Why BOOTPS from the Internet?

My firewall log keeps showing that svchost.exe (Windows XP Pro) is being called from 10.69.48.1:67 from the internet. This is a bogus IP address. Port 67 UDP is the Bootstrap Protocol Server, designed to boot diskless workstations. The firewall is blocking servers so this isn't going through, but why would this be happening? Is this a known vulnerability?

Henry Hub

Reply to
Henry Hub

No, it isn't, unless you can assure that you're directly connected to a core router through your host network. I doubt you can.

No. Port 67/UDP is DHCP, which may also be part of the legacy BootP protocol, but typically isn't.

Because someone is running a DHCP server there?

Reply to
Sebastian G.

Snipped from the port assignments list:

bootps 67/tcp Bootstrap Protocol Server
bootps 67/udp Bootstrap Protocol Server
bootpc 68/tcp Bootstrap Protocol Client
bootpc 68/udp Bootstrap Protocol Client
.....
dhcpv6-client 546/tcp DHCPv6 Client
dhcpv6-client 546/udp DHCPv6 Client
dhcpv6-server 547/tcp DHCPv6 Server
dhcpv6-server 547/udp DHCPv6 Server
.....
dhcp-failover 647/tcp DHCP Failover
dhcp-failover 647/udp DHCP Failover
.....
dhcp-failover2 847/tcp dhcp-failover 2
dhcp-failover2 847/udp dhcp-failover 2
.....

So the OP is right in his assumption that it can be bootps.

/Anders

Reply to
Anders


Read again. He didn't claim it just could be bootp, but it actually was bootp and nothing else.

Reply to
Sebastian G.

You are posting from a Cable network. For home users, these networks ALWAYS use DHCP because the user lacks computer skills beyond turning on the computer and clicking on some icons. If you use a network search tool like google or yahoo, you can find a copy of RFC2131

2131 Dynamic Host Configuration Protocol. R. Droms. March 1997. (Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396, RFC4361) (Status: DRAFT STANDARD)

DHCP is how your computer obtains an IP address. DHCP is an extension to BOOTP, and uses the ports that were originally assigned to BOOTP - port 68 on your end, port 67 on the server. A DHCP address is _leased_ to you, generally for a short period (hours), and your computer needs to renew the lease to continue using the IP it may have. These lease negotiations use the port 67/68 pairing. If you block this, at the end of the lease period, you lose access.

As far as the 10.69.48.1 IP address, this is an RFC1918 address to be used _within_ a network such as the 24.150.x.x range allocated to Cogeco, but these addresses are not valid _outside_ of "this" network . If you exclude the address ranges listed in RFC3330 (which includes the RFC1918 ranges), there are currently some 3,706,453,504 _available_ on the internet of which 2,469,544,460 (or 66.63 percent) are _in_use_ as of the middle of this month. Hence, IP addresses are a valuable commodity - why should your ISP _waste_ these addresses for systems (like the DHCP server) that will NEVER be accessed from the outside world? This actually _adds_ some security. If your ISP has their collective heads out of their ass, they are dropping packets with RFC3330 addresses at their perimeter in accordance with RFC2827 and RFC3704, but in any case will be dropping packets with a _destination_ IP address in the RFC3330 range as required by the RFCs.

It's also used by DHCP - see RFC2131 above

Because you are a residential customer, and haven't paid the hundreds of dollars PER MONTH to obtain a permanent IP address directly assigned to your system.

Yes - it allows computers to be connected to the Internet without the user having the faintest idea of what is going on. DHCP is a fairly significant security problem, subject to spoofing, and as a central point of failure. See section 7 of RFC2131 which warns that the service is quite insecure. The only reason it is used is that it allows computers to be connected to a network (such as your ISP) without requiring a person with a minimal skill to set up the IP address each time, and allows such configuration to be done from a central point.

Old guy

Reply to
Moe Trin
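As an added illustration of the exchange Moe Trin describes (not code from this thread or from any poster), the script below parses a DHCP message in the BOOTP framing of RFC 2131: the 236-byte fixed header, the magic cookie, and the type-length-value options that carry the message type (option 53), server identifier (54) and lease time (51). It then checks what the original poster's firewall saw: a source port of 67/UDP and a source address inside RFC 1918 space. The packet bytes are constructed here for the example; the addresses 10.69.48.1 and 24.150.x.x are the ones from the thread, the xid, MAC address and one-hour lease are invented for the sample.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 section 3 magic cookie after the 236-byte BOOTP header
BOOTPS, BOOTPC = 67, 68
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP fixed header plus DHCP options from a raw UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (short packet or missing magic cookie)")
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[0:4])
    xid, secs, flags = struct.unpack("!IHH", payload[4:12])
    ciaddr, yiaddr, siaddr, giaddr = (ipaddress.IPv4Address(payload[i:i + 4])
                                      for i in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]
    # Options: code, length, value ... terminated by 255; 0 is a one-byte pad.
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "yiaddr": str(yiaddr),                       # the address being offered/leased to you
        "chaddr": chaddr.hex(":"),
        "message_type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "server_id": str(ipaddress.IPv4Address(options[54])) if 54 in options else None,
        "lease_seconds": struct.unpack("!I", options[51])[0] if 51 in options else None,
    }


def explain_log_entry(payload: bytes, src_ip: str, src_port: int, dst_port: int) -> dict:
    """Combine the decoded message with what a host firewall would log about it."""
    msg = parse_dhcp(payload)
    src = ipaddress.IPv4Address(src_ip)
    msg["src_is_rfc1918"] = src.is_private          # 10/8, 172.16/12, 192.168/16
    msg["ports_are_bootp_pair"] = (src_port, dst_port) == (BOOTPS, BOOTPC)
    # A BOOTREPLY from port 67 to port 68 is the server side of a lease exchange.
    msg["looks_like_lease_traffic"] = msg["op"] == "BOOTREPLY" and msg["ports_are_bootp_pair"]
    return msg


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER for the example: server 10.69.48.1 offering 24.150.17.42."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)   # op=2 (reply), Ethernet, hlen 6
    header += ipaddress.IPv4Address("0.0.0.0").packed                 # ciaddr
    header += ipaddress.IPv4Address("24.150.17.42").packed            # yiaddr (invented host in the ISP range)
    header += b"\x00" * 8                                             # siaddr, giaddr
    header += bytes.fromhex("001122334455") + b"\x00" * 10            # chaddr (16 bytes)
    header += b"\x00" * 64 + b"\x00" * 128                            # sname, file
    options = (bytes([53, 1, 2])                                                  # DHCPOFFER
               + bytes([54, 4]) + ipaddress.IPv4Address("10.69.48.1").packed      # server identifier
               + bytes([51, 4]) + struct.pack("!I", 3600)                         # one-hour lease
               + bytes([1, 4]) + ipaddress.IPv4Address("255.255.0.0").packed      # subnet mask
               + b"\xff")
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    for k, v in explain_log_entry(build_sample_offer(), "10.69.48.1", 67, 68).items():
        print(f"{k:>22}: {v}")
```

Run stand-alone it prints the decoded offer and the two flags; the point for the original poster is that an RFC 1918 source on 67/UDP talking to 68/UDP is the shape of a normal lease reply, not a server being contacted from outside.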

Thanks for the thorough explanation. I have a basic knowledge of DHCP, but your info clears up a lot.

Henry Hub

Reply to
Henry Hub

Glad to help. I'm guessing you just increased your firewall logging level recently, as this has been going on long before Cogeco got the 24.150.x.x range in 1999. If you look back through the archives of this group (it gets about 10-15 thousand articles a year), you'll see a lot of the posts are from worried users who just discovered firewall logging, and have their firewall set to high or paranoid levels without understanding what is normal "noise" that can (and should) be ignored.

One common misconception of the RFC1918 addresses is that they should never appear on the Internet. These addresses are for "internal" use where the public is not supposed to be able to get to them. But a backbone provider will often use them for router addresses connecting segments of their networks, and if you use 'traceroute' (or the b0rken windoze imitation called TRACERT.EXE), you may see these addresses. This is OK, because you have no reason to even be aware of the routers, much less try to connect to them (the ISPs get all kinds of unhappy if you do) - your packets merely transit these routers en route from "here" to "there" without any effort on your part. Thus, you NORMALLY don't know (or care) what addresses they are using. As the public can't use them, why waste an otherwise useful address - give it an RFC1918 address and no one will know the difference. ;-)

Old guy

Reply to
Moe Trin
