
DD-WRT and DHCP from internet

Discussion in 'DD-WRT Firmware' started by RonV, Jul 6, 2006.

  1. RonV

    RonV Network Guru Member

    I have been running V.23 SP1 since it rolled out and today I found something interesting in my WallWatcher log:

    WallReViewer - as of 7/6/2006 7:37:51 AM Central Standard Time (Timestamps are Local Time)
    Date Time Dir Prot Rem IP Addr Remote Name R Port Lcl IP Addr L Port
    2006/07/06 06:41:08 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:20 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:25 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:31 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:31 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:34 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:51 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:41:59 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:42:08 I udp 10.52.160.1 67 255.255.255.255 68
    2006/07/06 06:42:24 I udp 10.52.160.1 67 255.255.255.255 68


    It looks like DD-WRT is allowing address 10.52.160.1 to send DHCP requests into my router. I have never seen this before under other firmware versions.

    Should I be concerned? Is this a security hole?

    Thanks

    -Ron
     
  2. sufrano63

    sufrano63 Network Guru Member

    The 10.x.x.x is a private address and not routable. More info is needed. What R U using as your internal address?
     
  3. RonV

    RonV Network Guru Member

    My internal address is 192.168.10.x
     
  4. d00zah

    d00zah Network Guru Member

    Try executing "tracert my.yahoo.com" from the command prompt. I'm betting that the 10.52.160.1 shows up as the first hop... probably an ISP router.

    If that's the case and you'd care to ignore the entries, you can right-click on the IP in WallWatcher and choose "Hide" or "Don't log" to remove clutter from the logs.
     
  5. RonV

    RonV Network Guru Member

    Well, the address doesn't seem to be coming from the internet but from VLAN1. Here is the Ethereal capture of the SYSLOG record:

    Syslog message: USER.WARNING: kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:e2:33:70:54:08:00:45:00:01:50 SRC=10.52.160.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=48943 PROTO=UDP SPT=67 DPT=68 LEN=316
    0000 1... = Facility: USER - random user-level messages (1)
    .... .100 = Level: WARNING - warning conditions (4)
    Message: kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:e2:33:70:54:08:00:45:00:01:50 SRC=10.52.160.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=48943 PROTO=UDP SPT=67 DPT=68 LEN=316


    VLAN1 per the VLAN screen in the GUI shows that the WLAN is assigned to this interface.

    It only seems like I have one option here. Turn off the wireless interfaces and watch to see if the event continues to happen.

    Can you safely do an ifdown command on a VLAN without affecting the remaining ports of the router?

    -Ron
     
  6. d00zah

    d00zah Network Guru Member

    I believe the "W" on the VLAN page indicates the WAN port rather than WLAN. W + 1-4 corresponds to the 5 physical connections on the back of the router.

    If you want to be sure, you can disable the access point by setting Wireless > Basic Settings > Wireless Network Mode to Disable.
     
  7. RonV

    RonV Network Guru Member

    My mistake, W is the WAN port, so this DHCP request is coming over the WAN connection. At least it's being dropped by the router... I don't know how a private IP address is coming in over the public internet unless SBC/AT&T has a misconfigured router out there.

    At this time I'll just ignore it.....

    Thanks
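    As an added illustration (not code from the thread or from DD-WRT), here is a small Python classifier for the kernel DROP lines quoted above. It parses the netfilter KEY=VALUE fields, flags DHCP server broadcasts (UDP 67 to 68, destination 255.255.255.255) from RFC 1918 sources on the WAN interface as the ISP-side first-hop traffic discussed in this thread, and counts everything else that was dropped. It assumes vlan1 is the WAN interface, as established above; the second and third sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges, the point sufrano63 raises in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: the first line copies the kernel DROP message quoted in
# the thread; the other two are made-up entries in the same netfilter LOG format.
SAMPLE_LOG = """\
kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:e2:33:70:54:08:00:45:00:01:50 SRC=10.52.160.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=48943 PROTO=UDP SPT=67 DPT=68 LEN=316
kernel: DROP IN=vlan1 OUT= MAC=00:08:e2:33:70:54:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44321 DPT=445
kernel: DROP IN=vlan1 OUT= MAC=00:08:e2:33:70:54:00:11:22:33:44:55:08:00 SRC=10.52.160.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=48950 PROTO=UDP SPT=67 DPT=68 LEN=316
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
WAN_IFACE = "vlan1"  # assumption: vlan1 is the WAN port, as d00zah explains above

def parse_drop_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None if it is not a DROP."""
    if "DROP" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    return fields

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(fields):
    """Label a dropped packet the way the thread ends up reasoning about it."""
    src, proto = fields.get("SRC", ""), fields.get("PROTO")
    if fields.get("IN") != WAN_IFACE:
        return "not-wan"
    if (proto == "UDP" and fields.get("SPT") == "67" and fields.get("DPT") == "68"
            and fields.get("DST") == "255.255.255.255"):
        # DHCP server-to-client broadcast; from an RFC 1918 source this is the
        # ISP-side first hop d00zah describes, not a host on the public Internet.
        return "dhcp-offer-broadcast-private" if is_rfc1918(src) else "dhcp-offer-broadcast-public"
    if proto == "TCP":
        return "wan-tcp-probe"  # the random inbound scans the thread mentions
    return "other"

def summarize(log_text):
    """Count dropped packets per (category, source address) across a log."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_drop_line(line)
        if fields:
            counts[(classify(fields), fields["SRC"])] += 1
    return counts
```

Running summarize(SAMPLE_LOG) groups the two 10.52.160.1 broadcasts under the private DHCP-offer category, so they can be hidden as noise while the public-source TCP drop stays visible.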
     
  8. d00zah

    d00zah Network Guru Member

    Did you ever try the tracert? I saw the same thing in my log and the 10.x.y.z IP turned out to be the 1st hop beyond my LAN. Pretty sure it's common to most broadband connections.
     
  9. sufrano63

    sufrano63 Network Guru Member

    10.x.x.x is reserved for private network and it's a non-routable address; therefore it can not be coming from the Internet.
     
  10. d00zah

    d00zah Network Guru Member

    Quite aware of that. I'm only speculating, but couldn't the ISP have its own private subnets which don't route beyond its network? In this case, for bootp to upload modem code, etc.

    Tracing route to my.yahoo4.akadns.net [216.109.126.22]
    over a maximum of 30 hops:

    1 1 ms <1 ms <1 ms IANUS.MYRMIDOM [192.168.x.y]
    2 6 ms 7 ms 8 ms 10.83.64.1
    3 9 ms 7 ms 7 ms 172.20.15.21
    4 7 ms 7 ms 7 ms 66-x-y-z.static.charter.com [66.x.y.z]
    5 11 ms 9 ms 9 ms bstnma1wcx011-gige13-0-wcg.net [65.77.95.113]
    6 17 ms 15 ms 16 ms nycmny2wcx3-pos9-0-oc48.wcg.net [64.200.249.49]
    7 14 ms 15 ms 18 ms nycmny2wcx2-pos0-0-oc192.wcg.net [64.200.68.157]
    8 21 ms 22 ms 25 ms hrndva1wcx2-pos1-0-oc192.wcg.net [64.200.210.178]
    9 24 ms 23 ms 22 ms washdc5lch1-pos4-1.wcg.net [64.200.89.138]
    10 36 ms 25 ms 23 ms 64.200.89.110
    11 23 ms 22 ms 22 ms ge-0-0-0-p110.msr2.dcn.yahoo.com [216.115.108.5]
    12 22 ms 25 ms 22 ms ge2-2.bas2-m.dcn.yahoo.com [216.109.120.153]
    13 21 ms 22 ms 21 ms alteon3.124.dcn.yahoo.com [216.109.124.12]
    14 21 ms 22 ms 21 ms p3.my.vip.dcn.yahoo.com [216.109.126.22]

    Trace complete.
     
  11. sufrano63

    sufrano63 Network Guru Member

    I was replying to RonV as he kept saying the 10.x.x.x address might be coming from the Internet. Your suggestion is the only logical explanation why the 10.x.x.x is showing up in the log.
     
  12. d00zah

    d00zah Network Guru Member

    Fair enough. Just looking for answers myself, but enjoy trying to posit a reasonable explanation. The fact that it shows up on the WAN port can easily be construed as "from the internet".

    Sorry to hijack the thread, Ron. Just hide/ignore it like I did (after arriving at an explanation I was comfortable with ;^).

    d-
     
  13. RonV

    RonV Network Guru Member

    Yes, I did the tracert and no private addresses from my DSL connection:

    Tracing route to my.yahoo4.akadns.net [216.109.126.22]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.10.1
    2 9 ms 10 ms 10 ms 68.249.191.254
    3 10 ms 11 ms 10 ms 68.22.72.66
    4 10 ms 10 ms 10 ms 151.164.43.82
    5 11 ms 10 ms 11 ms 151.164.191.174
    6 12 ms 11 ms 11 ms 151.164.42.139
    7 12 ms 11 ms 12 ms 151.164.191.249
    8 11 ms 11 ms 11 ms 151.164.248.246
    9 27 ms 27 ms 28 ms 216.115.97.21
    10 29 ms 28 ms 27 ms 216.115.108.1
    11 29 ms 28 ms 32 ms 216.109.120.219
    12 27 ms 28 ms 28 ms 216.109.124.12
    13 30 ms 28 ms 27 ms 216.109.126.22

    Trace complete.

    But I wouldn't put anything past SBC/ATT being the root cause since it just started to show up yesterday... they blocked my VPN traffic before using some lame excuse about preventing email zombies.
     
  14. RonV

    RonV Network Guru Member

    Well, it looks like the DHCP broadcasts against my router have stopped. I don't know how AT&T/SBC/Yahoo manages their network but this is totally unacceptable.

    I sent an email to their support group yesterday and haven't received a response back yet, but I am sure it will ask me to call the 800 number where you sit on hold for more than 10 minutes to talk with someone that will ask you to reset the DSL modem :thumbdown:
     
  15. d00zah

    d00zah Network Guru Member

    Ignore 'em & be more concerned about probes specifically targeting your IP (although they are random scans, the router is gonna block them anyway). You mentioned you use WW... have you set up a myNetWatchman account yet? Info on the WW website.
     
  16. RonV

    RonV Network Guru Member

    Yep, set up the account a long time ago when I first started running WebWatcher. It's amazing the number of "Worms" that these guys have on record and even worse how many requests hit my router.
     
  17. d00zah

    d00zah Network Guru Member

    It's the nature of the Internet. Just random scans of random subnets by infected hosts, for the most part. As long as you have no ports open & "Block Anonymous Internet Requests" (& don't incur the ire of someone with the wherewithal to do you harm) they don't know you're there & you've done about as much as you can do. Short of a preemptive strike, that is. ;^) Just enjoy the technology.
     
