understanding ARP was: RE: [lug] wild activity, don't know why.

D. Stimits stimits at idcomm.com
Thu Aug 9 15:01:22 MDT 2001


I would be nervous too. But, if everyone out there has network
neighborhood going (and that includes samba), then they are probably all
talking to each other. It would be rather important to have firewalling
set up to allow only necessary IPs access to ports 137 through 139. And
as for anything like DHCP or DNS, never let anyone talk to it but the
exact IPs that need to. Even if you don't block traffic, ipchains and
firewall logging rules give you a lot of info on what is hitting the
ports... you can simply tell it to log, and not block.

D. Stimits, stimits at idcomm.com
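The log-but-don't-block approach above produces "Packet log:" entries in /var/log/messages. The script below is an added example (not from the thread or from the ipchains project) that reads such entries, counts which source addresses are hitting the NetBIOS (137-139), DNS (53) and DHCP (67/68) ports, and flags any source not on an allow-list. The log lines are constructed to follow the ipchains kernel log layout, and the allow-list addresses are hypothetical.

```python
"""Summarise ipchains 'Packet log:' lines and flag unexpected sources.

Added example, not code from the thread. SAMPLE_LOG is constructed to
match the ipchains kernel log format ("Packet log: <chain> <verdict>
<iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."); ALLOWED is a
hypothetical allow-list for a small LAN.
"""
import re
from collections import Counter, defaultdict

# Only the fields needed for the summary are captured.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Services the reply says should only be reachable from specific hosts.
WATCHED = {
    "netbios": {137, 138, 139},
    "dns": {53},
    "dhcp": {67, 68},
}

# Hypothetical allow-list: sources that may legitimately reach each service.
ALLOWED = {
    "netbios": {"192.168.1.20", "192.168.1.21"},
    "dns": {"192.168.1.20", "192.168.1.21"},
    "dhcp": {"192.168.1.20"},
}


def service_for_port(port):
    """Map a destination port to a watched service name, or None."""
    for name, ports in WATCHED.items():
        if port in ports:
            return name
    return None


def parse_line(line):
    """Parse one syslog line; return a dict of fields or None if not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def summarise(lines):
    """Return (hits, unexpected).

    hits[service][src] counts packets per source for each watched service;
    unexpected lists (service, src, dport) for sources not on the allow-list.
    """
    hits = defaultdict(Counter)
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        svc = service_for_port(rec["dport"])
        if svc is None:
            continue
        hits[svc][rec["src"]] += 1
        if rec["src"] not in ALLOWED[svc]:
            unexpected.append((svc, rec["src"], rec["dport"]))
    return hits, unexpected


# Constructed sample: NetBIOS, DNS, DHCP and one unrelated port-80 entry.
SAMPLE_LOG = [
    "Aug  9 14:01:22 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.168.1.20:137 192.168.1.1:137 L=78 S=0x00 I=1 F=0x0000 T=128 (#4)",
    "Aug  9 14:01:23 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.7:2341 192.168.1.1:139 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#4)",
    "Aug  9 14:01:23 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.7:2342 192.168.1.1:139 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#4)",
    "Aug  9 14:01:24 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.168.1.21:1025 192.168.1.1:53 L=62 S=0x00 I=4 F=0x0000 T=64 (#5)",
    "Aug  9 14:01:25 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:4001 192.168.1.1:80 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#6)",
    "Aug  9 14:01:26 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.0.33:68 255.255.255.255:67 L=328 S=0x00 I=6 F=0x0000 T=128 (#7)",
    "Aug  9 14:01:27 gw kernel: eth0: link is up",
]

if __name__ == "__main__":
    hits, unexpected = summarise(SAMPLE_LOG)
    for svc, counter in hits.items():
        for src, n in counter.most_common():
            print(f"{svc:8} {src:16} {n}")
    for svc, src, dport in unexpected:
        print(f"not on allow-list: {src} -> {svc} (port {dport})")
```

Against a real system the same function can be fed `open("/var/log/messages")` directly, since the parser ignores any line without a "Packet log:" entry.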

"Holshouser, David" wrote:
> 
> I won't be able to be in physical contact with the box for at least a week.
> Is there another way to follow ARP activity?
> 
> Why would my machine be broadcasting ~40-45 uniq ARP requests per second?
> Could this be considered normal during an attack like what we are seeing due
> to CR&CRII?
> 
> I feel a little uneasy that my machine is putting so much crap out into the
> world (at least into the local net).
> 
> Any ideas, things to check / do, or just a better understanding of the ARP
> world would be nice.
> I thought I understood this system but this just doesn't make sense to me.
> 
> > -----Original Message-----
> > From: Michael J. Hammel [mailto:mjhammel at graphics-muse.org]
> > Sent: Thursday, August 09, 2001 11:52 AM
> > To: lug at lug.boulder.co.us
> > Subject: Re: [lug] wild activity, don't know why.
> >
> >
> > Thus spoke Holshouser, David
> > > I downloaded iptraf and it looks like there is nothing but ARP going across
> > > the pipe. I can't tell the to or from addresses though. Is there a way to
> > > see if I am the one generating all the arp traffic?
> >
> > Sure, shut down the interface.  ARP requests are software driven and if the
> > inet connection is down, it won't go out.
> >
> > I did this same test here in Houston (Time/Warner cable) and found the
> > activity light stayed pretty active (though not solid).  There is a lot of
> > probing going on right now.
> >
> > > Perhaps I've been hacked and I'm being used to DOS the local pipe by ARPing
> > > it to death.
> > > Or maybe someone else has fallen victim to this fate.
> >
> > It's someone else, more than likely, if you're on a Linux box.
> >
> > > This doesn't appear to be CodeRed to me.
> >
> > It is.
> >
> > > I did get 375 hits from it yesterday and already 45 today, but that doesn't
> > > account for a constantly steady activity light.
> >
> > I'm running KRUD and set up my gateway box to not accept any incoming
> > connections via isinglass (very cool stuff, if you haven't tried it - it's
> > from tummy.com).  Incoming connection attempts get logged as rejected in
> > /var/log/messages.  Looking through those I found the IP addresses of the
> > hosts who were probing me (which recently turned out to be a bunch on the
> > *inside* of Time/Warners network address block).  I telnet'd to those IP
> > addresses on port 80 and did "get html", which produces an error and a note
> > on which server is running.  Guess what - they're all MS IIS servers.  It's
> > code red doing its thing.
> >
> > > > further out. Almost all the hits I have been getting are on
> > > > port 80 and
> > > > from the 65.x.x.x address block (where my IP resides).
> >
> > Ditto, but on the 66.x.x.x block which is Time/Warners.
> >
> > > > AT&T @Home said
> > > > that they were going to block port 80 off from the outside world on their
> > > > network. All good and well, but that won't stop computers inside the
> > > > network from scanning.
> >
> > Which is where most of the scans are coming from here.
> >
> > Interestingly enough, the frequency of the data light flashes has slowed
> > slightly over the past week.  It's still pretty active, but not quite so
> > bad as on Monday or Tuesday.  There are more frequent pauses now.
> > --
> > Michael J. Hammel           |
> > The Graphics Muse           |   I'm not tense, just terribly, terribly alert.
> > mjhammel at graphics-muse.org  |   http://www.graphics-muse.com
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
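David asks for a way to follow ARP activity without being at the console, and notes that iptraf does not show him the to/from addresses. Both are in the ARP payload itself: a request carries the sender's MAC and IP and the IP being asked for. The following is an added example, not code from anyone in the thread, that parses raw Ethernet/ARP frames, counts requests per sender per second and per target, and reports senders above a rate threshold (the 40-45 requests per second figure above would stand out immediately). The frames are constructed in memory so it runs offline; with a raw socket or a pcap reader the same bytes come off the wire. MAC and IP values are made up.

```python
"""Count ARP requests per sender from captured frames.

Added example, not part of the thread. SAMPLE_CAPTURE is constructed in
memory (Ethernet II + ARP) rather than read from an interface; in practice
the same bytes would come from a raw socket or a pcap reader. All MAC and
IP values below are invented.
"""
import struct
from collections import Counter, defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet hardware / IPv4 protocol addresses handled
    return oper, mac_str(sha), ip_str(spa), ip_str(tpa)


def arp_request_stats(capture):
    """capture: iterable of (timestamp_seconds, frame_bytes).

    Returns {sender_mac: {"ip", "total", "targets", "peak_per_sec"}} for ARP
    requests only; replies and non-ARP frames are ignored.
    """
    per_second = defaultdict(Counter)  # sender -> {whole second: request count}
    info = {}
    for ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue
        _, sha, spa, tpa = parsed
        per_second[sha][int(ts)] += 1
        entry = info.setdefault(sha, {"ip": spa, "total": 0, "targets": set()})
        entry["total"] += 1
        entry["targets"].add(tpa)
    for sha, entry in info.items():
        entry["peak_per_sec"] = max(per_second[sha].values())
    return info


def noisy_senders(stats, threshold):
    """MACs whose peak one-second request count reaches the threshold."""
    return sorted(mac for mac, e in stats.items() if e["peak_per_sec"] >= threshold)


def build_arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast ARP request frame (used only to construct the sample)."""
    eth = ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac, src_ip, b"\x00" * 6, target_ip)
    return eth + arp


# Constructed capture: one host asking for 40 different addresses within a
# single second (the pattern described in the thread), one host behaving normally.
BUSY = bytes.fromhex("00aa11bb22cc")
NORMAL = bytes.fromhex("00dd33ee44ff")
SAMPLE_CAPTURE = []
for i in range(40):
    SAMPLE_CAPTURE.append((100.0 + i / 40, build_arp_request(BUSY, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 100 + i]))))
SAMPLE_CAPTURE.append((100.2, build_arp_request(NORMAL, bytes([10, 0, 0, 6]), bytes([10, 0, 0, 1]))))
SAMPLE_CAPTURE.append((101.5, build_arp_request(NORMAL, bytes([10, 0, 0, 6]), bytes([10, 0, 0, 1]))))
SAMPLE_CAPTURE.append((101.7, b"\x00" * 20))  # truncated junk, ignored by the parser

if __name__ == "__main__":
    stats = arp_request_stats(SAMPLE_CAPTURE)
    for mac, e in stats.items():
        print(f"{mac} ({e['ip']}): {e['total']} requests, peak {e['peak_per_sec']}/s, {len(e['targets'])} targets")
    print("noisy:", noisy_senders(stats, 30))
```

Comparing the reported sender MAC against the local interface's address answers the "is it me?" question without taking the interface down; a sender walking through many distinct target IPs in a second is the same pattern Hammel attributes to infected hosts scanning their neighbours.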