I ran into this same thing a few months ago; it turned out that the source
was a misconfigured router going from the local ethernet to the token ring
WAN. The easiest way to find the culprit is to set up a filter on some
sniffing/packet logging program to read the MAC address of the packets
matching the ones below, then determine the source's address by matching all
IP packets with the MAC address in the original packets. Hope this helps
and good luck.

-HD

http://nlog.ings.com
http://www.trinux.org
http://www.opensec.net


-----Original Message-----
From: Joshua Chamas <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Sunday, May 23, 1999 3:25 PM
Subject: Odd UDP Probe - Bootstrap ?


>Hey,
>
>Got another one for y'all.  Port 67 on UDP seems to be the bootstrap
>protocol.  This was reported coming into my external firewall interface.
>
>> (1) May 22 15:22:25 router 25 deny: UDP from 0.0.0.0.1029 to 255.255.255.255.67
>> (1) May 22 15:22:27 router 25 deny: UDP from 0.0.0.0.1030 to 255.255.255.255.67
>> (1) May 22 15:22:30 router 25 deny: UDP from 0.0.0.0.1031 to 255.255.255.255.67
>> (1) May 22 15:22:32 router 25 deny: UDP from 0.0.0.0.1032 to 255.255.255.255.67
>> (1) May 22 15:22:35 router 25 deny: UDP from 0.0.0.0.1033 to 255.255.255.255.67
>
>Am I right in thinking that this might be some misconfigured client
>outside the firewall?  The thing that bugs me here is the lack
>of routable IP on the return address.
>
>I like being able to report on these kinds of things, but I wouldn't
>know where to go with this, except my upstream ISP.
>
>Thanks,
>
>Joshua
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
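
The MAC-matching procedure HD describes, as an added example that is not part of the original thread: it picks out frames shaped like the denied ones (0.0.0.0 to 255.255.255.255, UDP port 67), notes their source MAC, then lists every other source IP seen from that MAC. The function names, the MAC and IP values and the sample frames are constructed for illustration, and frames are assumed to be untagged Ethernet II carrying IPv4.

```python
import struct

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, udp_dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return None
    mac = frame[6:12].hex(":")
    ihl = (frame[14] & 0x0F) * 4                          # IP header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    dport = None
    if frame[23] == 17 and len(frame) >= 14 + ihl + 4:    # protocol 17 = UDP
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return mac, src, dst, dport

def find_bootp_sources(frames):
    """Map each MAC that sent 0.0.0.0 -> 255.255.255.255:67 to other IPs seen from it."""
    parsed = [p for p in map(parse_frame, frames) if p]
    suspects = {mac for mac, src, dst, dport in parsed
                if src == "0.0.0.0" and dst == "255.255.255.255" and dport == 67}
    seen = {mac: set() for mac in suspects}
    for mac, src, _, _ in parsed:
        # The MAC is whatever device put the frame on the sniffed segment,
        # so traffic forwarded by a router shows the router's MAC.
        if mac in suspects and src != "0.0.0.0":
            seen[mac].add(src)
    return seen

def build_frame(src_mac, src_ip, dst_ip, sport, dport):
    """Build a minimal Ethernet/IPv4/UDP frame (constructed test data, no checksums)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample capture: documentation-range MACs and IPs, not real hosts.
SAMPLE_FRAMES = [
    build_frame("00:00:5e:00:53:01", "0.0.0.0", "255.255.255.255", 1029, 67),
    build_frame("00:00:5e:00:53:01", "0.0.0.0", "255.255.255.255", 1030, 67),
    build_frame("00:00:5e:00:53:01", "192.0.2.10", "192.0.2.1", 1040, 53),
    build_frame("00:00:5e:00:53:02", "192.0.2.20", "192.0.2.1", 1050, 53),
]

if __name__ == "__main__":
    for mac, ips in find_bootp_sources(SAMPLE_FRAMES).items():
        print(mac, sorted(ips))
```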
