Security Incidents mailing list archives

Re: Strange Happenings @Home


From: mtinberg () MADISON TEC WI US (Mark Tinberg)
Date: Thu, 1 Jun 2000 09:23:02 -0500


Well bootp is a subset of DHCP (it is the protocol DHCP is based on).  Check to see where the bootp traffic is coming
from; on my DSL line I have to allow DHCP replies from my ISP's DHCP server so that my address lease can be renewed.
The traffic on the high ports and the traffic for/from the private class-C network are almost certainly misconfigured
machines.  Unfortunately cable modems are just like 10Base2 Ethernet: they are a shared resource, so you are going to
receive internal and broadcast traffic from any improperly secured home networks connected to your cable loop.

To reduce the size of your logs, you could rotate and compress them more frequently.  If this is still a problem, it
might be wise to not log every unauthorized packet you receive.  If you are confident that you don't need the warning,
you should be able to get away with not logging traffic from the private class a-e networks, as long as you are sure
you are denying everything.

I just did a presentation on IPChains for home use for my local LUG, if you are interested it is at:

http://www.madisonlinux.org/minutes/index.html
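Before deciding which of those denies to stop logging, it helps to know what the 90MB actually contains. The following is an added example, not code from either poster: it sorts ipchains "Packet log:" syslog lines into the buckets discussed above (the ISP's own DHCP replies, other bootp chatter, RFC 1918 sources, high-port hits, everything else). The sample log lines and the addresses 192.0.2.1 (ISP DHCP server) and 192.0.2.50 (firewall) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Shape of an ipchains "Packet log:" syslog line; the SAMPLE_LOG lines below
# are constructed to match it and are not taken from the thread:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# RFC 1918 space: nothing from here can legitimately arrive over the cable loop.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 192.0.2.50 is the firewall, 192.0.2.1 the ISP's DHCP server.
SAMPLE_LOG = """\
Jun  1 01:02:03 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.1:67 192.0.2.50:68 L=328 S=0x00 I=0 F=0x0000 T=64 (#1)
Jun  1 01:02:05 fw kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.5:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=64 (#1)
Jun  1 01:02:09 fw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:137 10.255.255.255:137 L=78 S=0x00 I=0 F=0x0000 T=64 (#1)
Jun  1 01:02:11 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:27960 192.0.2.50:27960 L=60 S=0x00 I=0 F=0x0000 T=64 (#1)
Jun  1 01:02:12 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4321 192.0.2.50:23 L=60 S=0x00 I=0 F=0x0000 T=64 (#1)
Jun  1 01:02:13 fw kernel: Cleaning up
"""


def classify(line, isp_dhcp_server):
    """Category for one log line, or None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src = int(m["proto"]), ipaddress.ip_address(m["src"])
    sport, dport = int(m["sport"]), int(m["dport"])
    if proto == 17 and {sport, dport} & {67, 68}:
        # The one bootp/DHCP packet we need: a reply from our own ISP's server.
        if src == ipaddress.ip_address(isp_dhcp_server) and dport == 68:
            return "dhcp-isp-reply"
        return "bootp-other"       # a neighbour's DHCP chatter on the shared loop
    if any(src in net for net in RFC1918):
        return "private-source"    # leaked internal traffic from a misconfigured LAN
    if dport >= 1024:
        return "high-port"         # e.g. game-server browsing; noise on its own
    return "low-port"              # the remainder is what is worth keeping in the log


def summarize(log_text, isp_dhcp_server):
    """Count denied packets per category so a large log can be triaged unread."""
    return Counter(c for c in (classify(l, isp_dhcp_server) for l in log_text.splitlines()) if c)


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG, "192.0.2.1").most_common():
        print(f"{n:6d}  {category}")
```

The "dhcp-isp-reply" bucket is the traffic that needs an ACCEPT rule so the lease renews; "bootp-other" and "private-source" are the buckets Mark suggests denying without the `-l` logging flag once you trust the catch-all deny.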

Fred Hirsch <fhirsch () TSE COM> 06/01/00 01:02 AM >>>
I run a Linux IP-masqueraded firewall for a small home network from within
the @Home domain. This same system hosts my small consulting web site as well.
I recently moved from one @Home provider (Shaw-Canada) to another
(Rogers-Canada). Once I got my firewall system up and running, I was
receiving hundreds of denyable packets. Within 4 days, my firewall logs were
90MB.

While I know that networking is not my forte, I do know how to read the
packet logs, and I was led to believe that someone is either running some
badly implemented or configured software or that something harmful was
actually originating from within the subnet.

From what I can tell, many of these denied packets are on ports 67 and 68,
which according to my /etc/services is bootp. Is there a reason why someone
would run a bootp server on an @Home network? Additionally, I receive a
number of high level port hits from many anonymous IPs. Do game servers such
as Quake browse around through subnets looking for replies? Because this
seems to be the activity I am seeing. I do not see any typical ports for BO
or other Windows based subversions. Many of the IPs floating in my logs are
not in the @Home subnet which I belong to. I also see a lot of local network
IPs like 192.168.x.x trying to hit the firewall as well.

Could this be a badly configured system somewhere else on my subnet, or is
it possible that something more nefarious is going on? I can probably put up
a sample of some of the log entries as well.

Thanks for

