Why BOOTPS from the Internet?


on 29.04.2007 00:08:21 by Henry Hub

My firewall log keeps showing that svchost.exe (Windows XP Pro) is being
called from 10.69.48.1:67 from the internet. This is a bogus IP address.
Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
workstations. The firewall is blocking servers so this isn't going
through, but why would this be happening? Is this a known vulnerability?

Henry Hub

Re: Why BOOTPS from the Internet?

on 29.04.2007 01:23:15 by Sebastian Gottschalk

Henry Hub wrote:

> called from 10.69.48.1:67 from the internet. This is a bogus IP address.


No, it isn't, unless you can assure that you're directly connected to a core
router through your host network. I doubt you can.

> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
> workstations.


No. Port 67/UDP is DHCP, which may also be part of the legacy BootP
protocol, but typically isn't.

> but why would this be happening?

Because someone is running a DHCP server there?

Re: Why BOOTPS from the Internet?

on 29.04.2007 08:59:12 by Anders

Sebastian G. wrote:
> Henry Hub wrote:
>
>> called from 10.69.48.1:67 from the internet. This is a bogus IP address.
>
>
> No, it isn't, unless you can assure that you're directly connected to a
> core router through your host network. I doubt you can.
>
>> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
>> workstations.
>
>
> No. Port 67/UDP is DHCP, which may also be part of the legacy BootP
> protocol, but typically isn't.
>
> > but why would this be happening?
>
> Because someone is running a DHCP server there?

Snipped from http://www.iana.org/assignments/port-numbers
......
bootps 67/tcp Bootstrap Protocol Server
bootps 67/udp Bootstrap Protocol Server
bootpc 68/tcp Bootstrap Protocol Client
bootpc 68/udp Bootstrap Protocol Client
......
dhcpv6-client 546/tcp DHCPv6 Client
dhcpv6-client 546/udp DHCPv6 Client
dhcpv6-server 547/tcp DHCPv6 Server
dhcpv6-server 547/udp DHCPv6 Server
......
dhcp-failover 647/tcp DHCP Failover
dhcp-failover 647/udp DHCP Failover
......
dhcp-failover2 847/tcp dhcp-failover 2
dhcp-failover2 847/udp dhcp-failover 2
......
So the OP is right in his assumption that it can be bootps.

/Anders

Re: Why BOOTPS from the Internet?

on 29.04.2007 13:40:59 by Sebastian Gottschalk

Anders wrote:


>>> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
>>> workstations.
>>
>> No. Port 67/UDP is DHCP, which may also be part of the legacy BootP
>> protocol, but typically isn't.
>>
>> > but why would this be happening?
>>
>> Because someone is running a DHCP server there?
>
> Snipped from http://www.iana.org/assignments/port-numbers
> .....
> bootps 67/tcp Bootstrap Protocol Server
> bootps 67/udp Bootstrap Protocol Server
> bootpc 68/tcp Bootstrap Protocol Client
> bootpc 68/udp Bootstrap Protocol Client

> [...]
> So the OP is right in his assumption that it can be bootps.

Read again. He didn't claim it just could be bootp, but it actually was
bootp and nothing else.

Re: Why BOOTPS from the Internet?

on 29.04.2007 19:24:05 by ibuprofin

On Sat, 28 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article , Henry Hub wrote:

>My firewall log keeps showing that svchost.exe (Windows XP Pro) is being
>called from 10.69.48.1:67 from the internet. This is a bogus IP address.

You are posting from a Cable network. For home users, these networks
ALWAYS use DHCP because the user lacks computer skills beyond turning
on the computer and clicking on some icons. If you use a network search
tool like google or yahoo, you can find a copy of RFC2131

2131 Dynamic Host Configuration Protocol. R. Droms. March 1997.
(Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396,
RFC4361) (Status: DRAFT STANDARD)

DHCP is how your computer obtains an IP address. DHCP is an extension to
BOOTP, and uses the ports that were originally assigned to BOOTP - port 68
on your end, port 67 on the server. A DHCP address is _leased_ to you,
generally for a short period (hours), and your computer needs to renew the
lease to continue using the IP it may have. These lease negotiations use
the port 67/68 pairing. If you block this, at the end of the lease period,
you lose access.

As far as the 10.69.48.1 IP address, this is an RFC1918 address to be
used _within_ a network such as the 24.150.x.x range allocated to Cogeco,
but these addresses are not valid _outside_ of "this" network. If you
exclude the address ranges listed in RFC3330 (which includes the RFC1918
ranges), there are currently some 3,706,453,504 _available_ on the
internet of which 2,469,544,460 (or 66.63 percent) are _in_use_ as of the
middle of this month. Hence, IP addresses are a valuable commodity - why
should your ISP _waste_ these addresses for systems (like the DHCP server)
that will NEVER be accessed from the outside world? This actually _adds_
some security. If your ISP has their collective heads out of their ass,
they are dropping packets with RFC3330 addresses at their perimeter in
accordance with RFC2827 and RFC3704, but in any case will be dropping
packets with a _destination_ IP address in the RFC3330 range as required
by the RFCs.

>Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
>workstations.

It's also used by DHCP - see RFC2131 above.

>The firewall is blocking servers so this isn't going through, but why
>would this be happening?

Because you are a residential customer, and haven't paid the hundreds of
dollars PER MONTH to obtain a permanent IP address directly assigned to
your system.

>Is this a known vulnerability?

Yes - it allows computers to be connected to the Internet without the
user having the faintest idea of what is going on. DHCP is a fairly
significant security problem, subject to spoofing, and as a central
point of failure. See section 7 of RFC2131 which warns that the
service is quite insecure. The only reason it is used is that it allows
computers to be connected to a network (such as your ISP) without
requiring a person with a minimal skill to set up the IP address each
time, and allows such configuration to be done from a central point.

Old guy
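A defender-side triage of log entries like the ones the OP describes, as an added example that is not code from any poster in this thread: it checks whether the source is an RFC1918 address and whether the traffic is the 67/68 UDP pairing the reply explains, and labels such entries as expected lease noise rather than an attack. The log format, the sample lines and the ISP-side addresses are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in a simple personal-firewall style; not the OP's actual log.
SAMPLE_LOG = """\
2007-04-28 23:58:01 BLOCK UDP 10.69.48.1:67 -> 24.150.12.34:68 svchost.exe
2007-04-28 23:58:05 BLOCK UDP 10.69.48.1:67 -> 24.150.12.34:68 svchost.exe
2007-04-28 23:59:10 BLOCK TCP 203.0.113.9:4444 -> 24.150.12.34:135 -
2007-04-29 00:01:30 BLOCK UDP 198.51.100.7:67 -> 24.150.12.34:68 svchost.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# RFC 1918 private ranges; 10.69.48.1 from the thread falls in the first one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(line):
    """Return a verdict dict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    private = any(src in net for net in RFC1918)
    # DHCP server (67) talking to the DHCP client port (68) over UDP, as RFC2131 specifies.
    dhcp_pair = m["proto"] == "UDP" and m["sport"] == "67" and m["dport"] == "68"
    if dhcp_pair and private:
        verdict = "dhcp-noise"          # ISP DHCP server on an internal address: expected lease traffic
    elif dhcp_pair:
        verdict = "dhcp-public-source"  # right port pairing, but a routable source: worth a look
    else:
        verdict = "other"               # not DHCP at all; handle under the normal inbound rules
    return {"src": str(src), "private": private, "verdict": verdict}


def summarize(log_text):
    """Count verdicts over a whole log so the DHCP noise can be separated from the rest."""
    counts = {}
    for line in log_text.splitlines():
        r = classify(line)
        if r:
            counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts
```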

Re: Why BOOTPS from the Internet?

on 29.04.2007 21:07:58 by Henry Hub

Moe Trin wrote:
> On Sat, 28 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
> article , Henry Hub wrote:
>
>> My firewall log keeps showing that svchost.exe (Windows XP Pro) is being
>> called from 10.69.48.1:67 from the internet. This is a bogus IP address.
>
> You are posting from a Cable network. For home users, these networks
> ALWAYS use DHCP because the user lacks computer skills beyond turning
> on the computer and clicking on some icons. If you use a network search
> tool like google or yahoo, you can find a copy of RFC2131
>
> 2131 Dynamic Host Configuration Protocol. R. Droms. March 1997.
> (Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396,
> RFC4361) (Status: DRAFT STANDARD)
>
> DHCP is how your computer obtains an IP address. DHCP is an extension to
> BOOTP, and uses the ports that were originally assigned to BOOTP - port 68
> on your end, port 67 on the server. A DHCP address is _leased_ to you,
> generally for a short period (hours), and your computer needs to renew the
> lease to continue using the IP it may have. These lease negotiations use
> the port 67/68 pairing. If you block this, at the end of the lease period,
> you lose access.
>
> As far as the 10.69.48.1 IP address, this is an RFC1918 address to be
> used _within_ a network such as the 24.150.x.x range allocated to Cogeco,
> but these addresses are not valid _outside_ of "this" network. If you
> exclude the address ranges listed in RFC3330 (which includes the RFC1918
> ranges), there are currently some 3,706,453,504 _available_ on the
> internet of which 2,469,544,460 (or 66.63 percent) are _in_use_ as of the
> middle of this month. Hence, IP addresses are a valuable commodity - why
> should your ISP _waste_ these addresses for systems (like the DHCP server)
> that will NEVER be accessed from the outside world? This actually _adds_
> some security. If your ISP has their collective heads out of their ass,
> they are dropping packets with RFC3330 addresses at their perimeter in
> accordance with RFC2827 and RFC3704, but in any case will be dropping
> packets with a _destination_ IP address in the RFC3330 range as required
> by the RFCs.
>
>> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
>> workstations.
>
> It's also used by DHCP - see RFC2131 above.
>
>> The firewall is blocking servers so this isn't going through, but why
>> would this be happening?
>
> Because you are a residential customer, and haven't paid the hundreds of
> dollars PER MONTH to obtain a permanent IP address directly assigned to
> your system.
>
>> Is this a known vulnerability?
>
> Yes - it allows computers to be connected to the Internet without the
> user having the faintest idea of what is going on. DHCP is a fairly
> significant security problem, subject to spoofing, and as a central
> point of failure. See section 7 of RFC2131 which warns that the
> service is quite insecure. The only reason it is used is that it allows
> computers to be connected to a network (such as your ISP) without
> requiring a person with a minimal skill to set up the IP address each
> time, and allows such configuration to be done from a central point.
>
> Old guy

Thanks for the thorough explanation. I have a basic knowledge of DHCP,
but your info clears up a lot.

Henry Hub

Re: Why BOOTPS from the Internet?

on 30.04.2007 00:29:34 by ibuprofin

On Sun, 29 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article <836Zh.7874$WE.2541@read1.cgocable.net>, Henry Hub wrote:

>Thanks for the thorough explanation. I have a basic knowledge of DHCP,
>but your info clears up a lot.

Glad to help. I'm guessing you just increased your firewall logging
level recently, as this has been going on long before Cogeco got the
24.150.x.x range in 1999. If you look back through the archives of
this group (it gets about 10-15 thousand articles a year), you'll see
a lot of the posts are from worried users who just discovered firewall
logging, and have their firewall set to high or paranoid levels without
understanding what is normal "noise" that can (and should) be ignored.

One common misconception of the RFC1918 addresses is that they should
never appear on the Internet. These addresses are for "internal" use
where the public is not supposed to be able to get to them. But a
backbone provider will often use them for router addresses connecting
segments of their networks, and if you use 'traceroute' (or the b0rken
windoze imitation called TRACERT.EXE), you may see these addresses. This
is OK, because you have no reason to even be aware of the routers, much
less try to connect to them (the ISPs get all kinds of unhappy if you
do) - your packets merely transit these routers enroute from "here" to
"there" without any effort on your part. Thus, you NORMALLY don't know
(or care) what addresses they are using. As the public can't use them,
why waste an otherwise useful address - give it an RFC1918 address and
no one will know the difference. ;-)

Old guy