From owner-freebsd-questions Thu Apr 25 9:58:23 2002
Date: Wed, 24 Apr 2002 15:02:35 +0200
From: Gabriel Ambuehl
Reply-To: gabriel_ambuehl@buz.ch
Organization: BUZ Internet Services
Message-ID: <1965488492.20020424150235@buz.ch>
To: questions@freebsd.org
Subject: dhclient going crazy...

Hello,

I'd very much like to hear explanations for the following incident which left me with a blocked cable modem (and thus complete lack of broadband and high telephone bills because of all the support calls this required, nice, uuh) as the ISP feels I've been running DoS attacks against its DHCP servers:

Apr 22 19:02:45 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:02:45 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:02:45 delta dhclient: New IP Address (rl0): 217.162.129.1
Apr 22 19:02:45 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:02:45 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:02:45 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:05:22 delta /kernel: arp: 217.162.128.1 moved from 00:30:94:06:12:a8 to 00:30:94:06:12:54 on rl0
Apr 22 19:08:11 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:08:11 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:08:11 delta dhclient: New IP Address (rl0): 217.162.130.62
Apr 22 19:08:11 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:08:11 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:08:12 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:08:12 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:08:12 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:08:12 delta dhclient: New IP Address (rl0): 217.162.130.144
Apr 22 19:08:12 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:08:12 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:08:12 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:08:12 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:08:12 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:08:12 delta dhclient: New IP Address (rl0): 217.162.130.157
Apr 22 19:08:12 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:08:12 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:08:12 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:08:12 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:08:12 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:08:12 delta dhclient: New IP Address (rl0): 217.162.130.163
Apr 22 19:08:12 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:08:12 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:08:12 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:17:19 delta /kernel: arp: 217.162.128.1 moved from 00:30:94:06:12:a8 to 00:30:94:06:12:54 on rl0
Apr 22 19:28:24 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:28:24 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:28:24 delta dhclient: New IP Address (rl0): 217.162.131.219
Apr 22 19:28:24 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:28:24 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:28:24 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:30:13 delta /kernel: arp: 217.162.128.1 moved from 00:30:94:06:12:a8 to 00:30:94:06:12:54 on rl0
Apr 22 19:35:41 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:35:41 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:35:41 delta dhclient: New IP Address (rl0): 217.162.130.247
Apr 22 19:35:41 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:35:41 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:35:41 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:35:41 delta dhclient: New Network Number: 217.162.128.0
Apr 22 19:35:41 delta dhclient: New Broadcast Address: 255.255.255.255
Apr 22 19:35:41 delta dhclient: New IP Address (rl0): 217.162.130.248
Apr 22 19:35:41 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
Apr 22 19:35:41 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
Apr 22 19:35:41 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:35:41 delta dhclient: New Network Number: 217.162.128.0

This went on for some more minutes, then stopped and restarted about one hour later, went on for about ten minutes and stopped; the whole cycle was repeated for several hours from 17:00 to 23:XX.

What is happening here? And how can I prevent it from happening again? The ISP suggests I was running some MAC address faking script that would continuously regenerate MAC addresses, which I sure as hell didn't, and I'm 99.9% sure that the box didn't get cracked, but the other interface in it (its primary job is running ipnat for the LAN behind it) (dc0) was experiencing weird problems (watchdog timeouts...).

TIA & Best regards,
Gabriel
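
The log in the message above carries two signals that can be checked mechanically: several different addresses bound on rl0 within seconds of each other, and repeated kernel "arp: ... moved" messages for the router address. The following is an added example, not part of the original message; the function names, the 60-second window and the threshold of three addresses are assumptions, and the sample input is a subset of the posted log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: a subset of the lines from the log posted above.
SAMPLE_LOG = """\
Apr 22 19:02:45 delta dhclient: New IP Address (rl0): 217.162.129.1
Apr 22 19:05:22 delta /kernel: arp: 217.162.128.1 moved from 00:30:94:06:12:a8 to 00:30:94:06:12:54 on rl0
Apr 22 19:08:11 delta dhclient: New IP Address (rl0): 217.162.130.62
Apr 22 19:08:12 delta dhclient: New IP Address (rl0): 217.162.130.144
Apr 22 19:08:12 delta dhclient: New IP Address (rl0): 217.162.130.157
Apr 22 19:08:12 delta dhclient: New IP Address (rl0): 217.162.130.163
Apr 22 19:28:24 delta dhclient: New IP Address (rl0): 217.162.131.219
"""

TS = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
LEASE_RE = re.compile(TS + r"dhclient: New IP Address \((\w+)\): (\S+)$")
ARP_RE = re.compile(TS + r"/kernel: arp: (\S+) moved from (\S+) to (\S+) on (\w+)$")

def parse_ts(text, year=2002):
    # syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def lease_bursts(log, window=timedelta(seconds=60), threshold=3):
    """Runs of >= threshold distinct addresses bound on one interface within window."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            events[m.group(2)].append((parse_ts(m.group(1)), m.group(3)))
    bursts = []
    for iface, evs in events.items():
        evs.sort()
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            addrs = sorted({addr for _, addr in evs[i:j + 1]})
            if len(addrs) >= threshold:
                bursts.append((iface, evs[i][0], addrs))
            i = j + 1 if len(addrs) >= threshold else i + 1
    return bursts

def arp_moves(log):
    """(ip, old_mac, new_mac, iface) for each kernel 'arp: ... moved' line."""
    return [m.groups()[1:] for m in map(ARP_RE.match, log.splitlines()) if m]

if __name__ == "__main__":
    print(lease_bursts(SAMPLE_LOG))
    print(arp_moves(SAMPLE_LOG))
```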