Date:      Fri, 27 Jul 2001 20:13:06 -0500 (CDT)
From:      James McNaughton <jtm63@enteract.com>
To:        freebsd-questions@freebsd.org
Subject:   dhclient: Odd errors - New exploit?
Message-ID:  <200107280113.f6S1D5e45528@jamestown.21stcentury.net>

Howdy,

I noticed an odd error on the console from arp and in tracking down
the source discovered it was related to DHCP and dhclient. I found a
bunch of errors logged from dhclient as follows:

Jul 24 09:30:49 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:30:49 jamestown dhclient: New Subnet Mask (ep0): 255.255.255.192
Jul 24 09:30:49 jamestown dhclient: New Broadcast Address(ep0): 192.168.100.63
Jul 24 09:30:49 jamestown dhclient: New Routers: 192.168.100.1
Jul 24 09:30:55 jamestown dhclient: send_packet: Permission denied
Jul 24 09:31:02 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:31:02 jamestown dhclient: New Subnet Mask (ep0): 255.255.255.192
Jul 24 09:31:02 jamestown dhclient: New Broadcast Address(ep0): 192.168.100.63
Jul 24 09:31:02 jamestown dhclient: New Routers: 192.168.100.1
Jul 24 09:31:07 jamestown dhclient: send_packet: Permission denied
Jul 24 09:31:17 jamestown dhclient: send_packet: Permission denied
<snip>

The IP address is on my outside (ISP) interface. The IP numbers are,
of course, bogus. After four such events in as many minutes, dhclient
reconfigured the interface to a proper IP on my ISP's subnet.

It appears to me that someone was trying to get dhclient to use a
bogus IP for some unknown reason and that ipfw rules blocked the
attempt.

Has anyone seen this before? I searched the mailing list archives and
found no mention of a similar phenomenon. Could this be a new exploit
aimed at routing packets through a hostile machine for further
examination, or did someone on the same cable segment pull a major
boner?

Jim
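
An added example, not part of the original message: one way to triage dhclient syslog output like the excerpt above, flagging leases that bind an RFC 1918 address to an interface designated as external and counting send_packet failures. The EXTERNAL_IFACES setting and the sample lines are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: ep0 is the outside (ISP-facing) interface, as in the post.
EXTERNAL_IFACES = {"ep0"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dhclient: "
    r"New IP Address\s*\((?P<iface>\w+)\): (?P<ip>[\d.]+)$")
DENIED_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ dhclient: send_packet: Permission denied$")

def analyze(lines):
    """Return (suspicious_leases, denied_count) for dhclient syslog lines."""
    suspicious, denied = [], 0
    for line in lines:
        line = line.strip()
        m = LEASE_RE.match(line)
        if m:
            try:
                addr = ip_address(m["ip"])
            except ValueError:
                continue  # malformed address in the log line
            if m["iface"] in EXTERNAL_IFACES and any(addr in n for n in RFC1918):
                suspicious.append((m["ts"], m["iface"], str(addr)))
        elif DENIED_RE.match(line):
            denied += 1  # outbound DHCP packet refused locally
    return suspicious, denied

# Constructed sample modelled on the excerpt above; the last line is a
# constructed lease using a documentation-range (TEST-NET-3) address.
SAMPLE = """\
Jul 24 09:30:49 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:30:49 jamestown dhclient: New Routers: 192.168.100.1
Jul 24 09:30:55 jamestown dhclient: send_packet: Permission denied
Jul 24 09:31:02 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:31:07 jamestown dhclient: send_packet: Permission denied
Jul 24 09:34:40 jamestown dhclient: New IP Address(ep0): 203.0.113.25
""".splitlines()

if __name__ == "__main__":
    leases, denied = analyze(SAMPLE)
    for ts, iface, ip in leases:
        print(f"{ts}: private address {ip} leased on external interface {iface}")
    print(f"send_packet failures: {denied}")
```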
