Netgear RP614 leaking - Hardware

  1. Netgear RP614 leaking

    I have a computer behind an RP614 Web Router Gateway. My kernel is
    echoing a message to the console as follows:

    [nnnnnnn,nnnnn] Inbound IN=eth0 OUT=
    MAC=ff:ff:ff:ff:ff:ff:00:01:02:03:04:05:06:14 SRC=208.71.112.64
    DST=10.0.0.101 LEN=72 TOS=0x00 PREC=0x00 TTL=254 ID=nnnnn PROTO=UDP
    SPT=80 DPT=38458 LEN=52

    Looking at the router configuration, the port number 38458 is not
    forwarded, and my internet browser is not running at this time.

    Does that mean that there is a bug in the Netgear router that is causing
    it to leak externally sourced UDP traffic across to the internal LAN?

    Mark.

    --
    Mark Hobley,
    393 Quinton Road West,
    Quinton, BIRMINGHAM.
    B32 1QE.

  2. Re: Netgear RP614 leaking

    Mark Hobley wrote:
    > I have a computer behind an RP614 Web Router Gateway. My kernel is
    > echoing a message to the console as follows:
    >
    > [nnnnnnn,nnnnn] Inbound IN=eth0 OUT=
    > MAC=ff:ff:ff:ff:ff:ff:00:01:02:03:04:05:06:14 SRC=208.71.112.64
    > DST=10.0.0.101 LEN=72 TOS=0x00 PREC=0x00 TTL=254 ID=nnnnn PROTO=UDP
    > SPT=80 DPT=38458 LEN=52
    >
    > Looking at the router configuration, the port number 38458 is not
    > forwarded, and my internet browser is not running at this time.


    Your browser would use TCP, not UDP.
    So it's not your browser, even if you did have it running.

    > Does that mean that there is a bug in the Netgear router that is causing
    > it to leak externally sourced UDP traffic across to the internal LAN?


    No. It means you have something that's connecting outbound to udp/80,
    and you're seeing the return packet. Apparently you have netfilter &
    syslog configured to alert you on the console. (Personally, I'd find
    that annoying. YMMV)

    According to DNS, 208.71.112.64 is a04.ext.isohunt.com.

    According to ARIN, 208.71.112.64 is
    CustName: isoHunt Web Technologies, Inc.
    Address: 820 Broadway West
    City: Vancouver
    StateProv: BC
    PostalCode: V8Q-4K1
    Country: CA
    NetRange: 208.71.112.0 - 208.71.112.255
    CIDR: 208.71.112.0/24

    Got any reason to go there? Skype? BitTorrent? ... etc....

  3. Re: Netgear RP614 leaking

    Hello,

    Allen Kistler wrote:
    > Mark Hobley wrote:
    >
    >> I have a computer behind an RP614 Web Router Gateway. My kernel is
    >> echoing a message to the console as follows:
    >>
    >> [nnnnnnn,nnnnn] Inbound IN=eth0 OUT=
    >> MAC=ff:ff:ff:ff:ff:ff:00:01:02:03:04:05:06:14 SRC=208.71.112.64
    >> DST=10.0.0.101 LEN=72 TOS=0x00 PREC=0x00 TTL=254 ID=nnnnn PROTO=UDP
    >> SPT=80 DPT=38458 LEN=52

    [...]
    >> Does that mean that there is a bug in the Netgear router that is
    >> causing it to leak externally sourced UDP traffic across to the
    >> internal LAN?

    >
    > No. It means you have something that's connecting outbound to udp/80,
    > and you're seeing the return packet.


    Hmm... It does not look like a regular packet.
    - Its ethernet destination address ff:ff:ff:ff:ff:ff is broadcast but
    its destination IP address 10.0.0.101 is unicast.
    - Its ethertype is 0x0614 while it should be 0x0800 for an IPv4 packet.
    Third, the ethernet source address 00:01:02:03:04:05 looks... unusual,
    and the OUI 00:01:02 belongs to 3Com while the router is Netgear.
    - The TTL is 254 which means it traversed at most one hop before
    reaching your box. How far is 208.71.112.64 from you?

    Are you sure these packets come from the router?
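
The frame-level checks raised in the last reply can be run mechanically over netfilter LOG lines. The following is an added example, not part of any post in the thread; the function names `parse_log` and `anomalies` are hypothetical, and the sample is the log line quoted above.

```python
import ipaddress
import re

# Log line from the thread; the poster masked the timestamp and IP ID with "n".
SAMPLE = ("[nnnnnnn,nnnnn] Inbound IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:01:02:03:04:05:06:14 SRC=208.71.112.64 "
          "DST=10.0.0.101 LEN=72 TOS=0x00 PREC=0x00 TTL=254 ID=nnnnn PROTO=UDP "
          "SPT=80 DPT=38458 LEN=52")

def parse_log(line):
    """Return the KEY=VALUE fields of a netfilter LOG line, with MAC= split up."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        fields.setdefault(key, value)  # first LEN= is the IP length, second is UDP
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # Ethernet header: 6 dst + 6 src + 2 ethertype bytes
        fields["eth_dst"] = ":".join(octets[:6])
        fields["eth_src"] = ":".join(octets[6:12])
        fields["ethertype"] = int(octets[12] + octets[13], 16)
    return fields

def anomalies(f):
    """List layer-2 / layer-3 inconsistencies of the kind discussed in the thread."""
    found = []
    src_ip, dst_ip = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    # A subnet-directed broadcast cannot be recognised without the netmask,
    # so only multicast and 255.255.255.255 are treated as non-unicast here.
    unicast = not dst_ip.is_multicast and str(dst_ip) != "255.255.255.255"
    if f.get("eth_dst") == "ff:ff:ff:ff:ff:ff" and unicast:
        found.append("broadcast frame with unicast IP destination")
    if f.get("ethertype", 0x0800) != 0x0800:
        found.append("ethertype 0x%04x, IPv4 uses 0x0800" % f["ethertype"])
    if "eth_src" in f:
        b = [int(o, 16) for o in f["eth_src"].split(":")]
        if all(y - x == 1 for x, y in zip(b, b[1:])):
            found.append("source MAC is a counting sequence")
    # TTL cannot start above 255, so 255 - TTL is an upper bound on routed hops.
    hops = 255 - int(f["TTL"])
    if src_ip.is_global and hops <= 1:
        found.append("public source address at most %d hop(s) away" % hops)
    return found

if __name__ == "__main__":
    for finding in anomalies(parse_log(SAMPLE)):
        print(finding)
```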
