BOOTP Packets from Internet?

I was surprised to see these BOOTP packets coming in from the internet. My red0 is connected to a cable modem. Would these packets be coming from my cable internet service provider? Or from the cable modem itself? Or from some malicious node using my cable company’s network? Or is this something to be expected? Any thoughts?

Mar 19 01:24:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 01:24:21 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 01:26:05 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 01:26:07 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 02:04:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 02:04:21 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 02:06:07 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 02:06:09 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 04:17:21 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 04:17:23 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 06:54:35 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 06:54:37 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:03:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:03:21 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:33:30 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:33:32 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:38:32 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:38:34 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:42:17 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:42:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:45:17 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:45:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:57:00 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 07:57:02 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361

[Edit: Updated with full log lines from /var/log/messages]
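The log lines above are in the netfilter LOG format IPFire writes to /var/log/messages, and the pattern in question is a BOOTP server-to-client broadcast (UDP 67 to 68, destination 255.255.255.255) arriving on the WAN interface from a source that is not globally routable. The following is an added example, not code from the thread or from IPFire, that parses such lines and counts the matching broadcasts per source IP and sender MAC; the sample log and the interface names red0/green0 are constructed for the example, and the helper names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two lines mirroring the thread plus one contrast case from green0 (LAN side).
SAMPLE_LOG = """\
Mar 19 01:24:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.73.96.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 02:04:19 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 02:11:00 ipfire kernel: DROP_BOGON_FULLIN=green0 OUT= MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
"""

# The rule's log prefix ("DROP_BOGON_FULL") is glued to "IN=" because it was set
# without a trailing space, so split on the first "IN=" rather than on whitespace.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
TOKEN_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Parse one LOG line into a dict. LEN occurs twice: IP total length, then UDP length."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, lens = {"ts": m["ts"], "prefix": m["prefix"]}, []
    for key, val in TOKEN_RE.findall("IN=" + m["rest"]):
        if key == "LEN":
            lens.append(int(val))
        else:
            fields[key] = val
    fields["ip_len"], fields["udp_len"] = (lens + [None, None])[:2]
    return fields

def classify(f, wan_if="red0"):
    """Label an entry; the interesting case is a BOOTP reply broadcast from a non-global source on the WAN side."""
    if f.get("IN") != wan_if:
        return "not-wan"
    bootp_reply = f.get("PROTO") == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68"
    bcast = f.get("DST") == "255.255.255.255" and f.get("MAC", "").startswith("ff:ff:ff:ff:ff:ff:")
    nonglobal = not ipaddress.ip_address(f["SRC"]).is_global
    if bootp_reply and bcast and nonglobal:
        return "bootp-bcast-nonglobal"
    return "bogon-other" if nonglobal else "other"

def summarize(log_text, wan_if="red0"):
    """Count matches per (source IP, sender MAC); MAC= is dst(6)+src(6)+ethertype(2), so octets 6..11 are the sender."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and classify(f, wan_if) == "bootp-bcast-nonglobal":
            counts[(f["SRC"], ":".join(f["MAC"].split(":")[6:12]))] += 1
    return counts
```

The sender MAC is the same in every sample line, which is what you would expect if one upstream device is emitting all of these; its OUI can be looked up to identify the equipment type.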

Does no one have any thoughts on the origin of these BOOTP packets?

How is your Internet connection (IPFire) set up to your cable modem/router?

My red0 is connected to a cable modem

Hehe, I already thought that :wink: I mean how? Static, DHCP or PPPoE?

This is my home system – using DHCP

First, I don't know the possibly special conditions in your country, nor your exact network settings, but I can tell you how this looks for me.

I hoped that you would answer with DHCP, because to me it looks like an internal DHCP broadcast from your modem. Is it possible for you to configure IPFire for static and disable DHCP at your modem? Only to see if anything changes?

I took a stab at making the red0 static – using settings I got from DHCP. But I wouldn’t know how to tell the cable modem not to do DHCP. I’ll leave it this way until the cable company changes my IP addr – and monitor my logs.

Hmm, that didn’t seem to help – just got a few more:

Mar 19 13:12:49 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361
Mar 19 13:12:51 ipfire kernel: DROP_BOGON_FULLIN=red0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:77:46:46:08:00 SRC=10.78.64.1 DST=255.255.255.255 LEN=381 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=361

Hi, can you post the output of ifconfig … (mask the red0 IP)

Here ya go:

red0  Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
      inet addr:xx.xx.xxx.xxx  Bcast:255.255.255.255  Mask:255.255.192.0
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:17272462 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3818996 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:14956427714 (14263.5 Mb)  TX bytes:371362316 (354.1 Mb)
      Interrupt:20 Memory:e6e00000-e6e20000

Your Bcast address seems strange; mine has xx.xx.xx.255, where xx.xx.xx are the 3 octets I get from my cable modem (my ISP is COX).

This is provisioned by Spectrum / Time Warner Cable / Road Runner

Can you record those packets with tcpdump, for example?
I suspect these are requests from the CMTS of your provider. The modem should filter these, but in my experience this is not always true. :frowning:

I’ll give it a shot – it may take a while before I get the next batch of bootp packets.

The thing that piqued my interest was that these packets were from non-routed IP addresses – SRC=10.78.64.1 and SRC=10.73.96.1 – and these are not addresses that I use on my network.

These IPs may be addresses inside the DOCSIS net of CMTS and CMs (modems).

The modem’s web craft/config interface uses a 192.168.x.x address – but perhaps it has its own private internal network(s) for SRC=10.78.64.1 and SRC=10.73.96.1.

I have noticed bootp / (dhcp) packets coming from the ISP gateway address – that didn’t surprise or disturb me

The tcpdump is still logging to a file for DST Port 68. So far I see only local ones from my ipfire DHCP server.

Hmm, I see some of the suspect packets being dropped by the timfprogs blocklist (DROP_BOGON_FULL), but these are not showing in the tcpdump file. I’m going to disable the blocklist for DROP_BOGON_FULL and start tcpdump again. Is there something I need to do with a firewall rule in order to get these would-be-dropped packets – is the packet filter going to drop these before they make it to tcpdump?

[Edit] D’oh! I hadn’t specified the interface and tcpdump defaulted to blue0.

Okay, here’s the tcpdump output:

reading from file capture_file, link-type EN10MB (Ethernet)
19:08:02.792590 IP 10.78.64.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 353
19:08:04.861122 IP 10.78.64.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 353
19:11:01.480674 IP 10.73.96.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 353
19:11:03.543078 IP 10.73.96.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 353
19:12:04.221175 IP 10.78.64.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 353
19:12:06.305507 IP 10.78.64.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 353