On Friday 10 March 2006 00:27, Simon Knight wrote:
> I also requested Telstra look into the 172.20.18.55 port 67 issue I have
> logged similar packet counts with IPCOP 1.4.10 over the duration others
> here have seen i.e. the last few months at least and after 4 emails
> and 11 days with no response this is the reply I received today, it
> seems to be an interesting way of attempting to explain what's going
> on? :-) but I don't quite believe it myself.
Neither do I. Their excuse is just that, i.e. an uninformed guess that
might sound right to a technically illiterate clientele.
Further comments in the text below.
> Discussion Thread
>
> My firewall has been logging for some time a significant number of
> packets unrelated to either my paradise.Net connection or my internal
> network. The packets appear to be coming from a private address range
> 172.20.18.55 port 67 (Bootps) internal to telstra as a traceroute would
> indicate below. At the rate they are being received approx 10,000 per
> day I am concerned that this is adding to my usage unfairly. Can you
> please confirm if this matter is being investigated and/or if a
> resolution is forthcoming.
>
> traceroute to 172.20.18.55 (172.20.18.55), 30 hops max, 40 byte packets
> 1 192.168.0.254 (192.168.0.254) 0.741 ms 0.346 ms 0.359 ms
> 2 218.101.61.98 (218.101.61.98) 8.599 ms 8.293 ms 9.421 ms
> 3 218.101.61.74 (218.101.61.74) 10.547 ms 11.634 ms 11.453 ms
> 4 218.101.61.69 (218.101.61.69) 26.326 ms 23.321 ms 26.118 ms
> 5 jcore2-ge-0-2-0-927-acld.auckland.clix.net.nz (218.101.61.14) 23.840 ms 24.353 ms 22.732 ms
> 6 ge-0-2-0-1.xcore1.acld.telstraclear.net (203.98.50.251) 23.266 ms 22.775 ms 22.288 ms
>
> 01:40:06 INPUT eth1 UDP 172.20.18.55 67(BOOTPS) 00:03:e3:21:61:41 255.255.255.255 68(BOOTPC)
> 01:45:00 INPUT eth1 UDP 172.20.18.55 67(BOOTPS) 00:03:e3:21:61:41 255.255.255.255 68(BOOTPC)
> 01:47:46 INPUT eth1 UDP 172.20.18.55 67(BOOTPS) 00:03:e3:21:61:41 255.255.255.255 68(BOOTPC)
> 01:47:52 INPUT eth1 UDP 172.20.18.55 67(BOOTPS) 00:03:e3:21:61:41 255.255.255.255 68(BOOTPC)
>
> Response (Helpdesk)
> Thank you for contacting us.
>
> After investigating this on your behalf I have discovered that the
> packets come from our Customer Help modem interface which we use for
> diagnostics and troubleshooting. I think that in the time that you
> checked the packets, one of our technicians was pinging your internal IP
> address from here;
No! The above is incorrect, because firstly the universal broadcast address
(255.255.255.255) is being used as the target for the attempt to connect
to a BOOTP server. Thus _EVERY_ computer on the network is receiving these
packets. Secondly the traffic is BOOTP, not ICMP which is what ping uses.
For example here is the extract from my log for today:-
From 172.20.18.55 - 5301 packets
To 255.255.255.255 - 5301 packets
Service: bootpc (udp/68) (INPUT,eth1,none) - 5301 packets
I have log records for this traffic which show the activity since 26
December last. It has been reported as going on for at least 6 months.
While it is good to know that this traffic is not being charged for, it
_is_ using up a small fraction of network bandwidth overall. This degrades
the overall performance somewhat. What is more concerning is that
TelstraClear have not provided a satisfactory explanation as to the source
of, or reason for, the packets. Thus one comes to the logical conclusion
that they simply do not know what the source is. Whilst this traffic does
not really concern me personally because it is dropped by my separate
firewall, it does concern me for the sake of others less technically
sophisticated, because it appears to indicate a machine which is searching
for an unprotected port. OK, that is what BOOTP does, but if this
particular host was correctly installed it would have found its boot
information, booted itself, and been on its merry way doing what it's
supposed to be doing, but it hasn't, has it?
Thus one comes to the inescapable conclusion that this traffic is nefarious
in some way.
A responsible network operator would have either provided an informed and
reasonable explanation as to the reason for this traffic, or found the
source of these suspicious packets, disconnected it, and prosecuted the
perpetrator who installed the cracking tool, hopefully both. After all it
has been months since this traffic started.
> as this is internal traffic you will not be charged for this.
>
> Should you need any further assistance, or if this does not solve your
> query, please let us know.
It does not solve the problem. The packets are still being transmitted.
> Kind Regards,
> Ruth
>
> --
> Simon Knight
>
> > > I have to admit - I sat for about five minutes last night staring at
> > > the orange Activity light on my cable modem.
> > >
> > > Not once in that ~5 mins did it go off for even a blink.
>
> Well something has changed in the last couple days.
>
> My Activity light is now blinking, rather than being solid-on for as
> long as I watch it.
>
> Anyone know anything more?
I noticed that too. I think one problem has probably been corrected, but
the BOOTP traffic is still going on.
Come on Paradise and TelstraClear!
Why have you been dragging your feet on this issue?
What's the problem?
It's just not good enough you know, we pay a premium to have what was
marketed as a secure and superior service, yet find ourselves locked into
a system apparently run by a mob of totally incompetent bumpkins.
Now, pull finger, and FIX IT!
Anybody know a competent ISP?
They've screwed up my account too.
I have paid for the modem ever since I joined, yet T/C are charging an
extra $30 this month.
--
CS
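
The check made in the reply above (UDP 67 to 68 sent to 255.255.255.255 is BOOTP broadcast traffic, not ICMP ping) and its per-source packet summary, as an added example that is not part of the original message. The field layout is assumed from the quoted log excerpt; the function names, the `eth1` WAN default, and the TCP and kernel sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout: time chain iface proto src sport(name) src_mac dst dport(name)
LINE_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) (?P<chain>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+)(?:\(\w+\))? (?P<mac>[0-9a-f:]{17}) "
    r"(?P<dst>[\d.]+) (?P<dport>\d+)(?:\(\w+\))?$"
)
RFC1918 = list(map(ipaddress.ip_network, ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")))

def classify(rec, wan_iface="eth1"):
    """Return the observations that apply to one parsed log record."""
    notes = []
    if rec["proto"] == "UDP" and (rec["sport"], rec["dport"]) == ("67", "68"):
        notes.append("bootp-to-client")  # BOOTP/DHCP ports; ping would be ICMP
    if rec["dst"] == "255.255.255.255":
        notes.append("limited-broadcast")  # delivered to every host on the segment
    src = ipaddress.ip_address(rec["src"])
    if rec["iface"] == wan_iface and any(src in net for net in RFC1918):
        notes.append("rfc1918-source-on-wan")
    return notes

def summarize(lines, wan_iface="eth1"):
    """Count packets per (src, dst, dport, notes); return unparsed lines too."""
    counts, skipped = Counter(), []
    for line in lines:
        m = LINE_RE.match(" ".join(line.split()))
        if m is None:
            skipped.append(line)
            continue
        notes = tuple(classify(m.groupdict(), wan_iface))
        counts[(m["src"], m["dst"], m["dport"], notes)] += 1
    return counts, skipped

# Constructed sample in the thread's log format (TCP and kernel lines are made up).
SAMPLE = """\
01:40:06 INPUT eth1 UDP 172.20.18.55 67(BOOTPS) 00:03:e3:21:61:41 255.255.255.255 68(BOOTPC)
01:45:00 INPUT eth1 UDP 172.20.18.55 67(BOOTPS) 00:03:e3:21:61:41 255.255.255.255 68(BOOTPC)
01:50:12 INPUT eth1 TCP 198.51.100.7 40112 00:11:22:33:44:55 203.0.113.9 22(SSH)
kernel: unrelated message
""".splitlines()

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE)
    for (src, dst, dport, notes), n in counts.most_common():
        print(n, src, "->", f"{dst}:{dport}", ", ".join(notes) or "-")
    print("unparsed lines:", len(skipped))
```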