[CS-FSLUG] Net-bios/file-sharing "attack"
Stephen J. McCracken
smccracken at hcjb.org
Wed Oct 12 23:52:46 CDT 2005
Ed Hurst wrote:
> Stephen J. McCracken wrote:
>
>
>>>Oct 11 22:24:40 crunch kernel: ipfw: 900 Deny UDP 192.168.1.64:138
>>>192.168.1.255:138 in via rl0
>>>Oct 12 07:59:36 crunch kernel: ipfw: 900 Deny UDP 192.168.1.64:68
>>>255.255.255.255:67 in via rl0
>>
>>Ports 67 & 68 are for DHCP and therefore need to be broadcast much
>>"wider" as it can't know the network it's on before receiving its ip
>>address.
>
>
> Okay, but why the high frequency? It's had the same IP address for the
> past two days, and the queries are repeated at least every 15 minutes,
> and often several times in rapid succession.
My guess is one of two things or a combination. 1) The length of time
the lease is valid is set by the DHCP server. If it sets a short time,
then the machine will query to see if it needs to change the IP address
or not each end-of-lease time. 2) If a firewall or something is
blocking the queries, the machine will continue to try to communicate
with the DHCP server until it can get a valid response. It will keep
the prior IP address until it hears otherwise.
sjm
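
Added example, not part of the original post: a small parser for ipfw deny lines in the format quoted above that separates rapid repeats (which fit the blocked-query retry guess) from the spacing between cycles (which fits a timer such as a short lease). The sample log is constructed, the year 2005 and the 60-second burst threshold are assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ipfw log format quoted in the thread (not real capture data).
_DHCP = "crunch kernel: ipfw: 900 Deny UDP 192.168.1.64:68 255.255.255.255:67 in via rl0"
_NBDG = "crunch kernel: ipfw: 900 Deny UDP 192.168.1.64:138 192.168.1.255:138 in via rl0"
SAMPLE_LOG = "\n".join([
    f"Oct 12 07:59:36 {_DHCP}", f"Oct 12 07:59:40 {_DHCP}", f"Oct 12 07:59:48 {_DHCP}",
    f"Oct 12 08:14:36 {_DHCP}", f"Oct 12 08:14:41 {_DHCP}", f"Oct 12 08:20:02 {_NBDG}",
    f"Oct 12 08:29:36 {_DHCP}",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: ipfw: \d+ (?P<action>\w+) UDP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?:in|out) via \S+$")

# (source port, destination port) -> label; anything else is reported as "other".
SERVICES = {(68, 67): "dhcp-client", (138, 138): "netbios-dgm"}

def parse(log, year=2005):
    """Group denied UDP packets by (source IP, service). Syslog omits the year (assumed here)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "Deny":
            continue
        svc = SERVICES.get((int(m["sport"]), int(m["dport"])), "other")
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[(m["src"], svc)].append(ts)
    return dict(events)

def summarize(times, burst_gap=60):
    """Split events into bursts (neighbours <= burst_gap seconds apart) and
    return burst sizes plus the spacing between the starts of successive bursts."""
    times = sorted(times)
    bursts = [[times[0]]]
    for t in times[1:]:
        if (t - bursts[-1][-1]).total_seconds() <= burst_gap:
            bursts[-1].append(t)      # rapid repeat: same burst
        else:
            bursts.append([t])        # long pause: a new cycle starts
    spacing = [int((b[0] - a[0]).total_seconds()) for a, b in zip(bursts, bursts[1:])]
    return {"events": len(times), "burst_sizes": [len(b) for b in bursts],
            "burst_spacing_s": spacing}

if __name__ == "__main__":
    for (src, svc), times in sorted(parse(SAMPLE_LOG).items()):
        print(src, svc, summarize(times))
```

On the constructed sample the DHCP entries form three bursts starting 900 seconds apart; on a real log, burst sizes above 1 and the regularity of the spacing are the two things to compare against the DHCP server's lease time.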