[lug] wild activity, don't know why.

Gus Huber gus at pbx.org
Thu Aug 9 13:53:18 MDT 2001


I do not have an @home cable modem, but when I lived in Lawrence, KS,
the local cable company had their own cable service.  I noticed that all
of the ARP traffic for the entire segment I was on was visible to me (as
most of it is broadcast traffic).  A good way to look at this is with
tcpdump; see http://ee.lbl.gov/ for more info on tcpdump (most distros
include it in some form someplace).  Most notably, the way DOCSIS modems
work (usually) is that the actual modem interface is assigned a private address.
Most providers use an entire class B from 10.x.0.0.  You should be able to
see most of the ARP traffic on your interface for cable modems requesting ARPs
for the bootp server and vice versa.  You also might see ARP traffic for the
rest of your neighbors' 'public' interface addresses.  This is usually the only
traffic you will see, because I have noticed only broadcast ethernet traffic
seems to go through.

Each 'public' IP address assigned is usually given a /32 subnet, so IP
broadcasts from your machine will only go to your machine.  There is also
an optional mechanism for DES encryption in the modems.

For more information on DOCSIS see http://www.cablemodems.com

For those of you who might have Motorola cable modems, several of the
'Surfboard' model cable modems have a nifty little web status page;
it intercepts all traffic destined to 192.168.0.1 (I think it might be 1.1).

Also note that Motorola cable modems accept any SNMP community you throw at them,
so you could set up some nifty MRTG graphs.


	cheers,
		gus huber <gus at pbx.org>
On Thu, Aug 09, 2001 at 10:59:30AM -0600, Holshouser, David wrote:
> more info:
> I downloaded iptraf and it looks like there is nothing but ARP going across
> the pipe. I can't tell the to or from addresses though. Is there a way to
> see if I am the one generating all the arp traffic?
> 
> Perhaps I've been hacked and I'm being used to DOS the local pipe by ARPing
> it to death.
> Or maybe someone else has fallen victim to this fate.
> 
> This doesn't appear to be CodeRed to me. 
> I did get 375 hits from it yesterday and already 45 today, but that doesn't
> account for a constantly steady activity light.
> 
> That's too bad about losing our ability to serve http requests. I'll miss
> that sorely.
> 
> > -----Original Message-----
> > From: Prescott Oelke [mailto:plkey at home.com]
> > Sent: Thursday, August 09, 2001 10:49 AM
> > To: lug at lug.boulder.co.us
> > Subject: RE: [lug] wild activity, don't know why.
> > 
> > 
> > I've talked to AT&T about this and they have had major problems with Code
> > Red on their cable network (which I am also on). Code Red chooses to scan
> > computers on its own section of the Internet apparently, before venturing
> > further out. Almost all the hits I have been getting are on port 80 and
> > from the 65.x.x.x address block (where my IP resides).
> > 
> > Basically someone (a lot of someones) set up a webserver using M$ IIS
> > server and hasn't patched it yet (most, I've discovered, aren't even aware
> > they're running it). So every time they turn their machines on Code Red
> > begins scanning to find new machines to infect. The guy at AT&T @Home said
> > that they were going to block port 80 off from the outside world on their
> > network. All good and well, but that won't stop computers inside the
> > network from scanning.
> > 
> > I got over 600 hits to my port 80 yesterday alone.
> > 
> > Prescott Oelke
> > 
> > At 10:17 AM 8/9/2001 -0600, you wrote:
> > >I've been seeing a lot of articles in the news lately about this thing
> > >called "Code Red"...
> > >
> > >-----Original Message-----
> > >From: Holshouser, David [mailto:dholshou at ball.com]
> > >
> > >My brother called yesterday to inform me that the activity light has been
> > >solid for the last few days.
> > >I unshared all web content that might have been causing the activity (mp3).
> > >Everything seemed ok.
> > >This morning I got another call with the same message.
> > >_______________________________________________
> > >Web Page:  http://lug.boulder.co.us
> > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > 
> > 
> > 
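David asks above whether he can tell if his own machine is the one generating the ARP traffic, and Gus points him at tcpdump. As an added example (not code from the thread or from tcpdump), the script below parses constructed `tcpdump -n -e arp`-style lines, counts ARP requests per source MAC, and reports how much of the load comes from your own interface; the line format, the sample addresses and the local MAC are all assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -e arp` output (link-level
# header, then the ARP operation). Real output varies by tcpdump version.
SAMPLE = """\
13:53:18.100001 00:a0:cc:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.2.3 tell 10.1.0.1, length 46
13:53:18.100442 00:a0:cc:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.2.4 tell 10.1.0.1, length 46
13:53:18.100903 00:a0:cc:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.2.5 tell 10.1.0.1, length 46
13:53:18.201377 00:e0:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.0.1 tell 10.1.7.9, length 46
13:53:18.201901 00:a0:cc:11:22:33 > 00:e0:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 10.1.0.1 is-at 00:a0:cc:11:22:33, length 28
13:53:18.302555 00:50:da:de:ad:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.2.3 tell 10.1.7.12, length 46
"""

# Source/destination MAC from the link-level header, then either a request
# ("who-has X tell Y") or a reply ("X is-at MAC").
ARP_LINE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP .*?: "
    r"(?:Request who-has (?P<target>[0-9.]+) tell (?P<sender>[0-9.]+)"
    r"|Reply (?P<answer>[0-9.]+) is-at (?P<mac>[0-9a-f:]{17}))", re.I)

def parse_arp_lines(text):
    """Return one dict per recognised ARP frame: kind, source MAC and the IPs involved."""
    frames = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # non-ARP or unrecognised line: skip rather than guess
        if m.group("target"):
            frames.append({"kind": "request", "src": m.group("src").lower(),
                           "sender_ip": m.group("sender"), "target_ip": m.group("target")})
        else:
            frames.append({"kind": "reply", "src": m.group("src").lower(),
                           "sender_ip": m.group("answer"), "target_ip": None})
    return frames

def summarize(frames, local_mac):
    """Requests per source MAC, distinct targets each source asked for, and our own share."""
    local_mac = local_mac.lower()
    requests = [f for f in frames if f["kind"] == "request"]
    by_src = Counter(f["src"] for f in requests)
    targets = {}
    for f in requests:
        targets.setdefault(f["src"], set()).add(f["target_ip"])
    total = len(requests)
    return {"total_requests": total, "by_src": dict(by_src),
            "distinct_targets": {k: len(v) for k, v in targets.items()},
            "local_share": (by_src[local_mac] / total) if total else 0.0,
            "top_talker": by_src.most_common(1)[0][0] if by_src else None}

if __name__ == "__main__":
    print(summarize(parse_arp_lines(SAMPLE), "00:a0:cc:11:22:33"))  # assumed local MAC
```

A source that tops the request count and asks for many distinct targets is the one to look at first; a large `local_share` means the noise is yours, a small one means a neighbor's.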


