CALEA backdoor?



  • Looking at System Logs>Firewall

    I am noticing blocked VRRP traffic destined to Halliburton etc. CALEA? The source being my LAN interface trying to go out WAN; did the authors write in CALEA back doors or something?



  • Stop bogarting that, the polite thing to do is to pass it on after a few puffs.
    If you're seeing that traffic, I'd go make sure Dick Cheney wasn't in the parking lot stealing your wifi instead of thinking there is some sort of secret backdoor in your Open Source firewall.



  • What exactly do you mean "source" the LAN interface?
    You mean it gets blocked on the LAN or the actual IP of the LAN interface is the source of the traffic?
    (could you show a screenshot of this log?)

    Are you using CARP?



  • @GruensFroeschli:

    What exactly do you mean "source" the LAN interface?
    You mean it gets blocked on the LAN or the actual IP of the LAN interface is the source of the traffic?
    (could you show a screenshot of this log?)

    Are you using CARP?

    Yes, it is IP of my LAN (10.200.200.200) and yes, I have CARP running:

    Apr 24 17:02:40  WAN  10.200.200.200  242.3.12.106  VRRP

    Maybe because my LAN and WAN are same physical network?

    Also did a wireshark session that contains the following:

    Version 2, Packet type 1 (Advertisement)
    0010 .... = VRRP protocol version: 2
    .... 0001 = VRRP packet type: Advertisement (1)
    Virtual Rtr ID: 2
    Priority: 0 (Current Master has stopped participating in VRRP)
    Count IP Addrs: 7
    Auth Type: No Authentication (0)
    Adver Int: 1
    Checksum: 0xa00b [correct]
    IP Address: xxx.x.12.106 (xxx.x.12.106)

    Then 6 more IP addresses when I looked up they were all like Halliburton, DuPont, Verizon, etc…

    Then a Google search rendered this page:

    http://www.freesoftwaremagazine.com/node/1671

    I am a total novice at all of this, but I just thought it was very freaky.



    1: Don't share the same physical network for LAN and WAN!
    2: CARP uses the same protocol number as VRRP.

    If your LAN is on the same physical network as your WAN, I wouldn't wonder if you receive VRRP traffic from your ISP to which your CARP setup answers.
    To me it seems as if you're using a vhid your ISP is using and you're broadcasting stuff into their network that "might" mess things up.

    (EDIT: even though I assume it doesn't :) )



  • @GruensFroeschli:

    1: Don't share the same physical network for LAN and WAN!
    2: CARP uses the same protocol number as VRRP.

    If your LAN is on the same physical network as your WAN, I wouldn't wonder if you receive VRRP traffic from your ISP to which your CARP setup answers.
    To me it seems as if you're using a vhid your ISP is using and you're broadcasting stuff into their network that might mess things up.

    Ah, ok, I was only doing initial testing for clients, so I have shut it down until I can isolate LAN and WAN.

    Thanks! I just hope I didn't mess with all those corps  :o



  • I don't think so, unless your ISP has set up his network in a pretty bad way. It's pretty strange that you see that traffic at your WAN anyway (VRRP of other companies).



  • @dotdash:

    Stop bogarting that, the polite thing to do is to pass it on after a few puffs.
    If you're seeing that traffic, I'd go make sure Dick Cheney wasn't in the parking lot stealing your wifi instead of thinking there is some sort of secret backdoor in your Open Source firewall.

    LMAO



  • @dotdash:

    Stop bogarting that, the polite thing to do is to pass it on after a few puffs.
    If you're seeing that traffic, I'd go make sure Dick Cheney wasn't in the parking lot stealing your wifi instead of thinking there is some sort of secret backdoor in your Open Source firewall.

    :D  I think he's smoking something harder than that.  I vote we change his image avatar to a crack pipe.  ;D

    I've also seen CARP log really strange stuff when you put both interfaces on the same broadcast domain. As has been said already, don't do that.

    Edit: see my next post for the explanation.



  • Figured out why your logs are displaying this way, it's what happens when CARP traffic is decoded as VRRP.

    Explanation from Bill Marquette:

    "CARP uses the same protocol number as VRRP but overlays a different
    struct on top of it.  FreeBSD's tcpdump decodes it as VRRP by default
    (I think you have to use -t carp or something to decode it
    differently).  When it does that, the part of the VRRP struct that
    tells what the VRRP IPs are get decoded as "random" addresses.  In
    CARP, that part of the struct is actually the md5 (blowfish?) hashed
    (with the shared key - password - on all machines in the cluster) high
    availability IP."

    It's not really sending anything outside your network, it's not decoding it correctly so it appears that way. I'm not sure if we can differentiate between CARP and VRRP for logging purposes, we're discussing it.
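
The "same protocol number, different struct" point in the post above, as an added Python example that is not code from this thread, from pfSense or from FreeBSD: it lays out one 36-byte CARP advertisement with the values seen in the log quoted earlier (vhid 2, advskew 0, advbase 1) and then decodes the same bytes once with the VRRPv2 layout from RFC 3768 and once with the CARP layout of the OpenBSD/FreeBSD carp_header (where the trailing 28 bytes are an 8-byte counter plus a 20-byte SHA-1 HMAC, carp_md). The shared key, the counter value and the HMAC input used to fill that field are constructed placeholders; a real CARP HMAC also covers the vhid and the virtual addresses.

```python
"""Why a CARP advertisement looks like a VRRP packet carrying "random" addresses.

Added example, not code from the thread or from pfSense. The sample packet and
the shared key below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

VRRP_HDR = "!BBBBBBH"   # ver/type, vrid, priority, count, auth type, adver int, cksum
CARP_HDR = "!BBBBBBH"   # ver/type, vhid, advskew, authlen, demote, advbase, cksum


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, as used by both VRRP and CARP.
    Over a packet whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_carp_advertisement(vhid: int, advskew: int, advbase: int, counter: int, md: bytes) -> bytes:
    """Lay out the 36-byte CARP header. authlen is always 7 because the
    counter (8 bytes) plus the 20-byte SHA-1 HMAC is 28 bytes = 7 x 32 bits."""
    assert len(md) == 20
    ver_type = (2 << 4) | 1                      # CARP version 2, type 1 = advertisement
    body = struct.pack("!Q", counter) + md
    head = struct.pack(CARP_HDR, ver_type, vhid, advskew, 7, 0, advbase, 0)
    cksum = internet_checksum(head + body)
    return struct.pack(CARP_HDR, ver_type, vhid, advskew, 7, 0, advbase, cksum) + body


def build_vrrp_advertisement(vrid: int, priority: int, addrs: list) -> bytes:
    """A genuine VRRPv2 advertisement (RFC 3768): header, N addresses, 8 bytes auth data."""
    ver_type = (2 << 4) | 1
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs) + b"\x00" * 8
    head = struct.pack(VRRP_HDR, ver_type, vrid, priority, len(addrs), 0, 1, 0)
    cksum = internet_checksum(head + body)
    return struct.pack(VRRP_HDR, ver_type, vrid, priority, len(addrs), 0, 1, cksum) + body


def decode_as_vrrp(pkt: bytes) -> dict:
    """What a VRRP decoder makes of the bytes: the 'count' field tells it how many
    4-byte addresses follow, so CARP's counter + HMAC become seven 'addresses'."""
    ver_type, vrid, prio, count, auth_type, adv_int, cksum = struct.unpack(VRRP_HDR, pkt[:8])
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i: 12 + 4 * i]) for i in range(count)]
    return {"version": ver_type >> 4, "type": ver_type & 0xF, "vrid": vrid,
            "priority": prio, "count_ip_addrs": count, "auth_type": auth_type,
            "adver_int": adv_int, "checksum": cksum, "ip_addresses": addrs}


def decode_as_carp(pkt: bytes) -> dict:
    """The same bytes read with the CARP struct: no addresses are carried at all."""
    ver_type, vhid, advskew, authlen, demote, advbase, cksum = struct.unpack(CARP_HDR, pkt[:8])
    counter = struct.unpack("!Q", pkt[8:16])[0]
    return {"version": ver_type >> 4, "type": ver_type & 0xF, "vhid": vhid,
            "advskew": advskew, "authlen": authlen, "demote": demote,
            "advbase": advbase, "checksum": cksum, "counter": counter,
            "md": pkt[16:36].hex()}


def looks_like_carp(pkt: bytes) -> bool:
    """Heuristic a log or IDS decoder could apply to protocol 112: a CARP
    advertisement is exactly 36 bytes with authlen 7, whereas a VRRPv2 packet
    announcing 7 addresses would be 8 + 28 + 8 = 44 bytes. Heuristic only;
    tcpdump's -T carp is the proper way to decode a capture as CARP."""
    return len(pkt) == 36 and pkt[3] == 7 and internet_checksum(pkt) == 0


# --- constructed sample, mirroring the thread's vhid 2 / advskew 0 / advbase 1 ---
SAMPLE_KEY = b"example-shared-password"        # placeholder, not a real cluster key
SAMPLE_COUNTER = 0x0102030405060708
# Stand-in for the real CARP HMAC input (which also covers vhid and the virtual addresses):
SAMPLE_MD = hmac.new(SAMPLE_KEY, struct.pack("!Q", SAMPLE_COUNTER), hashlib.sha1).digest()


def sample_packet() -> bytes:
    return build_carp_advertisement(2, 0, 1, SAMPLE_COUNTER, SAMPLE_MD)


if __name__ == "__main__":
    pkt = sample_packet()
    print("as VRRP:", decode_as_vrrp(pkt))     # seven bogus 'IP addresses'
    print("as CARP:", decode_as_carp(pkt))     # counter + HMAC, no addresses
    print("looks like CARP:", looks_like_carp(pkt))
```

Read side by side, the two decodes map field for field onto the Wireshark output quoted earlier in the thread: Virtual Rtr ID 2 is the vhid, Priority 0 is advskew, Count IP Addrs 7 is authlen, Auth Type 0 is demote, Adver Int 1 is advbase, and the seven "IP addresses" are the counter and HMAC bytes, which is why reverse-resolving them lands on arbitrary organisations. The checksum is the same ones-complement sum in both protocols, so it verifies as "correct" whichever way the packet is decoded. For a firewall log the length-plus-authlen check above is enough to label such entries CARP rather than VRRP.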



  • @cmb:

    When it does that, the part of the VRRP struct that
    tells what the VRRP IPs are get decoded as "random" addresses.  In
    CARP, that part of the struct is actually the md5 (blowfish?) hashed
    (with the shared key - password - on all machines in the cluster) high
    availability IP."

    So the IP addresses were by chance resolved to those companies. Oh man, I have to stop listening to Alex Jones while at work!

    My other problem is I tried to use a Google image for my crack pipe avatar to no avail!  :(





  • LMAO – Alex Jones is going to make you go mental.


Locked