
FW: FW: My Firewall Sending Erroneous SNMP Messages



Reply regarding findings attributed to comments submitted by David Ranch.

-----Original Message-----
From: David Gowdy 
Sent: Friday, October 07, 2005 11:10 AM
To: 'David A. Ranch'
Subject: RE: FW: My Firewall Sending Erroneous SNMP Messages

Thanks for the help.  See annotations below.

-----Original Message-----
From: David A. Ranch 
Sent: Friday, October 07, 2005 12:39 AM
To: David Gowdy
Subject: Re: FW: My Firewall Sending Erroneous SNMP Messages


Hello David,

So a few questions:

1. When you were running tcpdump, were you running this on ppp0 or eth0?
It looks like you were running this on eth0, which is incorrect.

<< I ran it on both (actually my external NIC is eth1) but the output I sent
came from eth1.  It is the interface used for PPPoE.  I think this approach
has the advantage of showing the packets in their native Ethernet form
rather than just the IP.  The link protocols for PPP also show up when you
trace on the Ethernet interface.  If there is a problem with this rationale
I need further explanation.  >>

If you were running it on eth0, this traffic might be normal.  Many DSL
ISPs use private addresses for the ethernet interface but put the public
IP on the ppp interface.

<<  What seems odd to me is that the ISP (Verizon) has assigned a private
address (at the time of the trace it was 10.0.38.1 but does change slightly
from time to time) for their side of the PPP connection.  Since I'm using
10.x.x.x there is potential conflict with my network but my gateway device
seems to be setting up valid routes.  Another curious point is that the
netmask being dynamically assigned for the ppp0 interface is
255.255.255.255, even though Verizon help desk people seem to think that
this is wrong.  If I connect from a Windoze Box, I seem to recall that a
different value is assigned.  >>

2. In the decode, the SNMP packet is from the source "70.108.83.244",
which is listed as "pool-70.108.83.244.res.east.verizon.net".  Is that
the IP address on your ppp0 interface?

<< YES >>

3. Via Google, it shows up that this SNMP OID is for finding out
network-enabled printer status.  Does that sound familiar?

<< I am running LPD on the same box.  It provides print serving to a
PostScript printer attached via parallel port (i.e., I wouldn't describe
this as a network-aware printer). >>

4. What's interesting with this decode (did this come from tcpdump or
something like Ethereal?) is the vendors of the Ethernet MAC addresses.
Do these vendors sound familiar?

    Source: 3com_ff:0c:a8 (00:50:04:ff:0c:a8)
    Destination: Cisco_6f:91:08 (00:50:73:6f:91:08)

<< I use tcpdump on the gateway for capturing but the report was produced by
running ethereal on the captured file.  I use a 3COM NIC and I presume that
Verizon is using a Cisco device of some kind.  >> 

5.  This SNMP poll is VERY old and very basic:
    - It's using SNMPv1, which is really old
    - It's using a community of "public", which is very insecure
    - OID: 1.3.6.1.2.1.25.3.2.1.5.1


6. I think this email sums it up.  You have a rogue network printer.

http://bob.marlboro.edu/wiki04/Wiki.jsp?page=HaveIBeenHacked

<< I think this is the clue that I needed.  It seems I do have a laptop
running Windoze which does still have some printers installed that are
associated with some former work locations.  The rogue addresses match.  The
intermittent nature of my problem could be explained by the presence or
absence of this laptop on my network.  I'll have to dig a little deeper
before understanding the scenario precisely.  I'm very grateful for your
willingness to HELP.  MANY THANKS!  >>

--David
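For anyone who lands on this thread with a similar capture, the following is an added example (not code from either David, and not from any tool mentioned above): a minimal BER decoder for an SNMPv1/v2c community-based message, plus the check a defender would run over it to flag exactly what item 5 calls out, an old protocol version, the default "public" community, and a poll of the hrDeviceStatus column (1.3.6.1.2.1.25.3.2.1.5 in HOST-RESOURCES-MIB, the OID family the thread identifies with printer-status polling). The packet bytes are constructed by hand to match the thread's description; they are not the original capture.

```python
"""
Minimal SNMPv1/v2c BER decoder and a weak-configuration check.

The sample packet below is CONSTRUCTED for this example: an SNMPv1
GetRequest with community "public" for OID 1.3.6.1.2.1.25.3.2.1.5.1,
which is what the thread describes, not the poster's actual capture.
"""

# Constructed SNMPv1 GetRequest (43 bytes), laid out field by field.
SAMPLE_SNMP_PACKET = bytes.fromhex(
    "3029"                              # SEQUENCE, 41 bytes follow
    "020100"                            # INTEGER version = 0 (SNMPv1)
    "0406" + "public".encode().hex() +  # OCTET STRING community = "public"
    "a01c"                              # GetRequest PDU (context tag 0), 28 bytes
    "020101"                            # request-id = 1
    "020100"                            # error-status = 0
    "020100"                            # error-index = 0
    "3011"                              # VarBindList, 17 bytes
    "300f"                              # VarBind, 15 bytes
    "060b2b06010201190302010501"        # OID 1.3.6.1.2.1.25.3.2.1.5.1
    "0500"                              # NULL value (it is a request)
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}
HR_DEVICE_STATUS = "1.3.6.1.2.1.25.3.2.1.5"  # hrDeviceStatus column, HOST-RESOURCES-MIB


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form lengths up to 4 bytes."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def _decode_int(raw):
    return int.from_bytes(raw, "big", signed=True)


def _decode_oid(raw):
    """Decode a BER OBJECT IDENTIFIER body into dotted form.
    The first byte packs the first two arcs (40*a + b); later arcs are base-128."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:        # high bit clear: last byte of this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def parse_snmp(packet):
    """Parse a community-based SNMP message into a dict of the fields a
    defender cares about: version, community, PDU type, request-id, OIDs."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    version = _decode_int(ver)
    msg = {
        "version": {0: "SNMPv1", 1: "SNMPv2c"}.get(version, f"unknown({version})"),
        "community": comm.decode("ascii", "replace"),
        "pdu_type": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "oids": [],
    }
    if pdu_tag == 0xA4:     # SNMPv1 Trap PDU has a different layout; not decoded here
        return msg
    _, rid, p = _read_tlv(pdu, 0)
    msg["request_id"] = _decode_int(rid)
    _, _, p = _read_tlv(pdu, p)     # error-status (ignored)
    _, _, p = _read_tlv(pdu, p)     # error-index (ignored)
    _, vbl, _ = _read_tlv(pdu, p)   # VarBindList
    p = 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)            # one VarBind
        _, oid_raw, _ = _read_tlv(vb, 0)        # its OID; value is skipped
        msg["oids"].append(_decode_oid(oid_raw))
    return msg


def assess(msg):
    """Return the findings a defender would raise for this message."""
    findings = []
    if msg["version"] in ("SNMPv1", "SNMPv2c"):
        findings.append(f"{msg['version']}: community string travels in cleartext")
    if msg["community"] in WELL_KNOWN_COMMUNITIES:
        findings.append(f"default community '{msg['community']}' in use")
    for oid in msg["oids"]:
        if oid.startswith(HR_DEVICE_STATUS + "."):
            findings.append(f"{oid} polls hrDeviceStatus (HOST-RESOURCES-MIB), "
                            "typical of printer-status monitoring")
    return findings


if __name__ == "__main__":
    decoded = parse_snmp(SAMPLE_SNMP_PACKET)
    print(decoded)
    for line in assess(decoded):
        print("-", line)
```

Feeding it the SNMP payload from a capture (the UDP data after the IP/UDP headers) reproduces the three points in item 5: version, community, and what is being polled. The hrDeviceStatus match is what ties the packet back to a printer-status monitor rather than a generic scanner, which is the conclusion the thread reaches; the fix on the LAN side is the one implied above, find the host emitting the polls and remove the stale printer port, and on the firewall side, drop outbound UDP/161 that has no business leaving the network.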
 


