From: Dermot Buckley (derbuck at domain eircom.net)
Date: Tue 15 May 2001 - 13:19:54 IST
Thanks all,
It occurred to me that this might be a hacker's attempt to get at the
routing table (this box also dials into customer sites so this is a serious
security concern) - does anyone know if this is likely/possible?
I like Niall's idea about disconnecting it from the LAN (it may be trying to
communicate with the PDC or something) - will do this when next I can. I
really don't think it's Netbios related though (89 is a protocol - Open
Shortest Path First IGP - from /etc/protocols).
Updates after lunch...
-----Original Message-----
From: ilug-admin at domain linux.ie [mailto:ilug-admin at domain linux.ie]On Behalf Of Niall O Broin
Sent: 15 May 2001 12:29 pm
To: ilug at domain linux.ie
Subject: Re: [ILUG] Broadcast packets keeping pppd alive
On Tue, May 15, 2001 at 12:00:10PM +0100, Ken Guest wrote:
> > I did a little checking and it appears that broadcast packets from the isp
> > are keeping the connection alive. The logs are full of these, one every
> > 10secs:
> >
> > May 14 15:03:00 setanta kernel: Packet log: input - ppp0 PROTO=89 194.125.144.69:65535 224.0.0.5:65535 L=64 S=0xC0 I=52990 F=0x0000 T=1 (#29)
> >
> > I gather these are to do with routing table updates, so I killed routed and
> > restarted the connection but we're still getting the broadcasts.
> >
> > Does anyone have any idea what triggers these broadcasts? I'm at a dead end
> > here so all help appreciated.
> >
>
> IIRC it's SMB and Netbios packets as sent out from Windows PCs so you
> may want to filter out against the appropriate ports.
Why on earth would your ISP be SENDING Netbios (and protocol 89 (137
decimal) is Netbios, not routing table updates) packets to you, I wonder?
If these packets are incoming from the ISP then filtering won't help,
because they've been received by the ISDN transport layer (at which stage
the timeout gets restarted) before they get near your filter. I think it's
time to call your ISP and get to talk to somebody clueful (probably NOT the
first person who answers the phone) and tell them to stop the hell sending
you those packets.
Mind you, it is very curious that everything was working fine before you had
the reboot. One other thing to check - if you disconnect your gateway box
from your internal LAN, and fire up the connection, does this still happen?
I'm wondering if perhaps there's something one of your internal 'doze boxes
is doing which is causing these.
Regards,
Niall
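An added example, not part of the original thread: a small parser for the kernel "Packet log" lines quoted above that names the IP protocol number (as /etc/protocols does), flags multicast destinations, and counts which flows are hitting the dial-up interface. The protocol and group tables are small subsets chosen for illustration, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address

# IANA protocol numbers (subset) and the OSPF multicast groups from RFC 2328.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPFIGP"}
OSPF_GROUPS = {"224.0.0.5": "AllSPFRouters", "224.0.0.6": "AllDRouters"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) .*?T=(?P<ttl>\d+)"
)

def parse_line(line):
    """Return a dict for one 'Packet log' line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ttl"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTOCOLS.get(rec["proto"], "proto-%d" % rec["proto"])
    rec["multicast"] = ip_address(rec["dst"]).is_multicast
    rec["group"] = OSPF_GROUPS.get(rec["dst"])
    # Port fields only carry meaning for TCP and UDP.
    if rec["proto"] not in (6, 17):
        rec["sport"] = rec["dport"] = None
    return rec

def summarize(lines):
    """Count packets per (interface, protocol, source, destination)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["iface"], rec["proto_name"], rec["src"], rec["dst"])] += 1
    return counts

# First line is the one quoted in the thread; the others are constructed.
SAMPLE = [
    "May 14 15:03:00 setanta kernel: Packet log: input - ppp0 PROTO=89 "
    "194.125.144.69:65535 224.0.0.5:65535 L=64 S=0xC0 I=52990 F=0x0000 T=1 (#29)",
    "May 14 15:03:10 setanta kernel: Packet log: input - ppp0 PROTO=89 "
    "194.125.144.69:65535 224.0.0.5:65535 L=64 S=0xC0 I=52991 F=0x0000 T=1 (#29)",
    "May 14 15:03:12 setanta kernel: Packet log: input DENY ppp0 PROTO=17 "
    "192.0.2.10:137 192.0.2.255:137 L=78 S=0x00 I=4021 F=0x0000 T=64 (#30)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Run over a full log, the per-flow counts show at a glance which source and protocol account for the traffic that keeps resetting the idle timer.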