
Security problem?


Chris L. Mason, Oct 5, 2000

Hi,

I keep seeing lines like this showing up on my console and in the logs:

arp: attempt to overwrite entry for 10.1.1.2 on de0 by xx:xx:xx:xx:xx:xx on ne0

The 10.1.1.0/24 network is my internal network. 10.1.1.1 is my firewall
and 10.1.1.2 is a desktop Linux system. de0 is the interface to the
internal network and ne0 is the interface connected to the Internet via a
cable modem.

So, is this some kind of attack, or just the result of other home users
with misconfigured systems that are leaking internal address? Note that
I'm using ipf with very strict rules, and a default deny policy.

Thanks,


Chris

Luke Bakken, Oct 5, 2000

Try 'arping' in the ports collection on the offending MAC address and see
what shows up.

Or, try pinging the outside network using your external card's IP like so
to see if someone else on your net is doing something funky:

ping -I <external IP> 10.1.1.2

Good luck

Chris L. Mason, Oct 5, 2000

On Thu, Oct 05, 2000 at 08:23:07AM -0700, Luke Bakken wrote:
> Try 'arping' in the ports collection on the offending MAC address and see
> what shows up.
>

Yup, that's it. There's someone on the local @home network using 10.1.1.2
as their public address. Even worse is the fact that not only do I get a
response from their MAC, but the @home gateway router on .1 also responds!

Does this mean the @home router is misconfigured? If so I will send them a
message and ask them to stop routing private addresses!


Chris

Laurence Moore, Oct 5, 2000

On Thu, 5 Oct 2000, Chris L. Mason wrote:

>
> Hi,
>
> I keep seeing lines like this showing up on my console and in the logs:
>
> arp: attempt to overwrite entry for 10.1.1.2 on de0 by xx:xx:xx:xx:xx:xx on ne0
>
> The 10.1.1.0/24 network is my internal network. 10.1.1.1 is my firewall
> and 10.1.1.2 is a desktop Linux system. de0 is the interface to the
> internal network and ne0 is the interface connected to the Internet via a
> cable modem.
>

If you have ipmon running you should be getting output from ipf, providing
you are using "log" in the rules. What is in the logs that is being
blocked by ipf?

Is xx:xx:xx:xx:xx:xx the MAC address of the de0 or ne0 interface?

Could it be that an arp request is being sent down ne0 for 10.1.1.2?

Using tcpdump may help to see what is passing on your ne0 interface.

IP-Filter should be able to be configured to block the 10.1.1.x entering
on interface ne0.
What have you got in ipf.rules and ipnat.rules?


Cheers,

Larry.
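One way to triage these warnings automatically, as an added example that is not code from the thread: a Python parser for the kernel's "arp: attempt to overwrite entry" message that applies the checks raised above (is the MAC one of the firewall's own interfaces, did the claim for an internal address arrive on the external interface, or are two hosts on the same segment fighting over one address). The interface roles, the firewall's MACs and the sample syslog lines are assumed or constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
# Layout of the kernel warning quoted in the thread (the MAC is masked there).
ARP_RE = re.compile(
    r"arp: attempt to overwrite entry for (?P<ip>\S+) on (?P<entry_if>\S+)"
    r" by (?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}) on (?P<seen_if>\S+)"
)
# Assumed topology from the thread (de0 inside, ne0 outside); MACs constructed.
OWN_MACS = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}
EXTERNAL_IFS = {"ne0"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(line):
    """Verdict for one 'arp: attempt to overwrite' line, or None if not one."""
    m = ARP_RE.search(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    mac, entry_if, seen_if = m["mac"].lower(), m["entry_if"], m["seen_if"]
    if mac in OWN_MACS:
        return "self"                 # one of our own interfaces; harmless
    if seen_if in EXTERNAL_IFS and any(ip in n for n in PRIVATE_NETS):
        return "private-on-external"  # inside address claimed from outside
    if entry_if == seen_if:
        return "duplicate-ip"         # two hosts on one segment fighting
    return "cross-interface"          # address seen from another interface

def summarize(lines):
    """Count verdicts; map (ip, interface) -> MACs behind outside claims."""
    counts, offenders = Counter(), defaultdict(set)
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict == "private-on-external":
            m = ARP_RE.search(line)
            offenders[(m["ip"], m["seen_if"])].add(m["mac"].lower())
    return counts, dict(offenders)

# Constructed sample syslog lines, not from the thread.
SAMPLE_LOG = """\
Oct  5 08:11:02 fw /bsd: arp: attempt to overwrite entry for 10.1.1.2 on de0 by 00:00:5e:00:53:aa on ne0
Oct  5 08:11:09 fw /bsd: arp: attempt to overwrite entry for 10.1.1.2 on de0 by 00:00:5E:00:53:AA on ne0
Oct  5 08:12:40 fw /bsd: arp: attempt to overwrite entry for 10.1.1.7 on de0 by 00:00:5e:00:53:bb on de0
Oct  5 08:13:01 fw /bsd: arp: attempt to overwrite entry for 10.1.1.1 on de0 by 00:00:5e:00:53:01 on de0
"""
```

Run it over the real syslog with `summarize(open("/var/log/messages"))`; a non-empty offenders map is the "someone outside is using your inside range" case from this thread.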

Chris L. Mason, Oct 6, 2000

On Thu, Oct 05, 2000 at 11:48:37PM +0800, Laurence Moore wrote:
>
...

>
> If you have ipmon running you should be getting output from ipf, providing
> you are using "log" in the rules. What is in the logs that is being
> blocked from ipf.
>
> Is xx:xx:xx:xx:xx:xx the MAC address of the de0 or ne0 interface?

Neither, it's not one of mine.

> Could it be that an arp request is being sent down ne0 for 10.1.1.2?
>
> Using tcpdump may help to see what is passing on your ne0 interface.
>
> IP-Filter should be able to be configured to block the 10.1.1.x entering
> on interface ne0.
> What have you got in ipf.rules and ipnat.rules?
>

Hi,

I have:

block in quick on ne0 from 10.0.0.0/8 to any

ne0 has a public address of 24.112.240.236 (might as well disclose it as
it's in the mail header anyway.)

Btw, I'm running snort with a full rule-list and it doesn't show anything.

I think the problem is just what Luke suggested. Someone else has a
misconfigured system.


Chris

Darik Horn, Oct 6, 2000

In my area, the @Home guys internally use addresses in the 10.x.x.x range.

For example, if I traceroute on the @Home network between Brantford and
Waterloo in Ontario then all of the hops have addresses in 10.x.x.x except
the target. I would not ban traffic coming from those addresses because
some of it will be legitimate.

eg:

1 10.18.0.1 1.848 ms 1.808 ms 9.682 ms
2 10.0.184.25 3.181 ms 5.611 ms 3.161 ms
3 10.0.184.130 3.785 ms 3.369 ms 9.434 ms
4 10.0.184.14 6.759 ms 4.723 ms 4.631 ms
5 24.112.101.192 6.702 ms 6.67 ms 6.426 ms

On Thu, 5 Oct 2000, Chris L. Mason wrote:

Chris L. Mason, Oct 6, 2000

On Thu, Oct 05, 2000 at 12:05:49PM -0400, Darik Horn wrote:
>
> In my area, the @Home guys internally use addresses in the 10.x.x.x range.
>
> For example, if I traceroute on the @Home network between Brantford and
> Waterloo in Ontario then all of the hops have addresses in 10.x.x.x except
> the target. I would not ban traffic coming from those addresses because
> some of it will be legitimate.
>
> eg:
>
> 1 10.18.0.1 1.848 ms 1.808 ms 9.682 ms
> 2 10.0.184.25 3.181 ms 5.611 ms 3.161 ms
> 3 10.0.184.130 3.785 ms 3.369 ms 9.434 ms
> 4 10.0.184.14 6.759 ms 4.723 ms 4.631 ms
> 5 24.112.101.192 6.702 ms 6.67 ms 6.426 ms
>

Yeah, I know, I wish they wouldn't do that. However, I *do* block all
10.0.0.0/8 addresses, and it's not a problem because anyone connecting to
me doesn't have a 10.x.x.x source address. The fact that they route
through them at some point doesn't cause a problem because ipf (or the
applications) never see this. I've been running this way for months with
no problem.

The only thing this stops is @home technicians from connecting to my system
if they're trying stuff when logged in to those routers, and that doesn't
really concern me. :)


Chris
(Btw, when is @home going to start assigning IPv6 addresses? I want one!)

Michael Grice, Oct 6, 2000

* Darik Horn <da...@gulf.waterways.geeky.net> [001005 12:19] wrote:
>
> > you should never see packets originating from any of these addresses
> > since they're just gateways.
>
> Perhaps, but the regional dhcp/bootp server lives on a 10.x.x.x address so
> I see a lot of junk go flying around those addresses. I also get scanned
> from @Home machines in 10.x.x.x, but it doesn't seem malicious.

One of my colleagues subscribes to some cable service or another.
Apparently they do some port-scanning to verify that you aren't running
various services (http, smtp), since that's verboten unless you upgrade
to the business plan.
--Michael


henning...@bsmail.de, Oct 6, 2000

NO!
You really SHOULD ban traffic from these IPs on your external IF; it is
non-routable space. All traffic going to the Internet from those
addresses has to be NATed.
------------------------------------------------------------
Henning Brauer | Hostmaster BSWS
BS Web Services | www.bsws.de
Roedingsmarkt 14 | hostm...@bsws.de
20459 Hamburg
Germany



Darik Horn <da...@gulf.waterways.geeky.net> wrote on 05.10.2000 18:05 to mi...@openbsd.org (Subject: Re: Security problem?):

> In my area, the @Home guys internally use addresses in the 10.x.x.x range.
>
> For example, if I traceroute on the @Home network between Brantford and
> Waterloo in Ontario then all of the hops have addresses in 10.x.x.x except
> the target. I would not ban traffic coming from those addresses because
> some of it will be legitimate.
>
> eg:
>
> 1 10.18.0.1 1.848 ms 1.808 ms 9.682 ms
> 2 10.0.184.25 3.181 ms 5.611 ms 3.161 ms
> 3 10.0.184.130 3.785 ms 3.369 ms 9.434 ms
> 4 10.0.184.14 6.759 ms 4.723 ms 4.631 ms
> 5 24.112.101.192 6.702 ms 6.67 ms 6.426 ms

Chris L. Mason, Oct 6, 2000


So, blocking those addresses may have the side effect of hiding those
services from the provider? That's a feature not a bug! :)


Chris

dreamwvr, Oct 6, 2000

hi,
from observations, what they appear to be paranoid about really
is nntp servers, as they are huge bw hogs.
On Thu, 05 Oct 2000, Michael Grice wrote:
> * Darik Horn <da...@gulf.waterways.geeky.net> [001005 12:19] wrote:
> >
> > > you should never see packets originating from any of these addresses
> > > since they're just gateways.
> >
> > Perhaps, but the regional dhcp/bootp server lives on a 10.x.x.x address so
> > I see a lot of junk go flying around those addresses. I also get scanned
> > from @Home machines in 10.x.x.x, but it doesn't seem malicious.
>
> One of my colleagues subscribes to some cable service or another.
> Apparently they do some port-scanning to verify that you aren't running
> various services (http, smtp), since that's verboten unless you upgrade
> to the business plan.
> --Michael
