Networking – How to find the source of connections coming from private IPs

dd-wrtipnetworkingrouterSecurity

I'm an amateur home network administrator and I'm trying to ensure that the network is as secure as I can make it. We have a cable connection going through a Linksys router (WRT320) with the dd-wrt firmware (v24-sp2 mini) blocking most incoming connections and forwarding a few. I'm no expert so I haven't been tweaking the settings too much. Everything is mostly at their default settings with nonessential services disabled.

I've been looking through the incoming connection logs and found that I'm receiving constant connection requests that are being dropped from the private IP, 10.160.0.1:bootpc (UDP) (port 68 I think). By the name, I initially thought it was some computer trying to remotely start up a computer in the network. After looking it up, it is my understanding that the service it is trying to connect to is the DHCP server on the router but I have no idea where those requests are coming from.

I'm doing this all from the webui for the router so the logs are pretty barebones. This is the kind of information I see:

Source IP    Protocol    Destination Port Number    Rule
10.160.0.1   UDP         bootpc                     Dropped
(repeated)

It is a Linux-based firmware so I should be able to poke my nose around. I just not that great with the administrative side of Linux.

All of the computers at home are accounted for. I know which computers are connected and they aren't running services that they shouldn't be. Wireless is secured so no unknown computers can connect AFAIK. I just don't know how to identify this rogue IP.

A potential source that this might be coming from is that some of our computers have remote login programs (LogMeIn) so my dad can connect to the computers remotely. However, the computers are off (or have it disabled) and he hasn't been using it as frequently as he used to. I would have thought that the IP address would have been showing as an actual non-private address if he was trying to connect anyway.

I also have a second wireless router that is acting as an access point and bridges connections to the main one. It's a Linksys WRT54GL with the same firmware with pretty much the same exact settings and everything — the routers and all computers — are on the same subnet AFAIK.

Where are these connections coming from?


Running tcpdump to check the packets, I see these entries:

root@WRT320N:/tmp# tcpdump -XX -e &> dump.txt
root@WRT320N:/tmp# cat dump.txt | grep 10.160.0.1
16:58:49.918259 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
16:59:07.303484 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
16:59:32.351746 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
16:59:37.574938 00:19:2f:e5:ba:d9 (oui Unknown) > 01:00:5e:00:00:01 (oui Unknown), ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.160.0.1 > all-systems.mcast.net: igmp query v2
16:59:39.829927 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 341: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 295
16:59:40.767904 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 341: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 295
16:59:40.867497 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
16:59:48.905628 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 341: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 295
16:59:49.132869 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
16:59:51.378274 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 341: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 295
16:59:53.848036 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
17:00:10.841075 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 340: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 294
17:00:12.137809 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 340: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 294
17:00:14.179802 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
17:00:16.196078 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 340: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 294
17:00:21.349701 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
17:00:22.445556 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
17:00:23.366436 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
17:00:24.162903 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 340: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 294
17:01:04.274555 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, arp who-has 10.160.1.49 tell 10.160.0.1
17:01:07.439837 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
17:01:07.457221 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300
17:01:09.454207 00:19:2f:e5:ba:d9 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 10.160.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length: 300

trimmed for brevity

I'm not sure what to make of it though. Searching online on all-systems.mcast.net shows a number of people also getting these packets too but with no real answers that I could see.

Best Answer

The DHCP traffic that you're seeing is special in that the source address is going to be 0.0.0.0 - not a lot of help there as far as finding the source.

This is unlikely to be anything to be alarmed about - this broadcast traffic should occur any time a device connects to the network, joins the wireless, etc.

If you do still want to hunt it down, you'll want to obtain the source MAC address of the traffic, and track it down from there.