Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-20 Thread Daniel Klein

On 10/12/19 5:03 PM, Stefan Krusche wrote:


Why would my machine send these requests?

Any hint much appreciated.


That's not your machine, it's the next hop in the network segment Vodafone 
(formerly Kabel Deutschland) uses.

It's the same here:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.65.125.254   0.0.0.0         UG    0      0        0 eth2


Seems we may be in the same segment. Where are you coming from, if I may ask?


Daniel
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
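Daniel's point is that the "tell" address in these requests is the segment's next hop, not Stefan's own host. The quickest way to check that on a capture is to parse the `tcpdump -n` lines and split them by whether the sender is one of your own addresses. The following is an added example, not code from the thread: the capture lines are constructed (modelled on the ones quoted further down), and `LOCAL_IPS` is an assumed set of the host's own addresses; the observation that a frame captured on its way out still shows length 28 while received frames carry wire padding to 46 is also an assumption about typical Linux capture behaviour.

```python
import re
from collections import Counter

# Constructed sample: "tcpdump -n" lines of the kind quoted in this thread
# (ARP requests seen on the public interface), plus one reply and one
# request sent by the local host itself.
SAMPLE_CAPTURE = """\
10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
10:34:53.090011 ARP, Request who-has 91.65.138.200 tell 91.65.138.254, length 46
10:34:53.100500 ARP, Reply 91.65.138.254 is-at 00:17:10:9a:24:a8, length 46
10:34:53.120000 ARP, Request who-has 91.65.138.254 tell 91.65.138.120, length 28
"""

# Assumed set of addresses configured on this host (constructed; the values
# mirror the ifconfig output quoted in the thread).
LOCAL_IPS = {"91.65.138.120", "192.168.19.1"}

ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<target>\S+) "
    r"tell (?P<sender>\S+), length (?P<length>\d+)$"
)


def parse_arp_requests(text):
    """Parse every 'ARP, Request who-has X tell Y' line; replies and
    unrelated lines are skipped."""
    requests = []
    for line in text.splitlines():
        m = ARP_REQUEST.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["length"] = int(rec["length"])
            requests.append(rec)
    return requests


def classify(requests, local_ips):
    """Split requests into those our own host sent (the 'tell' address is
    one of ours) and those we merely observed on the segment."""
    own = [r for r in requests if r["sender"] in local_ips]
    observed = [r for r in requests if r["sender"] not in local_ips]
    return own, observed


def sender_counts(requests):
    """How many requests each 'tell' address sent. In the thread the senders
    all end in .254, i.e. they look like segment gateways, not this host."""
    return Counter(r["sender"] for r in requests)


def report(text, local_ips):
    requests = parse_arp_requests(text)
    own, observed = classify(requests, local_ips)
    return {
        "requests": len(requests),
        "own": len(own),
        "observed": len(observed),
        "observed_senders": sender_counts(observed),
        # Assumption: frames captured on the way out are still 28 bytes,
        # frames received from the wire carry padding to the Ethernet minimum.
        "own_lengths": sorted({r["length"] for r in own}),
        "observed_lengths": sorted({r["length"] for r in observed}),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CAPTURE, LOCAL_IPS).items():
        print(f"{key}: {value}")
```

If `own` stays empty while `observed` keeps growing, the traffic is somebody else's broadcast on a shared segment, which is what jnettop's TX counter was picking up here; only a non-empty `own` list would point at a local routing or configuration problem.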


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-16 Thread s
Hi mett,

> 
> Hi, 
> 
> if this is really outgoing arp request,
> maybe ur default route is not properly 
> configured.
> Like u have no next-hop address,
> only an outgoing interface as a default
> route:
> 
> ip route default dev en0  
> 
> instead of   
> 
> ip route default via 91.sm.th.ing dev en0
> 
> In that case, ur host thinks every host is attached to it, and therefore ARPs
> for each host.
> 
> I said if bc what u showed didn't seem 
> coming from ur host.
> 
> Can u verify that all the arp requests 
> are from ur host? 
> ie. the outgoing interface, en0 if i 
> understood properly 
> (the interface with a public ip address).
> 
> hth

Exactly, it could indeed be a routing problem: since he owns 2 networks, he needs 
to route the DNS traffic via the public interface 'en0'..

But the thing is, he will need 2 default gateways.. one for the public network 
'91.65.138.0/??' (what you designated as the default gateway..),
and one for the internal private network '192.168.19.0/24' (delivering DHCP and 
the DNS cache queries he caches on that machine..)

He can accomplish that in Debian.
You need to do it using 'policy routing' (Red Hat permitted binding a routing 
table directly to an interface.. I think I already saw that in Debian too, but 
it's not the same thing.. so this solution is a bit more difficult..)
For that, see 
'https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System'
or 
'https://unix.stackexchange.com/questions/35713/adding-two-default-gateways-in-debian-interfaces-file/35822'

After creating a new routing table and assigning routing rules, you should see 
that you have 2 default gateways, one for public traffic and one for private..


But... IF he doesn't own or contact that machine 
('ip5b418c91.dynamic.kabel-deutschland.de - 91.65.140.145'), why is it trying 
to learn its MAC address??
It could even be that the master DNS server is down or unreachable and he 
needs to contact the slave server.. don't know

But I think that this was his first question..

Best Regards
-- 
tux 


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread s
Hi Stefan,

> > first of all, your machine seems to be the dns server, or you have
> > static ips assigned?
> 
> Yes, unbound DNS resolver is running on this machine. No static IPs.
> 
You have a public dynamic IP, I assume.

So you are in the domain: 'dynamic.kabel-deutschland.de'
but by what I see, that domain is a /24 or not??
you:
FQDN: ip5b418cfe.dynamic.kabel-deutschland.de 
IP: 91.65.138.120/24

Someone else:
FQDN: ip5b418c91.dynamic.kabel-deutschland.de
IP: 91.65.140.145  /24??

Something strange: you have 2 different *public* networks in the same domain?

Another thing..
Are you trying to have 2 machines connected with a foreign dynamic DNS service, 
e.g. like 'https://www.noip.com/free'?

> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
> 
> 
Who is 'ip5b418c91.dynamic.kabel-deutschland.de'??
Is it another machine of yours?

Do a:
arping 91.65.140.145
and check the MAC address, compare it with any one of yours..

> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145

It's a different network than yours, but they have exactly the same domain.. 
weird??
What is the DNS server that responds to that request?
It should be: '83.169.184.33'

> AIUI I have a ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
>
Any IP address of your network should be there (192.168.19.2, 192.168.19.3??), 
but if none was contacted then it's ok..


> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?
> 
No, I don't even know what 'unbound' is..

But if you are using an external service, depending on the type of external 
dynamic DNS service,
yes, some 15 years ago I was already using 'https://www.noip.com/free', and
I have seen tons of cases like mine out there (they don't offer you a 
dynamic DNS service for free... free for them means your information is sold 
on the black market... they need to make money.. no one offers free services.. 
)..

But that doesn't mean you are the case here.. (I don't even know what the domain 
'dynamic.kabel-deutschland.de' is..)

Your machine is acting as a DNS cache server for the network 192.168.19.0/24, 
from what it seems..

--
Best Regards, 
tux 


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread mett
On 2019年10月13日 18:24:54 JST, "Dr. Nikolaus Klepp"  wrote:
>Anno domini 2019 Sun, 13 Oct 10:47:30 +0200
> Stefan Krusche scripsit:
>> Am Sonntag, 13. Oktober 2019 schrieb Dr. Nikolaus Klepp:
>> > There is some misunderstanding: The ARP packet has nothing to do
>> > with DNS. 
>> 
>> That's what I've been thinking and why I asked.
>> 
>> > It basically links MAC to IP - and you can do funny things 
>> > with it. 
>> 
>> Okay, I still can't seem to connect the dots…
>> 
>> > tcpdump just makes the name resolution for you, use "tcpdump 
>> > -n" to go without it. e.g.:
>> >
>> > # tcpdump -n
>> > 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell
>192.168.1.1,
>> > length 28 10:28:14.675980 ARP, Reply 192.168.1.190 is-at
>> > 00:1b:77:53:6c:43, length 28
>> 
>> Alright. What attracts my attention is that here length is 28, just 
>> like the ARP message format is explained on the site you recommended, 
>> whereas it is 46 on my machine:
>> 
>> $ sudo tcpdump -n
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
>> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
>> 
>> Is this relevant in any way related to exaggerated ARP requests?
>
>My ARP comes from wifi, yours is ethernet. 28 bytes is the ARP packet
>size, but it's padded to the ethernet minimum frame:
>https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet
>
>You can ask tcpdump to give you a hex dump of the packets and
>investigate:
># tcpdump -nx
>
>11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
>   0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
>   0x0010:  0101 0000 0000 0000 c0a8 01be
>11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>   0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
>   0x0010:  01be c493 0007 4ca5 c0a8 0101
>
>
>> 
>> > arp cache should only have as many entries as other MAC addresses are
>> > active in your part of the lan. If you are alone on your router, then
>> > it's just your router's MAC in the cache.
>> 
>> This seems to be the case (see OP).
>> 
>> Thank you, Nik.
>> 
>> Stefan
>> 

Hi, 

if this is really outgoing arp request,
maybe ur default route is not properly 
configured.
Like u have no next-hop address,
only an outgoing interface as a default
route:

ip route default dev en0  

instead of   

ip route default via 91.sm.th.ing dev en0

In that case, ur host thinks every host is attached to it, and therefore ARPs
for each host.

I said if bc what u showed didn't seem 
coming from ur host.

Can u verify that all the arp requests 
are from ur host? 
ie. the outgoing interface, en0 if i 
understood properly 
(the interface with a public ip address).

hth
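mett's point is the difference between a default route that names a next hop and one that names only an interface: in the second form the kernel treats every destination as on-link and sends an ARP request for each one. The following is an added example, not code from the thread: it performs a longest-prefix route lookup over two constructed routing tables (modelled on the two `ip route` forms above, with the gateway address taken from Stefan's `arp -n` output) and reports which address the host would have to resolve with ARP for a given destination. The interface names and the table contents are assumptions for illustration.

```python
import ipaddress

# Constructed routing tables modelled on the two forms contrasted above.
# Each entry: (destination prefix, next hop or None, outgoing interface).
# A next hop of None means the route is on-link: the kernel will ARP for
# the destination address itself.
ROUTES_VIA = [
    ("91.65.138.0/24", None, "en0"),         # connected public segment
    ("192.168.19.0/24", None, "lan0"),       # connected private LAN
    ("0.0.0.0/0", "91.65.138.254", "en0"),   # default via the ISP gateway
]
ROUTES_DEV_ONLY = [
    ("91.65.138.0/24", None, "en0"),
    ("192.168.19.0/24", None, "lan0"),
    ("0.0.0.0/0", None, "en0"),              # default with no next hop
]


def lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def arp_target(routes, dst):
    """Which address the host must resolve with ARP to reach dst.

    With a next hop the host resolves the gateway once and caches it; with
    an interface-only default route every off-link destination is treated
    as on-link and gets its own ARP request, which nobody answers."""
    match = lookup(routes, dst)
    if match is None:
        raise ValueError(f"no route to {dst}")
    _net, next_hop, iface = match
    return iface, (next_hop if next_hop is not None else dst)


def distinct_arp_targets(routes, destinations):
    """Set of addresses that would be ARPed for a batch of destinations."""
    return {arp_target(routes, d)[1] for d in destinations}


if __name__ == "__main__":
    dsts = ["8.8.8.8", "1.1.1.1", "91.65.140.145", "192.168.19.2"]
    for name, table in (("default via gateway", ROUTES_VIA),
                        ("default dev only", ROUTES_DEV_ONLY)):
        print(name)
        for d in dsts:
            print("  ", d, "->", arp_target(table, d))
        print("   distinct ARP targets:",
              sorted(distinct_arp_targets(table, dsts)))
```

With the gateway form, every off-link destination collapses onto one ARP target (the gateway), so the ARP cache holds a single entry, which matches Stefan's `arp -n` output; with the interface-only form the number of ARP targets grows with the number of destinations contacted.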


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread Dr. Nikolaus Klepp
Anno domini 2019 Sun, 13 Oct 10:47:30 +0200
 Stefan Krusche scripsit:
> Am Sonntag, 13. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> > There is some misunderstanding: The ARP packet has nothing to do
> > with DNS. 
> 
> That's what I've been thinking and why I asked.
> 
> > It basically links MAC to IP - and you can do funny things 
> > with it. 
> 
> Okay, I still can't seem to connect the dots…
> 
> > tcpdump just makes the name resolution for you, use "tcpdump 
> > -n" to go without it. e.g.:
> >
> > # tcpdump -n
> > 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1,
> > length 28 10:28:14.675980 ARP, Reply 192.168.1.190 is-at
> > 00:1b:77:53:6c:43, length 28
> 
> Alright. What attracts my attention is that here length is 28, just 
> like the ARP message format is explained on the site you recommended, 
> whereas it is 46 on my machine:
> 
> $ sudo tcpdump -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 
> 46
> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
> 
> Is this relevant in any way related to exaggerated ARP requests?

My ARP comes from wifi, yours is ethernet. 28 bytes is the ARP packet size, but 
it's padded to the ethernet minimum frame:
https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet

You can ask tcpdump to give you a hex dump of the packets and investigate:
# tcpdump -nx

11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
0x0010:  0101 0000 0000 0000 c0a8 01be
11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
0x0010:  01be c493 0007 4ca5 c0a8 0101


> 
> > arp cache should only have as many entries as other MAC addresses are
> > active in your part of the lan. If you are alone on your router, then
> > it's just your router's MAC in the cache.
> 
> This seems to be the case (see OP).
> 
> Thank you, Nik.
> 
> Stefan
> 
> 



-- 
Please do not email me anything that you are not comfortable also sharing with 
the NSA, CIA ...
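Nik's hex dumps can be decoded by hand against the ARP header layout: 2 bytes hardware type, 2 bytes protocol type, 1 byte each for hardware and protocol address length, 2 bytes opcode, then sender MAC, sender IP, target MAC, target IP. The following is an added example, not code from the thread: it decodes those two 28-byte bodies (copied from the dump above), prints them in tcpdump's one-line form, and shows where the 46 Stefan sees comes from by zero-padding the body to the Ethernet minimum payload. The helper names and the padding routine are this example's own.

```python
import struct

# The two 28-byte ARP bodies from the tcpdump -nx output above, as hex
# (copied; bytes.fromhex ignores the whitespace between groups).
REQUEST_HEX = "0001 0800 0604 0001 c493 0007 4ca5 c0a8 0101 0000 0000 0000 c0a8 01be"
REPLY_HEX = "0001 0800 0604 0002 001b 7753 6c43 c0a8 01be c493 0007 4ca5 c0a8 0101"

ETHERNET_MIN_PAYLOAD = 46   # shorter payloads are zero-padded on the wire
ARP_IPV4_LEN = 28           # 8-byte header + 2 * (6-byte MAC + 4-byte IPv4)
OPCODES = {1: "Request", 2: "Reply"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def decode_arp(payload):
    """Decode an Ethernet/IPv4 ARP body; trailing bytes are treated as padding."""
    if len(payload) < ARP_IPV4_LEN:
        raise ValueError(f"ARP body too short: {len(payload)} bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "op": OPCODES.get(op, f"opcode {op}"),
        "sender_mac": mac(sha), "sender_ip": ipv4(spa),
        "target_mac": mac(tha), "target_ip": ipv4(tpa),
        "arp_length": ARP_IPV4_LEN,
        "padding": len(payload) - ARP_IPV4_LEN,
    }


def tcpdump_summary(info):
    """Render the decoded fields the way tcpdump -n prints them."""
    if info["op"] == "Request":
        who = f"who-has {info['target_ip']} tell {info['sender_ip']}"
    else:
        who = f"{info['sender_ip']} is-at {info['sender_mac']}"
    return f"ARP, {info['op']} {who}, length {info['arp_length']}"


def pad_to_ethernet_minimum(payload):
    """What the sending NIC does on the wire: zero-fill up to 46 bytes,
    which is why a receiver's tcpdump reports length 46, not 28."""
    return payload + b"\x00" * max(0, ETHERNET_MIN_PAYLOAD - len(payload))


if __name__ == "__main__":
    for name, hx in (("request", REQUEST_HEX), ("reply", REPLY_HEX)):
        raw = bytes.fromhex(hx)
        print(name, tcpdump_summary(decode_arp(raw)))
        padded = pad_to_ethernet_minimum(raw)
        print("  on the wire:", len(padded), "bytes,",
              decode_arp(padded)["padding"], "bytes of padding")
```

The all-zero target MAC in the request is the field the reply fills in; everything after byte 28 is padding and carries no ARP information, so the length difference between Nik's wifi capture and Stefan's ethernet capture is not itself a sign of anything unusual.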


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread Stefan Krusche
Am Sonntag, 13. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> There is some misunderstanding: The ARP packet has nothing to do
> with DNS. 

That's what I've been thinking and why I asked.

> It basically links MAC to IP - and you can do funny things 
> with it. 

Okay, I still can't seem to connect the dots…

> tcpdump just makes the name resolution for you, use "tcpdump 
> -n" to go without it. e.g.:
>
> # tcpdump -n
> 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1,
> length 28 10:28:14.675980 ARP, Reply 192.168.1.190 is-at
> 00:1b:77:53:6c:43, length 28

Alright. What attracts my attention is that here length is 28, just 
like the ARP message format is explained on the site you recommended, 
whereas it is 46 on my machine:

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46

Is this relevant in any way related to exaggerated ARP requests?

> arp cache should only have as many entries as other MAC addresses are
> active in your part of the lan. If you are alone on your router, then
> it's just your router's MAC in the cache.

This seems to be the case (see OP).

Thank you, Nik.

Stefan



Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread Dr. Nikolaus Klepp
Anno domini 2019 Sun, 13 Oct 10:13:31 +0200
 Stefan Krusche scripsit:
> Hello Tux,
> 
> thanks for your reply.
> 
> "s@po"  schrieb am 12.10.2019 20:10:
> 
> > > Why would my machine send these requests?
> >
> > first of all, your machine seems to be the dns server, or you have
> > static ips assigned?
> 
> Yes, unbound DNS resolver is running on this machine. No static IPs.
> 
> > # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
> 
> I have a huge /etc/hosts file for blocking purposes. There are a
> handful lines for IPs to the LAN like this which are not in use,
> i.e. I have no LAN, only a laptop rarely connected to this machine:
> 
> $ head /etc/hosts
> 127.0.0.1   localhost
> 127.0.1.1   rubians
> 192.168.19.1    rubians
> 192.168.19.2    rubiana
> 192.168.19.3    rubiano
> 
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1   # this is for unbound on localhost
> nameserver 83.169.184.33  # ISP's name server
> nameserver 83.169.184.97  # ISP's name server
> 
> $ ifconfig -a
> lan0: flags=4099  mtu 1500
>         inet 192.168.19.1  netmask 255.255.255.0  broadcast 192.168.19.255
>         ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> net0: flags=4163  mtu 1500
>         inet 91.65.138.120  netmask 255.255.255.0  broadcast 91.65.138.255
>         inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20
>         ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
>         RX packets 544261  bytes 36150630 (34.4 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 9509  bytes 923017 (901.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> > Then, find the processes that are running with open sockets..
> > Check which ones are running, and verify why..
> > # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}
> 
> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
> 
> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145
> 
> $ lsof -nP -i4tcp@91.65.140.145
> $ echo $?
> 1
> 
> Well, I can't seem to catch one - maybe I am too slow because the
> connections are to short-lived?!
> 
> $ lsof -nP -i4tcp
> COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> unbound   2924 unbound    6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound   10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound   12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
> tdeio_ima 3906  stekru    8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
> dictd     4888   dictd   37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)
> 
> > If that is a desktop machine, you should have a DNS server somewhere
> > in the network.. It could be that you have no ARP cache, and it is
> > requesting every time..
> 
> AIUI I have a ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
> 
> > Having dynamic DNS services also doesn't help
> > much with your security, since they are one of the major risks for breaking
> > into computers.. And you seem to have configured some dynamic DNS
> > services..
> 
> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?

There is some misunderstanding: The ARP packet has nothing to do with DNS. It 
basically links MAC to IP - and you can do funny things with it. tcpdump just 
makes the name resolution for you, use "tcpdump -n" to go without it. e.g.:

# tcpdump -n
10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28

arp cache should only have as many entries as other MAC addresses are active in 
your part of the lan. If you are alone on your router, then it's just your 
router's MAC in the cache.

nik

> 
> Kind regards,
> Stefan





Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread Stefan Krusche
Hello Tux,

thanks for your reply.

"s@po"  schrieb am 12.10.2019 20:10:

> > Why would my machine send these requests?
>
> first of all, your machine seems to be the dns server, or you have
> static ips assigned?

Yes, unbound DNS resolver is running on this machine. No static IPs.

> # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}

I have a huge /etc/hosts file for blocking purposes. There are a
handful lines for IPs to the LAN like this which are not in use,
i.e. I have no LAN, only a laptop rarely connected to this machine:

$ head /etc/hosts
127.0.0.1   localhost
127.0.1.1   rubians
192.168.19.1    rubians
192.168.19.2    rubiana
192.168.19.3    rubiano

$ cat /etc/resolv.conf
nameserver 127.0.0.1   # this is for unbound on localhost
nameserver 83.169.184.33  # ISP's name server
nameserver 83.169.184.97  # ISP's name server

$ ifconfig -a
lan0: flags=4099  mtu 1500
        inet 192.168.19.1  netmask 255.255.255.0  broadcast 192.168.19.255
        ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

net0: flags=4163  mtu 1500
        inet 91.65.138.120  netmask 255.255.255.0  broadcast 91.65.138.255
        inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20
        ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
        RX packets 544261  bytes 36150630 (34.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9509  bytes 923017 (901.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

> Then, find the processes that are running with open sockets..
> Check which ones are running, and verify why..
> # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}

$ sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46

$ nslookup ip5b418c91.dynamic.kabel-deutschland.de
Address: 91.65.140.145

$ lsof -nP -i4tcp@91.65.140.145
$ echo $?
1

Well, I can't seem to catch one - maybe I am too slow because the
connections are to short-lived?!

$ lsof -nP -i4tcp
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound   2924 unbound    6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound   2924 unbound   10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound   2924 unbound   12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
tdeio_ima 3906  stekru    8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
dictd     4888   dictd   37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)

> If that is a desktop machine, you should have a DNS server somewhere
> in the network.. It could be that you have no ARP cache, and it is
> requesting every time..

AIUI I have a ARP cache with one entry for the standard gateway of my
ISP. See my original post. Is this normal or should there be more
entries?

> Having dynamic DNS services also doesn't help
> much with your security, since they are one of the major risks for breaking
> into computers.. And you seem to have configured some dynamic DNS
> services..

Are you saying running a local DNS resolver daemon like unbound is a
security risk? And that the seemingly increased ARP traffic could be
a symptom of this machine being hacked?

Kind regards,
Stefan


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-13 Thread Stefan Krusche
Am Samstag, 12. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> > Any hint much appreciated.
>
> Please see:
> http://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php And
> search for "arp spoofing", this will reveal more funny details :)

Okay, this will take some time to understand… Thanks.

Stefan



Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-12 Thread s
Hi Stefan,

> Yes, good guess! Tcpdump shows lots of these messages:
> 
> 16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de 
> tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
> 16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de 
> tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
> 16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de 
> tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
> 
> But what does that mean? The addresses asked for all seem to 
> be from the pool of the IP addresses/domains which this ISP
> gives out.
> 
> $ nslookup ip5b418d68.dynamic.kabel-deutschland.de
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   ip5b418d68.dynamic.kabel-deutschland.de
> Address: 91.65.141.104
> 
> $ nslookup ip5b418b24.dynamic.kabel-deutschland.de
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   ip5b418b24.dynamic.kabel-deutschland.de
> Address: 91.65.139.36
> 
> $ nslookup ip5b418a98.dynamic.kabel-deutschland.de
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   ip5b418a98.dynamic.kabel-deutschland.de
> Address: 91.65.138.152
> 
> $ whois 91.65.141.104   # output cut
> […]
> inetnum:        91.65.0.0 - 91.65.255.255
> netname:        KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
> […]
> 
> Why would my machine send these requests?
> 

First of all, your machine seems to be the DNS server, or do you have static IPs 
assigned?
# cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
# ifconfig -a

Then, find the processes that are running with open sockets..
Check which ones are running, and verify why..
# lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}


If that is a desktop machine, you should have a DNS server somewhere in the 
network..
It could be that you have no ARP cache, and it is requesting every time..
Having dynamic DNS services also doesn't help much with your security, since they 
are one of the major risks for breaking into computers..
And you seem to have configured some dynamic DNS services..

Hope it helps,
Best Regards,
Tux
-- 
tux 


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-12 Thread Dr. Nikolaus Klepp
Anno domini 2019 Sat, 12 Oct 17:03:29 +0200
 Stefan Krusche scripsit:
> Am Samstag, 12. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> > Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> > ..." class of messages.
> 
> Yes, good guess! Tcpdump shows lots of these messages:
> 
> 16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de 
> tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
> 16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de 
> tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
> 16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de 
> tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
> 
> But what does that mean? The addresses asked for all seem to 
> be from the pool of the IP addresses/domains which this ISP
> gives out.
> 
> $ nslookup ip5b418d68.dynamic.kabel-deutschland.de
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   ip5b418d68.dynamic.kabel-deutschland.de
> Address: 91.65.141.104
> 
> $ nslookup ip5b418b24.dynamic.kabel-deutschland.de
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   ip5b418b24.dynamic.kabel-deutschland.de
> Address: 91.65.139.36
> 
> $ nslookup ip5b418a98.dynamic.kabel-deutschland.de
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   ip5b418a98.dynamic.kabel-deutschland.de
> Address: 91.65.138.152
> 
> $ whois 91.65.141.104   # output cut
> […]
> inetnum:        91.65.0.0 - 91.65.255.255
> netname:        KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
> […]
> 
> Why would my machine send these requests?
> 
> Any hint much appreciated.

Please see: http://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php
And search for "arp spoofing", this will reveal more funny details :)

Nik

> 
> Thanks again,
> Stefan





Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-12 Thread Stefan Krusche
Am Samstag, 12. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> ..." class of messages.

Yes, good guess! Tcpdump shows lots of these messages:

16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de 
tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de 
tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de 
tell ip5b418afe.dynamic.kabel-deutschland.de, length 46

But what does that mean? The addresses asked for all seem to 
be from the pool of the IP addresses/domains which this ISP
gives out.

$ nslookup ip5b418d68.dynamic.kabel-deutschland.de
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   ip5b418d68.dynamic.kabel-deutschland.de
Address: 91.65.141.104

$ nslookup ip5b418b24.dynamic.kabel-deutschland.de
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   ip5b418b24.dynamic.kabel-deutschland.de
Address: 91.65.139.36

$ nslookup ip5b418a98.dynamic.kabel-deutschland.de
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   ip5b418a98.dynamic.kabel-deutschland.de
Address: 91.65.138.152

$ whois 91.65.141.104   # output cut
[…]
inetnum:        91.65.0.0 - 91.65.255.255
netname:        KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
[…]

Why would my machine send these requests?

Any hint much appreciated.

Thanks again,
Stefan


Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-12 Thread Stefan Krusche
Am Samstag, 12. Oktober 2019 schrieb Dr. Nikolaus Klepp:
> Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> ..." class of messages.
>
> Nik

Thanks, Nik.

Cheers
Stefan



Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-12 Thread Dr. Nikolaus Klepp
Anno domini 2019 Sat, 12 Oct 16:09:47 +0200
 Stefan Krusche scripsit:
> Good day everyone,
> 
> Since recently I have noticed very constant outgoing ARP traffic
> on my machine (desktop, Devuan ascii) of about 7K/s, which I
> don't think was there before.
> 
> jnettop shows this:
> LOCAL <-> REMOTE            TXBPS     RXBPS     TOTALBPS
>  (IP)  PORT  PROTO  (IP)  PORT     TX        RX        TOTAL
> UNKNOWNv4 <-> UNKNOWNv4     8.12K/s   0b/s      8.12K/s
>  0.0.0.0  0    ARP  0.0.0.0  0      149K      0b        149K
> 
> 
> arp cache shows this which is the standard gateway of my ISP:
> $ arp -n
> Address          HWtype  HWaddress           Flags Mask  Iface
> 91.65.138.254    ether   00:17:10:9a:24:a8   C           net0
> 
> 
> What can I do to further investigate where this comes from
> or how to stop it? Please advise or explain to a total network
> novice.

Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell ..." class 
of messages.

Nik

> 
> Thanks and kind regards,
> Stefan





[DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s

2019-10-12 Thread Stefan Krusche
Good day everyone,

Since recently I have noticed very constant outgoing ARP traffic
on my machine (desktop, Devuan ascii) of about 7K/s, which I
don't think was there before.

jnettop shows this:
LOCAL <-> REMOTE            TXBPS     RXBPS     TOTALBPS
 (IP)  PORT  PROTO  (IP)  PORT     TX        RX        TOTAL
UNKNOWNv4 <-> UNKNOWNv4     8.12K/s   0b/s      8.12K/s
 0.0.0.0  0    ARP  0.0.0.0  0      149K      0b        149K


arp cache shows this which is the standard gateway of my ISP:
$ arp -n
Address          HWtype  HWaddress           Flags Mask  Iface
91.65.138.254    ether   00:17:10:9a:24:a8   C           net0


What can I do to further investigate where this comes from
or how to stop it? Please advise or explain to a total network
novice.

Thanks and kind regards,
Stefan