your network is in a critical state, so anything that is pending patches or updates is a target. Good luck.
On Fri, May 14, 2010 at 10:00 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
I blocked them on iptables... but I'm still investigating.
On 14 May 2010 21:58, aki <aki275@googlemail.com> wrote:
Hey Simon, I hope you know how urgent and critical your network situation is. I'd not wait until Monday. Anyway, it's up to you to understand the real risk the spoof is carrying since you manage your network. Personally, I'd already have shut down the reserved subnets as I wrote earlier. HTH.
participants (3)
- aki
- Odhiambo Washington
- Simon Mbuthia