Why BOOTPS from the Internet? - Firewalls



Thread: Why BOOTPS from the Internet?

  1. Why BOOTPS from the Internet?

    My firewall log keeps showing that svchost.exe (Windows XP Pro) is being
    called from 10.69.48.1:67 from the internet. This is a bogus IP address.
    Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
    workstations. The firewall is blocking servers so this isn't going
    through, but why would this be happening? Is this a known vulnerability?

    Henry Hub

  2. Re: Why BOOTPS from the Internet?

    Henry Hub wrote:

    > called from 10.69.48.1:67 from the internet. This is a bogus IP address.

    No, it isn't, unless you can assure that you're directly connected to a core
    router through your host network. I doubt you can.

    > Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
    > workstations.

    No. Port 67/UDP is DHCP, which may also be part of the legacy BootP
    protocol, but typically isn't.

    > but why would this be happening?

    Because someone is running a DHCP server there?

  3. Re: Why BOOTPS from the Internet?

    Sebastian G. wrote:
    > Henry Hub wrote:
    >
    >> called from 10.69.48.1:67 from the internet. This is a bogus IP address.
    >
    > No, it isn't, unless you can assure that you're directly connected to a
    > core router through your host network. I doubt you can.
    >
    >> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
    >> workstations.
    >
    > No. Port 67/UDP is DHCP, which may also be part of the legacy BootP
    > protocol, but typically isn't.
    >
    >> but why would this be happening?
    >
    > Because someone is running a DHCP server there?

    Snipped from http://www.iana.org/assignments/port-numbers
    ......
    bootps          67/tcp    Bootstrap Protocol Server
    bootps          67/udp    Bootstrap Protocol Server
    bootpc          68/tcp    Bootstrap Protocol Client
    bootpc          68/udp    Bootstrap Protocol Client
    ......
    dhcpv6-client   546/tcp   DHCPv6 Client
    dhcpv6-client   546/udp   DHCPv6 Client
    dhcpv6-server   547/tcp   DHCPv6 Server
    dhcpv6-server   547/udp   DHCPv6 Server
    ......
    dhcp-failover   647/tcp   DHCP Failover
    dhcp-failover   647/udp   DHCP Failover
    ......
    dhcp-failover2  847/tcp   dhcp-failover 2
    dhcp-failover2  847/udp   dhcp-failover 2
    ......
    So the OP is right in his assumption that it can be bootps

    /Anders

  4. Re: Why BOOTPS from the Internet?

    Anders wrote:

    >>> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
    >>> workstations.
    >>
    >> No. Port 67/UDP is DHCP, which may also be part of the legacy BootP
    >> protocol, but typically isn't.
    >>
    >>> but why would this be happening?
    >>
    >> Because someone is running a DHCP server there?
    >
    > Snipped from http://www.iana.org/assignments/port-numbers
    > .....
    > bootps 67/tcp Bootstrap Protocol Server
    > bootps 67/udp Bootstrap Protocol Server
    > bootpc 68/tcp Bootstrap Protocol Client
    > bootpc 68/udp Bootstrap Protocol Client
    > [...]
    > So the OP is right in his assumption that it can be bootps

    Read again. He didn't claim it just could be bootp, but that it actually was
    bootp and nothing else.

  5. Re: Why BOOTPS from the Internet?

    On Sat, 28 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
    article , Henry Hub wrote:

    >My firewall log keeps showing that svchost.exe (Windows XP Pro) is being
    >called from 10.69.48.1:67 from the internet. This is a bogus IP address.

    You are posting from a Cable network. For home users, these networks
    ALWAYS use DHCP because the user lacks computer skills beyond turning
    on the computer and clicking on some icons. If you use a network search
    tool like google or yahoo, you can find a copy of RFC2131

    2131 Dynamic Host Configuration Protocol. R. Droms. March 1997.
    (Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396,
    RFC4361) (Status: DRAFT STANDARD)

    DHCP is how your computer obtains an IP address. DHCP is an extension to
    BOOTP, and uses the ports that were originally assigned to BOOTP - port 68
    on your end, port 67 on the server. A DHCP address is _leased_ to you,
    generally for a short period (hours), and your computer needs to renew the
    lease to continue using the IP it may have. These lease negotiations use
    the port 67/68 pairing. If you block this, at the end of the lease period,
    you lose access.

    As far as the 10.69.48.1 IP address, this is an RFC1918 address to be
    used _within_ a network such as the 24.150.x.x range allocated to Cogeco,
    but these addresses are not valid _outside_ of "this" network. If you
    exclude the address ranges listed in RFC3330 (which includes the RFC1918
    ranges), there are currently some 3,706,453,504 _available_ on the
    internet of which 2,469,544,460 (or 66.63 percent) are _in_use_ as of the
    middle of this month. Hence, IP addresses are a valuable commodity - why
    should your ISP _waste_ these addresses for systems (like the DHCP server)
    that will NEVER be accessed from the outside world? This actually _adds_
    some security. If your ISP has their collective heads out of their ass,
    they are dropping packets with RFC3330 addresses at their perimeter in
    accordance with RFC2827 and RFC3704, but in any case will be dropping
    packets with a _destination_ IP address in the RFC3330 range as required
    by the RFCs.

    >Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
    >workstations.

    It's also used by DHCP - see RFC2131 above

    >The fire wall is blocking servers so this isn't going through, but why
    >would this be happening?

    Because you are a residential customer, and haven't paid the hundreds of
    dollars PER MONTH to obtain a permanent IP address directly assigned to
    your system.

    >Is this a known vulnerability?

    Yes - it allows computers to be connected to the Internet without the
    user having the faintest idea of what is going on. DHCP is a fairly
    significant security problem, subject to spoofing, and as a central
    point of failure. See section 7 of RFC2131 which warns that the
    service is quite insecure. The only reason it is used is that it allows
    computers to be connected to a network (such as your ISP) without
    requiring a person with a minimal skill to set up the IP address each
    time, and allows such configuration to be done from a central point.

    Old guy
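As an added example (not from the thread or any of its posters), here is a small Python triage routine that applies Moe Trin's reasoning to constructed firewall log lines: the 67 -> 68 UDP pairing is DHCP lease traffic and is expected even when the server sits on an RFC1918 address, while a packet whose destination is an RFC1918 address should never have crossed the ISP perimeter (RFC2827/RFC3704 ingress filtering). The log format, the process names and all addresses are assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample lines in the style of a personal-firewall log (not real data).
SAMPLE_LOG = """\
2007-04-28 09:12:01 BLOCK UDP 10.69.48.1:67 -> 24.150.200.17:68 svchost.exe
2007-04-28 09:12:05 BLOCK UDP 10.69.48.1:67 -> 10.1.2.3:68 svchost.exe
2007-04-28 09:13:44 BLOCK TCP 203.0.113.9:4456 -> 24.150.200.17:135 System
2007-04-28 09:14:02 BLOCK UDP 192.168.1.77:1900 -> 24.150.200.17:1900 svchost.exe
"""

# Assumed log layout: date time ACTION PROTO src:port -> dst:port process
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proc>\S+)$"
)

# The three RFC1918 blocks; RFC3330 lists more special-use ranges, but these are
# the ones the thread's 10.69.48.1 example falls into.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(line: str) -> Optional[str]:
    """Return a triage label for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    sport, dport = int(f["sport"]), int(f["dport"])
    # Server port 67 answering client port 68 over UDP is a DHCP/BOOTP reply:
    # ordinary lease traffic on a DHCP-provisioned link, whatever the source.
    if f["proto"] == "UDP" and sport == 67 and dport == 68:
        if is_rfc1918(f["dst"]):
            # An RFC1918 destination should have been dropped upstream (RFC2827/RFC3704).
            return "dhcp-reply to rfc1918 destination: unexpected, investigate"
        src_note = "from rfc1918 server" if is_rfc1918(f["src"]) else "from public server"
        return f"dhcp-reply {src_note}: expected lease traffic, not an intrusion"
    if is_rfc1918(f["src"]):
        return "rfc1918 source on non-dhcp traffic: spoofed or leaked, investigate"
    return "other blocked inbound: ordinary background noise"


def triage(log: str) -> List[str]:
    return [label for label in (classify(l) for l in log.splitlines()) if label]
```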

  6. Re: Why BOOTPS from the Internet?

    Moe Trin wrote:
    > On Sat, 28 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
    > article , Henry Hub wrote:
    >
    >> My firewall log keeps showing that svchost.exe (Windows XP Pro) is being
    >> called from 10.69.48.1:67 from the internet. This is a bogus IP address.
    >
    > You are posting from a Cable network. For home users, these networks
    > ALWAYS use DHCP because the user lacks computer skills beyond turning
    > on the computer and clicking on some icons. If you use a network search
    > tool like google or yahoo, you can find a copy of RFC2131
    >
    > 2131 Dynamic Host Configuration Protocol. R. Droms. March 1997.
    > (Format: TXT=113738 bytes) (Obsoletes RFC1541) (Updated by RFC3396,
    > RFC4361) (Status: DRAFT STANDARD)
    >
    > DHCP is how your computer obtains an IP address. DHCP is an extension to
    > BOOTP, and uses the ports that were originally assigned to BOOTP - port 68
    > on your end, port 67 on the server. A DHCP address is _leased_ to you,
    > generally for a short period (hours), and your computer needs to renew the
    > lease to continue using the IP it may have. These lease negotiations use
    > the port 67/68 pairing. If you block this, at the end of the lease period,
    > you lose access.
    >
    > As far as the 10.69.48.1 IP address, this is an RFC1918 address to be
    > used _within_ a network such as the 24.150.x.x range allocated to Cogeco,
    > but these addresses are not valid _outside_ of "this" network. If you
    > exclude the address ranges listed in RFC3330 (which includes the RFC1918
    > ranges), there are currently some 3,706,453,504 _available_ on the
    > internet of which 2,469,544,460 (or 66.63 percent) are _in_use_ as of the
    > middle of this month. Hence, IP addresses are a valuable commodity - why
    > should your ISP _waste_ these addresses for systems (like the DHCP server)
    > that will NEVER be accessed from the outside world? This actually _adds_
    > some security. If your ISP has their collective heads out of their ass,
    > they are dropping packets with RFC3330 addresses at their perimeter in
    > accordance with RFC2827 and RFC3704, but in any case will be dropping
    > packets with a _destination_ IP address in the RFC3330 range as required
    > by the RFCs.
    >
    >> Port 67 UDP is the Bootstrap Protocol Server designed to boot diskless
    >> workstations.
    >
    > It's also used by DHCP - see RFC2131 above
    >
    >> The fire wall is blocking servers so this isn't going through, but why
    >> would this be happening?
    >
    > Because you are a residential customer, and haven't paid the hundreds of
    > dollars PER MONTH to obtain a permanent IP address directly assigned to
    > your system.
    >
    >> Is this a known vulnerability?
    >
    > Yes - it allows computers to be connected to the Internet without the
    > user having the faintest idea of what is going on. DHCP is a fairly
    > significant security problem, subject to spoofing, and as a central
    > point of failure. See section 7 of RFC2131 which warns that the
    > service is quite insecure. The only reason it is used is that it allows
    > computers to be connected to a network (such as your ISP) without
    > requiring a person with a minimal skill to set up the IP address each
    > time, and allows such configuration to be done from a central point.
    >
    > Old guy

    Thanks for the thorough explanation. I have a basic knowledge of DHCP,
    but your info clears up a lot.

    Henry Hub

  7. Re: Why BOOTPS from the Internet?

    On Sun, 29 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
    article <836Zh.7874$WE.2541@read1.cgocable.net>, Henry Hub wrote:

    >Thanks for the thorough explanation. I have a basic knowledge of DHCP,
    >but your info clears up a lot.

    Glad to help. I'm guessing you just increased your firewall logging
    level recently, as this has been going on long before Cogeco got the
    24.150.x.x range in 1999. If you look back through the archives of
    this group (it gets about 10-15 thousand articles a year), you'll see
    a lot of the posts are from worried users who just discovered firewall
    logging, and have their firewall set to high or paranoid levels without
    understanding what is normal "noise" that can (and should) be ignored.

    One common misconception of the RFC1918 addresses is that they should
    never appear on the Internet. These addresses are for "internal" use
    where the public is not supposed to be able to get to them. But a
    backbone provider will often use them for router addresses connecting
    segments of their networks, and if you use 'traceroute' (or the b0rken
    windoze imitation called TRACERT.EXE), you may see these addresses. This
    is OK, because you have no reason to even be aware of the routers, much
    less try to connect to them (the ISPs get all kinds of unhappy if you
    do) - your packets merely transit these routers en route from "here" to
    "there" without any effort on your part. Thus, you NORMALLY don't know
    (or care) what addresses they are using. As the public can't use them,
    why waste an otherwise useful address - give it an RFC1918 address and
    no one will know the difference. ;-)

    Old guy

