
#1 2009-03-10 03:39:14

windowbreaker
Member
Registered: 2008-06-18
Posts: 46

How are broadcast IP packets reaching my inet interface?

I was inspecting my iptables log, and noticed a large number of packets with a broadcast destination IP address (255.255.255.255). Here is a sample log entry:

Mar  9 20:21:10 router kernel: INPUT_OUTSIDE_DROP: IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:5e:3b:6b:81:08:00 SRC=172.16.4.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=12382 PROTO=UDP SPT=67 DPT=68 LEN=313

These were dropped of course, but how do they get past routers and to my external NIC? Are routers not supposed to block broadcast packets such as these?

My current theory is that these packets are originating at one of my ISP's other clients utilizing the same router as me.  That black-hatter is specifying a broadcast MAC address and spoofing his IP hoping to get past a non-stateful firewall with a simple ruleset.

However, I'm curious as to what type of packet crafting can get this packet to route from the Internet all the way to my NIC. If any network gurus can enlighten me as to how these packets are reaching my NIC I'd appreciate it.


#2 2009-03-10 17:44:41

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: How are broadcast IP packets reaching my inet interface?

> Are routers not supposed to block broadcast packets such as these?

"Supposed" is the keyword here.


1000


#3 2009-03-10 22:24:48

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: How are broadcast IP packets reaching my inet interface?

Is your LAN in the 172.16.4.x range?


#4 2009-03-11 05:30:32

windowbreaker
Member
Registered: 2008-06-18
Posts: 46

Re: How are broadcast IP packets reaching my inet interface?

fukawi2 wrote:

> Is your LAN in the 172.16.4.x range?

Nope.  But the fact that the source address is a private LAN address is what makes me suspect that it's spoofed.  That and the broadcast MAC address in the packet.  This does not appear to be a packet a router would forward, leading me to believe that it's coming from someone behind the same ISP router which I am sitting behind. 

But I'm curious as to others' opinions as to how this packet could be reaching my NIC.


#5 2009-03-11 06:59:42

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: How are broadcast IP packets reaching my inet interface?

that looks like a dhcp server discovery-reply packet. src port 68, dest port 67, to the broadcast ip.

if you are on a cable modem network (docsis), you will see a lot of broadcast traffic from your local loop. Mostly from misconfigured devices, or from a computer that was on a private network but then plugged into the router (sending out dhcp discovery packets to try and renew an ip). It could also be someone who plugged in their linksys backwards (lulz) with their modem in bridge mode or something.

Last edited by cactus (2009-03-11 07:05:41)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

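Added example, not part of any post in this thread: a small triage script that reads iptables LOG lines like the one in post #1 and tags link-layer broadcast, limited broadcast, RFC 1918 sources and DHCP direction (in that entry SPT=67 and DPT=68, the server-to-client direction). The second and third sample lines are constructed for contrast, and the tag names are hypothetical.

```python
import ipaddress
import re

# First line is the log entry from post #1; the other two are constructed for contrast.
SAMPLE_LOG = """\
Mar  9 20:21:10 router kernel: INPUT_OUTSIDE_DROP: IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:5e:3b:6b:81:08:00 SRC=172.16.4.1 DST=255.255.255.255 LEN=333 TOS=0x00 PREC=0x00 TTL=255 ID=12382 PROTO=UDP SPT=67 DPT=68 LEN=313
Mar  9 20:21:12 router kernel: INPUT_OUTSIDE_DROP: IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  9 20:21:15 router kernel: INPUT_OUTSIDE_DROP: IN=eth2 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:66:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 SYN
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCP_DIRECTION = {("67", "68"): "dhcp-server-to-client", ("68", "67"): "dhcp-client-to-server"}


def classify(line):
    """Return source MAC, source IP and a list of tags for one iptables LOG line, or None."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    # On Ethernet, MAC= is destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes).
    mac = fields.get("MAC", "").split(":")
    dst_mac, src_mac = ":".join(mac[:6]), ":".join(mac[6:12])
    tags = []
    if dst_mac == "ff:ff:ff:ff:ff:ff":
        # Link-layer headers are rewritten at every router hop, so the sender is on this segment.
        tags.append("l2-broadcast")
    if fields["DST"] == "255.255.255.255":
        tags.append("limited-broadcast")
    if any(ipaddress.ip_address(fields["SRC"]) in net for net in RFC1918):
        tags.append("rfc1918-src")
    if fields.get("PROTO") == "UDP":
        direction = DHCP_DIRECTION.get((fields.get("SPT"), fields.get("DPT")))
        if direction:
            tags.append(direction)
    return {"src_mac": src_mac, "src": fields["SRC"], "tags": tags}


def analyze(log_text):
    """Classify every parseable line of a log excerpt."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]


if __name__ == "__main__":
    for result in analyze(SAMPLE_LOG):
        print(result["src"], result["src_mac"], ",".join(result["tags"]) or "-")
```

Grouping the output by `src_mac` shows how many distinct devices on the shared segment are emitting this traffic.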

#6 2009-03-11 13:59:41

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: How are broadcast IP packets reaching my inet interface?

my router (d1-624) under tools -> misc has settings for discarding ping, multicast, and other random wan-side broadcasts (kind of like iptables i think), so there's probably a setting you need to change on your router.


"I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here:
Why oh why didn't I take the BLUE pill?"

