Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On 10/12/19 5:03 PM, Stefan Krusche wrote:
> Why would my machine send these requests? Any hint much appreciated.

That's not your machine, it's the next hop in the network segment Vodafone (formerly Kabel Deutschland) uses. It's the same here:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.65.125.254   0.0.0.0         UG    0      0        0 eth2

Seems we may be in the same segment, where are you coming from, if I may ask?

Daniel

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hi mett,

> Hi,
>
> if this is really outgoing arp request,
> maybe ur default route is not properly
> configured.
> Like u have no next-hop address,
> only an outgoing interface as a default
> route:
>
> ip route default dev en0
>
> instead of
>
> ip route default via 91.sm.th.ing dev en0
>
> In that case, ur host thinks every host is attached to it, and therefore arps
> for each host.
>
> I said if bc what u showed didn't seem
> coming from ur host.
>
> Can u verify that all the arp requests
> are from ur host?
> ie. the outgoing interface, en0 if i
> understood properly
> (the interface with a public ip address).
>
> hth

Exactly, it could indeed be a routing problem. Since he owns 2 networks, he needs to route the dns traffic via the public interface 'en0'.. But the thing is, he will need 2 default gateways.. one for the public network '91.65.138.0/??' (what you designated as default gateway..), and one for the internal private network '192.168.19.0/24' (delivering dhcp, and the dns cache queries he caches on that machine..).

He can accomplish that in Debian. You need to do it using 'policy routing' (Red Hat permitted binding a routing table directly to an interface.. I think I already saw that in Debian too, but it's not the same thing.. so this solution is a bit more difficult..)

For that, see 'https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System' or 'https://unix.stackexchange.com/questions/35713/adding-two-default-gateways-in-debian-interfaces-file/35822'

You should see, after creating a new routing table and assigning routing rules, that you have 2 default gateways, one for public traffic and one for private..

But... IF he doesn't own, or contact, that machine ('ip5b418c91.dynamic.kabel-deutschland.de - 91.65.140.145'), why is it trying to know its mac address?? It could even be that the master dns server is down, or unreachable, and he needs to contact the slave server.. don't know.. But, I think that this was his first question..

Best Regards
--
tux
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hi Stefan,

> > first of all, your machine seems to be the dns server, or you have
> > static ips assigned?
>
> Yes, unbound DNS resolver is running on this machine. No static IPs.
>

You have a public dynamic IP, I assume. So you are in the domain 'dynamic.kabel-deutschland.de', but by what I see, that domain is a /24 or not??

you:
FQDN: ip5b418cfe.dynamic.kabel-deutschland.de
IP: 91.65.138.120/24

Someone else:
FQDN: ip5b418c91.dynamic.kabel-deutschland.de
IP: 91.65.140.145 /24??

Something strange, you have 2 different *public* networks in the same domain?

Another thing.. Are you trying to have 2 machines connected with a foreign dynamic dns service, ex: like 'https://www.noip.com/free'?

> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
>

Who is 'ip5b418c91.dynamic.kabel-deutschland.de'?? Is it another machine of yours? Do a:

arping 91.65.140.145

Check the mac address, compare with any one of yours..

> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145

It's a different network than yours but they have exactly the same domain.. weird?? What is the dns server that responds to that request? Should be: '83.169.184.33'

> AIUI I have an ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
>

Any ip address of your network should be there (192.168.19.2, 192.168.19.3??), but if none contacted then it's ok..

> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?
>

No, I don't even know what 'unbound' is..

But if you are using an external service, depending on the type of external dynamic dns service, yes. I already was, some 15 years ago, using 'https://www.noip.com/free', and I already saw tons of cases like mine out there (they don't offer you a dynamic dns service for free... free for them means your information is sold on the black market... they need to make money.. no one offers free services..). But that doesn't mean you are the case here.. (I don't even know what the domain 'dynamic.kabel-deutschland.de' is..)

Your machine is acting as a DNS cache server for the network 192.168.19.0/24, for what it seems..

--
Best Regards,
tux
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On 2019-10-13 18:24:54 JST, "Dr. Nikolaus Klepp" wrote:
>Anno domini 2019 Sun, 13 Oct 10:47:30 +0200 Stefan Krusche scripsit:
>> On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
>> > There is some misunderstanding: The ARP package has nothing to do
>> > with DNS.
>>
>> That's what I've been thinking and why I asked.
>>
>> > It basically links MAC to IP - and you can do funny things
>> > with it.
>>
>> Okay, I still can't seem to connect the dots…
>>
>> > tcpdump just makes the name resolution for you, use "tcpdump
>> > -n" to go without it. e.g.:
>> >
>> > # tcpdump -n
>> > 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
>> > 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>>
>> Alright. What attracts my attention is that here length is 28, just
>> like the ARP message format is explained on the site you recommended,
>> whereas it is 46 on my machine:
>>
>> $ sudo tcpdump -n
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
>> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
>>
>> Is this relevant in any way related to exaggerated ARP requests?
>
>My ARP comes from wifi, yours is ethernet. 28 bytes is the ARP packet
>size, but it's padded for ethernet minimum frame:
>https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet
>
>You can ask tcpdump to give you a hex dump of the packets and
>investigate:
># tcpdump -nx
>
>11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
>        0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
>        0x0010:  0101 0000 0000 0000 c0a8 01be
>11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>        0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
>        0x0010:  01be c493 0007 4ca5 c0a8 0101
>
>> > arp cache should only have as many entries as other mac addresses are
>> > active in your part of the lan. If you are alone on your router, then
>> > it's just your router's mac in the cache.
>>
>> This seems to be the case (see OP).
>>
>> Thank you, Nik.
>>
>> Stefan
>
>--
>Please do not email me anything that you are not comfortable also
>sharing with the NSA, CIA ...

Hi,

if this is really outgoing arp request,
maybe ur default route is not properly
configured.
Like u have no next-hop address,
only an outgoing interface as a default
route:

ip route default dev en0

instead of

ip route default via 91.sm.th.ing dev en0

In that case, ur host thinks every host is attached to it, and therefore arps for each host.

I said if bc what u showed didn't seem
coming from ur host.

Can u verify that all the arp requests
are from ur host?
ie. the outgoing interface, en0 if i
understood properly
(the interface with a public ip address).

hth
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sun, 13 Oct 10:47:30 +0200 Stefan Krusche scripsit:
> On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
> > There is some misunderstanding: The ARP package has nothing to do
> > with DNS.
>
> That's what I've been thinking and why I asked.
>
> > It basically links MAC to IP - and you can do funny things
> > with it.
>
> Okay, I still can't seem to connect the dots…
>
> > tcpdump just makes the name resolution for you, use "tcpdump
> > -n" to go without it. e.g.:
> >
> > # tcpdump -n
> > 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
> > 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>
> Alright. What attracts my attention is that here length is 28, just
> like the ARP message format is explained on the site you recommended,
> whereas it is 46 on my machine:
>
> $ sudo tcpdump -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
>
> Is this relevant in any way related to exaggerated ARP requests?

My ARP comes from wifi, yours is ethernet. 28 bytes is the ARP packet size, but it's padded for ethernet minimum frame:
https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet

You can ask tcpdump to give you a hex dump of the packets and investigate:

# tcpdump -nx
11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
        0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
        0x0010:  0101 0000 0000 0000 c0a8 01be
11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
        0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
        0x0010:  01be c493 0007 4ca5 c0a8 0101

> > arp cache should only have as many entries as other mac addresses are
> > active in your part of the lan. If you are alone on your router, then
> > it's just your router's mac in the cache.
>
> This seems to be the case (see OP).
>
> Thank you, Nik.
>
> Stefan

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
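The ARP fields behind those hex words, decoded in Python. This is an added example, not code from the thread: it parses the two 28-byte payloads from the tcpdump -nx output above (the request's three zeroed target-MAC words are restored, as the reported length 28 and the intact reply imply), shows that the "length 46" Stefan sees is the same body plus Ethernet padding, and, for mett's question of whether the requests really come from your own host, tallies request senders against the local address. The tcpdump -n sample lines and the local IP/MAC are constructed from output quoted elsewhere in the thread.

```python
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Hex words copied from the `tcpdump -nx` output in the thread. The request's
# all-zero target MAC (three "0000" words) is restored here, as the 28-byte
# length tcpdump reported and the intact reply imply.
REQUEST_HEX = "0001 0800 0604 0001 c493 0007 4ca5 c0a8 0101 0000 0000 0000 c0a8 01be"
REPLY_HEX = "0001 0800 0604 0002 001b 7753 6c43 c0a8 01be c493 0007 4ca5 c0a8 0101"

# Constructed sample: `tcpdump -n` lines of the kind quoted in the thread, as seen
# on the host whose net0 interface is 91.65.138.120 / 00:0e:2e:09:19:d2.
SAMPLE_LINES = [
    "10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46",
    "10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46",
]
LOCAL_IP, LOCAL_MAC = "91.65.138.120", "00:0e:2e:09:19:d2"

OPCODES = {1: "request", 2: "reply"}
ARP_BODY_LEN = 28  # Ethernet/IPv4 ARP: 8-byte header + 2 * (6-byte MAC + 4-byte IP)
ARP_LINE = re.compile(r"ARP, Request who-has (\S+) tell (\S+), length (\d+)")


@dataclass(frozen=True)
class ArpPacket:
    opcode: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    padding: int  # bytes beyond the 28-byte ARP body, i.e. Ethernet frame padding


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode an Ethernet/IPv4 ARP body; trailing frame padding is tolerated."""
    if len(payload) < 8:
        raise ValueError("ARP header truncated")
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", payload[:8])
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if len(payload) < ARP_BODY_LEN:
        raise ValueError(f"ARP body truncated: {len(payload)} < {ARP_BODY_LEN} bytes")
    smac, sip, tmac, tip = payload[8:14], payload[14:18], payload[18:24], payload[24:28]
    return ArpPacket(OPCODES.get(opcode, f"op{opcode}"), mac_str(smac), ip_str(sip),
                     mac_str(tmac), ip_str(tip), len(payload) - ARP_BODY_LEN)


def hex_words_to_bytes(words: str) -> bytes:
    return bytes.fromhex(words.replace(" ", ""))


def pad_to_min_frame(payload: bytes, min_payload: int = 46) -> bytes:
    """Ethernet's 64-byte minimum frame leaves 46 payload bytes; zero-pad up to it."""
    return payload + b"\x00" * max(0, min_payload - len(payload))


def request_from_line(line: str) -> Optional[ArpPacket]:
    """Build a record from a `tcpdump -n` text line (MACs are not printed there)."""
    m = ARP_LINE.search(line)
    if not m:
        return None
    target, sender, length = m.group(1), m.group(2), int(m.group(3))
    return ArpPacket("request", "?", sender, "00:00:00:00:00:00", target,
                     length - ARP_BODY_LEN)


def request_senders(packets: Iterable[ArpPacket], local_ip: str, local_mac: str) -> dict:
    """Count ARP requests per sender, split into this host's own and everyone else's."""
    counts = {"local": Counter(), "foreign": Counter()}
    for p in packets:
        if p.opcode != "request":
            continue
        own = p.sender_ip == local_ip or p.sender_mac == local_mac
        counts["local" if own else "foreign"][p.sender_ip] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    for words in (REQUEST_HEX, REPLY_HEX):
        print(parse_arp(hex_words_to_bytes(words)))
    print(parse_arp(pad_to_min_frame(hex_words_to_bytes(REQUEST_HEX))))  # padding=18
    seen = [p for p in map(request_from_line, SAMPLE_LINES) if p]
    print(request_senders(seen, LOCAL_IP, LOCAL_MAC))  # both senders are foreign
```

A run over a real capture would feed `request_from_line` the output of `tcpdump -n arp`; a sender tally with nothing under "local" means the flood is other hosts' (here the segment's .254 gateways') requests that your interface merely receives, not traffic your machine sends.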
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
> There is some misunderstanding: The ARP package has nothing to do
> with DNS.

That's what I've been thinking and why I asked.

> It basically links MAC to IP - and you can do funny things
> with it.

Okay, I still can't seem to connect the dots…

> tcpdump just makes the name resolution for you, use "tcpdump
> -n" to go without it. e.g.:
>
> # tcpdump -n
> 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
> 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28

Alright. What attracts my attention is that here length is 28, just like the ARP message format is explained on the site you recommended, whereas it is 46 on my machine:

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46

Is this relevant in any way related to exaggerated ARP requests?

> arp cache should only have as many entries as other mac addresses are
> active in your part of the lan. If you are alone on your router, then
> it's just your router's mac in the cache.

This seems to be the case (see OP).

Thank you, Nik.

Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sun, 13 Oct 10:13:31 +0200 Stefan Krusche scripsit:
> Hello Tux,
>
> thanks for your reply.
>
> "s@po" wrote on 12.10.2019 20:10:
> > > Why would my machine send these requests?
> >
> > first of all, your machine seems to be the dns server, or you have
> > static ips assigned?
>
> Yes, unbound DNS resolver is running on this machine. No static IPs.
>
> > # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
>
> I have a huge /etc/hosts file for blocking purposes. There are a
> handful of lines for IPs to the LAN like this which are not in use,
> i.e. I have no LAN, only a laptop rarely connected to this machine:
>
> $ head /etc/hosts
> 127.0.0.1      localhost
> 127.0.1.1      rubians
> 192.168.19.1   rubians
> 192.168.19.2   rubiana
> 192.168.19.3   rubiano
>
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1     # this is for unbound on localhost
> nameserver 83.169.184.33 # ISP's name server
> nameserver 83.169.184.97 # ISP's name server
>
> $ ifconfig -a
> lan0: flags=4099 mtu 1500
>         inet 192.168.19.1 netmask 255.255.255.0 broadcast 192.168.19.255
>         ether 00:21:85:02:91:b8 txqueuelen 1000 (Ethernet)
>         RX packets 0 bytes 0 (0.0 B)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 0 bytes 0 (0.0 B)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> net0: flags=4163 mtu 1500
>         inet 91.65.138.120 netmask 255.255.255.0 broadcast 91.65.138.255
>         inet6 fe80::20e:2eff:fe09:19d2 prefixlen 64 scopeid 0x20
>         ether 00:0e:2e:09:19:d2 txqueuelen 1000 (Ethernet)
>         RX packets 544261 bytes 36150630 (34.4 MiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 9509 bytes 923017 (901.3 KiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> > Then, find the processes that are running with open sockets..
> > Check which ones are running, and verify why..
> > # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}
>
> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
>
> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145
>
> $ lsof -nP -i4tcp@91.65.140.145
> $ echo $?
> 1
>
> Well, I can't seem to catch one - maybe I am too slow because the
> connections are too short-lived?!
>
> $ lsof -nP -i4tcp
> COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> unbound   2924 unbound   6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound  10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound  12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
> tdeio_ima 3906  stekru   8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
> dictd     4888   dictd  37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)
>
> > If that is a desktop machine, you should have a dns server somewhere
> > in the network.. It could be that you have no arp cache, and it is
> > requesting every time..
>
> AIUI I have an ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
>
> > Having dynamic dns services also doesn't help
> > much to your security, since they are one of the major risks breaking
> > into computers.. And you seem to have configured some dynamic dns
> > services..
>
> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?

There is some misunderstanding: The ARP package has nothing to do with DNS. It basically links MAC to IP - and you can do funny things with it.

tcpdump just makes the name resolution for you, use "tcpdump -n" to go without it. e.g.:

# tcpdump -n
10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28

arp cache should only have as many entries as other mac addresses are active in your part of the lan. If you are alone on your router, then it's just your router's mac in the cache.

nik

> Kind regards,
> Stefan

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hello Tux,

thanks for your reply.

"s@po" wrote on 12.10.2019 20:10:
> > Why would my machine send these requests?
>
> first of all, your machine seems to be the dns server, or you have
> static ips assigned?

Yes, unbound DNS resolver is running on this machine. No static IPs.

> # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}

I have a huge /etc/hosts file for blocking purposes. There are a handful of lines for IPs to the LAN like this which are not in use, i.e. I have no LAN, only a laptop rarely connected to this machine:

$ head /etc/hosts
127.0.0.1      localhost
127.0.1.1      rubians
192.168.19.1   rubians
192.168.19.2   rubiana
192.168.19.3   rubiano

$ cat /etc/resolv.conf
nameserver 127.0.0.1     # this is for unbound on localhost
nameserver 83.169.184.33 # ISP's name server
nameserver 83.169.184.97 # ISP's name server

$ ifconfig -a
lan0: flags=4099 mtu 1500
        inet 192.168.19.1 netmask 255.255.255.0 broadcast 192.168.19.255
        ether 00:21:85:02:91:b8 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

net0: flags=4163 mtu 1500
        inet 91.65.138.120 netmask 255.255.255.0 broadcast 91.65.138.255
        inet6 fe80::20e:2eff:fe09:19d2 prefixlen 64 scopeid 0x20
        ether 00:0e:2e:09:19:d2 txqueuelen 1000 (Ethernet)
        RX packets 544261 bytes 36150630 (34.4 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 9509 bytes 923017 (901.3 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

> Then, find the processes that are running with open sockets..
> Check which ones are running, and verify why..
> # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}

$ sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46

$ nslookup ip5b418c91.dynamic.kabel-deutschland.de
Address: 91.65.140.145

$ lsof -nP -i4tcp@91.65.140.145
$ echo $?
1

Well, I can't seem to catch one - maybe I am too slow because the connections are too short-lived?!

$ lsof -nP -i4tcp
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound   2924 unbound   6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound   2924 unbound  10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound   2924 unbound  12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
tdeio_ima 3906  stekru   8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
dictd     4888   dictd  37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)

> If that is a desktop machine, you should have a dns server somewhere
> in the network.. It could be that you have no arp cache, and it is
> requesting every time..

AIUI I have an ARP cache with one entry for the standard gateway of my ISP. See my original post. Is this normal or should there be more entries?

> Having dynamic dns services also doesn't help
> much to your security, since they are one of the major risks breaking
> into computers.. And you seem to have configured some dynamic dns
> services..

Are you saying running a local DNS resolver daemon like unbound is a security risk? And that the seemingly increased ARP traffic could be a symptom of this machine being hacked?

Kind regards,
Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Saturday, 12 October 2019, Dr. Nikolaus Klepp wrote:
> > Any hint much appreciated.
>
> Please see:
> http://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php
> And search for "arp spoofing", this will reveal more funny details :)

Okay, this will take some time to understand… Thanks.

Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hi Stefan,

> Yes, good guess! Tcpdump shows lots of these messages:
>
> 16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
> 16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
> 16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
>
> But what does that mean? The addresses asked for all seem to
> be from the pool of the IP addresses/domains which this ISP
> gives out.
>
> $ nslookup ip5b418d68.dynamic.kabel-deutschland.de
> Server:  127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name:    ip5b418d68.dynamic.kabel-deutschland.de
> Address: 91.65.141.104
>
> $ nslookup ip5b418b24.dynamic.kabel-deutschland.de
> Server:  127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name:    ip5b418b24.dynamic.kabel-deutschland.de
> Address: 91.65.139.36
>
> $ nslookup ip5b418a98.dynamic.kabel-deutschland.de
> Server:  127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name:    ip5b418a98.dynamic.kabel-deutschland.de
> Address: 91.65.138.152
>
> $ whois 91.65.141.104 # output cut
> […]
> inetnum: 91.65.0.0 - 91.65.255.255
> netname: KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
> […]
>
> Why would my machine send these requests?

First of all, your machine seems to be the dns server, or you have static ips assigned?

# cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
# ifconfig -a

Then, find the processes that are running with open sockets.. Check which ones are running, and verify why..

# lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}

If that is a desktop machine, you should have a dns server somewhere in the network.. It could be that you have no arp cache, and it is requesting every time..

Having dynamic dns services also doesn't help much to your security, since they are one of the major risks breaking into computers.. And you seem to have configured some dynamic dns services..

Hope it helps,

Best Regards,
Tux
--
tux
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sat, 12 Oct 17:03:29 +0200 Stefan Krusche scripsit:
> On Saturday, 12 October 2019, Dr. Nikolaus Klepp wrote:
> > Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> > ..." class of messages.
>
> Yes, good guess! Tcpdump shows lots of these messages:
>
> 16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
> 16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
> 16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
>
> But what does that mean? The addresses asked for all seem to
> be from the pool of the IP addresses/domains which this ISP
> gives out.
>
> $ nslookup ip5b418d68.dynamic.kabel-deutschland.de
> Server:  127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name:    ip5b418d68.dynamic.kabel-deutschland.de
> Address: 91.65.141.104
>
> $ nslookup ip5b418b24.dynamic.kabel-deutschland.de
> Server:  127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name:    ip5b418b24.dynamic.kabel-deutschland.de
> Address: 91.65.139.36
>
> $ nslookup ip5b418a98.dynamic.kabel-deutschland.de
> Server:  127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name:    ip5b418a98.dynamic.kabel-deutschland.de
> Address: 91.65.138.152
>
> $ whois 91.65.141.104 # output cut
> […]
> inetnum: 91.65.0.0 - 91.65.255.255
> netname: KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
> […]
>
> Why would my machine send these requests?
>
> Any hint much appreciated.

Please see:
http://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php
And search for "arp spoofing", this will reveal more funny details :)

Nik

> Thanks again,
> Stefan

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Saturday, 12 October 2019, Dr. Nikolaus Klepp wrote:
> Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> ..." class of messages.

Yes, good guess! Tcpdump shows lots of these messages:

16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46

But what does that mean? The addresses asked for all seem to be from the pool of the IP addresses/domains which this ISP gives out.

$ nslookup ip5b418d68.dynamic.kabel-deutschland.de
Server:  127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name:    ip5b418d68.dynamic.kabel-deutschland.de
Address: 91.65.141.104

$ nslookup ip5b418b24.dynamic.kabel-deutschland.de
Server:  127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name:    ip5b418b24.dynamic.kabel-deutschland.de
Address: 91.65.139.36

$ nslookup ip5b418a98.dynamic.kabel-deutschland.de
Server:  127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name:    ip5b418a98.dynamic.kabel-deutschland.de
Address: 91.65.138.152

$ whois 91.65.141.104 # output cut
[…]
inetnum: 91.65.0.0 - 91.65.255.255
netname: KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
[…]

Why would my machine send these requests?

Any hint much appreciated.

Thanks again,
Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Saturday, 12 October 2019, Dr. Nikolaus Klepp wrote:
> Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell
> ..." class of messages.
>
> Nik

Thanks, Nik.

Cheers
Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sat, 12 Oct 16:09:47 +0200 Stefan Krusche scripsit:
> Good day everyone,
>
> since recently I noticed a very constant outgoing ARP traffic
> on my machine (desktop, Devuan ascii) of about 7K/s which I
> don't think was there before.
>
> jnettop shows this:
> LOCAL <-> REMOTE                   TXBPS    RXBPS   TOTALBPS
> (IP) PORT PROTO (IP) PORT          TX       RX      TOTAL
> UNKNOWNv4 <-> UNKNOWNv4            8.12K/s  0b/s    8.12K/s
> 0.0.0.0 0 ARP 0.0.0.0 0            149K     0b      149K
>
> arp cache shows this which is the standard gateway of my ISP:
> $ arp -n
> Address        HWtype  HWaddress          Flags Mask  Iface
> 91.65.138.254  ether   00:17:10:9a:24:a8  C           net0
>
> What can I do to further investigate where this comes from
> or how to stop it? Please advise or explain to a total network
> novice.

Install wireshark or tcpdump. Guess it's the "arp-who-has ... tell ..." class of messages.

Nik

> Thanks and kind regards,
> Stefan

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...