From: James McNaughton
To: freebsd-questions@freebsd.org
Date: Fri, 27 Jul 2001 20:13:06 -0500 (CDT)
Message-Id: <200107280113.f6S1D5e45528@jamestown.21stcentury.net>
Subject: dhclient: Odd errors - New exploit?

Howdy,

I noticed an odd error on the console from arp and in tracking down the source discovered it was related to DHCP and dhclient.
I found a bunch of errors logged from dhclient as follows:

Jul 24 09:30:49 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:30:49 jamestown dhclient: New Subnet Mask (ep0): 255.255.255.192
Jul 24 09:30:49 jamestown dhclient: New Broadcast Address(ep0): 192.168.100.63
Jul 24 09:30:49 jamestown dhclient: New Routers: 192.168.100.1
Jul 24 09:30:55 jamestown dhclient: send_packet: Permission denied
Jul 24 09:31:02 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:31:02 jamestown dhclient: New Subnet Mask (ep0): 255.255.255.192
Jul 24 09:31:02 jamestown dhclient: New Broadcast Address(ep0): 192.168.100.63
Jul 24 09:31:02 jamestown dhclient: New Routers: 192.168.100.1
Jul 24 09:31:07 jamestown dhclient: send_packet: Permission denied
Jul 24 09:31:17 jamestown dhclient: send_packet: Permission denied

The IP address is on my outside (ISP) interface. The IP numbers are, of course, bogus. After four such events in as many minutes, dhclient reconfigured the interface to a proper IP on my ISP's subnet.

It appears to me that someone was trying to get dhclient to use a bogus IP for some unknown reason and that ipfw rules blocked the attempt.

Has anyone seen this before? I searched the mailing list archives and found no mention of a similar phenomenon.

Could this be a new exploit aimed at routing packets through a hostile machine for further examination, or did someone on the same cable segment pull a major boner?

Jim
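A defender-side check for the kind of event described in this mail, added here as an example and not part of the original message or of dhclient: it parses dhclient syslog lines in the format quoted above and flags any lease whose address or default router falls outside the subnet the ISP is expected to hand out, while counting the ipfw-blocked send_packet failures alongside. The sample log lines, the expected subnet 203.0.113.0/24 and the helper name audit_dhclient are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines modelled on the dhclient syslog output quoted above.
# The first lease is on a private range no ISP should hand out; the last is "good".
SAMPLE_LOG = """\
Jul 24 09:30:49 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:30:49 jamestown dhclient: New Subnet Mask (ep0): 255.255.255.192
Jul 24 09:30:49 jamestown dhclient: New Routers: 192.168.100.1
Jul 24 09:30:55 jamestown dhclient: send_packet: Permission denied
Jul 24 09:31:02 jamestown dhclient: New IP Address(ep0): 192.168.100.18
Jul 24 09:31:07 jamestown dhclient: send_packet: Permission denied
Jul 24 09:35:10 jamestown dhclient: New IP Address(ep0): 203.0.113.77
Jul 24 09:35:10 jamestown dhclient: New Routers: 203.0.113.1
"""

# syslog prefix: "Mon DD HH:MM:SS host dhclient[pid]: message" (pid optional)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dhclient(?:\[\d+\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"^New IP Address\((?P<ifname>\w+)\): (?P<ip>[\d.]+)$")
ROUTER_RE = re.compile(r"^New Routers: (?P<ip>[\d.]+)$")


def audit_dhclient(log_text, expected_net, ifname):
    """Return (findings, send_failures).

    findings: list of (timestamp, kind, address) for every configured address
    or router outside expected_net; send_failures: count of blocked sends.
    """
    expected = ipaddress.ip_network(expected_net)
    findings, send_failures = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dhclient line
        msg = m.group("msg")
        if msg == "send_packet: Permission denied":
            send_failures += 1  # ipfw (or similar) refused the outbound packet
            continue
        ip_m = IP_RE.match(msg)
        if ip_m and ip_m.group("ifname") == ifname:
            addr = ipaddress.ip_address(ip_m.group("ip"))
            if addr not in expected:
                findings.append((m.group("ts"), "address", str(addr)))
            continue
        r_m = ROUTER_RE.match(msg)
        if r_m and ipaddress.ip_address(r_m.group("ip")) not in expected:
            findings.append((m.group("ts"), "router", r_m.group("ip")))
    return findings, send_failures
```

Run over a real /var/log/messages the same way, with expected_net set to the prefix your ISP actually assigns; any "router" finding is the one to act on first, since a rogue default gateway is what would redirect your traffic.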