
Re: [cobalt-users] IP spoof? Where do I go now?



Dan,

> For the past two weeks someone using IP Address 192.168.0.1 has been
> portscanning me on various ports.
<snipped>
> Now what do I do - the IP is being blocked by Portsentry & IPchains but I
> notice I got this from my logcheck just now:
>
> Mar 18 14:29:27 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:67 255.255.255.255:68 L=328 S=0x00 I=21004 F=0x0000 T=128 (#1)
<more snipped>
> Many thanks for any light anyone can shed on this!

You may be barking up the wrong tree here :-)

Are the hits always on port 67 and/or 68?

The IP address 192.168.0.1 is typically used on an intranet. For a description
of bootp look here (this applies to port 67 and port 68):
http://www.netice.com/advice/Exploits/Ports/68/default.htm

I would think it more likely that it's a PC looking for a DHCP server and
tripping your firewall. As IANA recommended to you, you should consult the
ISP that your server is plugged into as they'll be able to tell you if this
is the case or whether someone is genuinely spoofing the IP headers.

Regards,
Jonathan Michaelson
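As an added example (not code from the thread or its author): a small Python triage helper for ipchains "Packet log" lines like the one quoted above. It separates UDP 67/68 broadcast traffic from RFC 1918 sources (the DHCP chatter described in the reply) from denied packets that actually merit the follow-up with the ISP. The first sample line is the one from the post; the second is constructed and uses documentation (TEST-NET) addresses only.

```python
import ipaddress
import re
# Matches the ipchains "Packet log:" format seen in the quoted logcheck output.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
BOOTP_PORTS = {67, 68}  # UDP 67 = BOOTP/DHCP server side, UDP 68 = client side
BROADCAST = ipaddress.ip_address("255.255.255.255")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipchains(line):
    """Parse one ipchains packet-log line into a dict; return None for other formats."""
    m = IPCHAINS_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        entry[key] = int(entry[key])
    return entry

def classify(entry):
    """Triage one denied packet: DHCP chatter, RFC 1918 source, or worth a closer look."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    private_src = any(src in net for net in RFC1918)
    on_bootp_ports = entry["sport"] in BOOTP_PORTS and entry["dport"] in BOOTP_PORTS
    if entry["proto"] == 17 and on_bootp_ports and (dst == BROADCAST or private_src):
        return "dhcp-broadcast"  # a host or DHCP server on the segment talking to everyone
    if private_src:
        return "private-source"  # RFC 1918 source on the external interface: ask the ISP
    return "investigate"         # public source, not DHCP: a genuine scan candidate

def triage(lines):
    """Return (source, destination port, verdict) for every parseable log line."""
    results = []
    for line in lines:
        entry = parse_ipchains(line)
        if entry is not None:
            results.append((entry["src"], entry["dport"], classify(entry)))
    return results

# Constructed sample: the line from the post, plus a made-up TCP hit from a TEST-NET address.
SAMPLE_LINES = [
    "Mar 18 14:29:27 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:67 "
    "255.255.255.255:68 L=328 S=0x00 I=21004 F=0x0000 T=128 (#1)",
    "Mar 18 14:31:02 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:41022 "
    "198.51.100.20:23 L=60 S=0x00 I=3112 F=0x4000 T=52 (#2)",
]
```

Run `triage(SAMPLE_LINES)` to get one (source, port, verdict) tuple per line; only the "investigate" and "private-source" verdicts are worth raising with the ISP.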