[lug] wild activity, don't know why.

Michael J. Hammel mjhammel at graphics-muse.org
Thu Aug 9 11:52:12 MDT 2001


Thus spoke Holshouser, David
> I downloaded iptraf and it looks like there is nothing but ARP going across
> the pipe. I can't tell the to or from addresses though. Is there a way to
> see if I am the one generating all the arp traffic?

Sure, shut down the interface.  ARP requests are software-driven, and if the
inet connection is down, they won't go out.

I did this same test here in Houston (Time/Warner cable) and found the
activity light stayed pretty active (though not solid).  There is a lot of
probing going on right now.

> Perhaps I've been hacked and I'm being used to DOS the local pipe by ARPing
> it to death.
> Or maybe someone else has fallen victim to this fate.

It's someone else, more than likely, if you're on a Linux box.

> This doesn't appear to be CodeRed to me. 

It is.

> I did get 375 hits from it yesterday and already 45 today, but that doesn't
> account for a constantly steady activity light.

I'm running KRUD and set up my gateway box to not accept any incoming
connections via isinglass (very cool stuff, if you haven't tried it - it's
from tummy.com).  Incoming connection attempts get logged as rejected in 
/var/log/messages.  Looking through those I found the IP addresses of the
hosts who were probing me (which recently turned out to be a bunch on the
*inside* of Time/Warner's network address block).  I telnet'd to those IP
addresses on port 80 and did "get html", which produces an error and a note
on which server is running.  Guess what - they're all MS IIS servers.  It's
Code Red doing its thing.

> > further out. Almost all the hits I have been getting are on port 80 and
> > from the 65.x.x.x address block (where my IP resides).

Ditto, but on the 66.x.x.x block, which is Time/Warner's.

> > AT&T @Home said that they were going to block port 80 off from the outside
> > world on their network. All good and well, but that won't stop computers
> > inside the network from scanning.

Which is where most of the scans are coming from here.

Interestingly enough, the frequency of the data light flashes has slowed
slightly over the past week.  It's still pretty active, but not quite so
bad as on Monday or Tuesday.  There are more frequent pauses now.
-- 
Michael J. Hammel           |
The Graphics Muse           |   I'm not tense, just terribly, terribly alert.
mjhammel at graphics-muse.org  |
http://www.graphics-muse.com 
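The log-mining and banner-grab routine Michael describes above (pull the rejected-connection lines out of /var/log/messages, count which source addresses are hammering port 80, note which of them sit inside your own provider's block, then send a junk request to one of them and read off the server name), written out as a small sh script. This is an added example and not code from the post, from isinglass, or from tummy.com. It assumes ipchains-style "Packet log:" reject lines, which is what a 2.2-era kernel wrote and what isinglass on KRUD would have produced; if your firewall logs in a different format, only the awk pattern in port80_sources needs changing. The sample log lines and the 66.25.x.x addresses in them are constructed for the demonstration, and server_banner needs nc(1) on the path and a live host, so it is the one function here that does not run offline.

```shell
#!/bin/sh
# Added example, not from the original post: count the hosts whose port-80
# connection attempts your firewall rejected, and identify one of them by
# the Server: header it returns to a bogus request.
#
# ASSUMPTION: reject lines look like ipchains "Packet log:" lines, e.g.
#   ... kernel: Packet log: input REJECT eth0 PROTO=6 SRC:SPORT DST:DPORT ...
# Adjust the awk below for iptables-style "SRC=... DST=... DPT=..." logs.

# Constructed sample data (not a real log) so the script runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug  9 10:01:02 gw kernel: Packet log: input REJECT eth0 PROTO=6 66.25.10.4:3122 66.25.11.9:80 L=48 S=0x00 I=1 F=0x4000 T=112 SYN (#7)
Aug  9 10:01:05 gw kernel: Packet log: input REJECT eth0 PROTO=6 66.25.10.4:3140 66.25.11.9:80 L=48 S=0x00 I=2 F=0x4000 T=112 SYN (#7)
Aug  9 10:02:11 gw kernel: Packet log: input REJECT eth0 PROTO=6 24.3.5.7:4011 66.25.11.9:80 L=48 S=0x00 I=3 F=0x4000 T=110 SYN (#7)
Aug  9 10:03:40 gw kernel: Packet log: input REJECT eth0 PROTO=6 66.25.12.77:1025 66.25.11.9:80 L=48 S=0x00 I=4 F=0x4000 T=128 SYN (#7)
Aug  9 10:04:00 gw kernel: Packet log: input REJECT eth0 PROTO=6 66.25.12.77:1026 66.25.11.9:80 L=48 S=0x00 I=5 F=0x4000 T=128 SYN (#7)
Aug  9 10:04:01 gw kernel: Packet log: input REJECT eth0 PROTO=6 66.25.12.77:1027 66.25.11.9:80 L=48 S=0x00 I=6 F=0x4000 T=128 SYN (#7)
Aug  9 10:05:00 gw kernel: Packet log: input REJECT eth0 PROTO=6 10.0.0.5:2000 66.25.11.9:22 L=48 S=0x00 I=7 F=0x4000 T=64 SYN (#8)
EOF

# port80_sources LOGFILE [PREFIX]
# Prints "COUNT SRC_IP" lines, busiest source first, for every rejected TCP
# connection whose destination port was 80.  With PREFIX (e.g. "66.25") only
# sources inside that address block are counted, which is how you see whether
# the scanning is coming from inside your own provider's network.
port80_sources() {
    awk -v prefix="${2:-}" '
        /Packet log:/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++)
                if ($i == "PROTO=6") { src = $(i + 1); dst = $(i + 2) }
            if (src == "" || dst == "") next
            n = split(dst, d, ":")
            if (d[n] != "80") next              # only web probes
            split(src, s, ":"); ip = s[1]
            if (prefix != "" && index(ip, prefix ".") != 1) next
            print ip
        }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# extract_banner
# Reads an HTTP response on stdin and prints the value of its Server: header.
extract_banner() {
    tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^ ]+ +/, ""); print; exit }'
}

# server_banner HOST
# Sends the same junk request the post describes.  "get html" is not valid
# HTTP, so the server answers with an error page whose headers name it.
# Requires nc(1) and network access; not exercised offline.
server_banner() {
    printf 'get html\r\n\r\n' | nc -w 3 "$1" 80 | extract_banner
}

echo "All port-80 probe sources:"
port80_sources "$SAMPLE_LOG"
echo "Probe sources inside the 66.25.0.0/16 block:"
port80_sources "$SAMPLE_LOG" 66.25
```

On a real gateway, run it against /var/log/messages instead of the sample file and feed the busiest address to server_banner; an "HTTP/1.1 400 Bad Request" with a Microsoft-IIS Server: header from a neighbour in your own /16 is exactly the pattern the post reports.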