Manuel Arostegui Ramirez
manuel at todo-linux.com
Thu Jun 21 09:33:00 UTC 2007
On Thursday 21 June 2007 11:17:26 Rick Sewill wrote:
> On Thu, 2007-06-21 at 08:15 +0200, Manuel Arostegui Ramirez wrote:
> > On Thursday, 21 June 2007 03:34, Rick Sewill wrote:
> > > I suspect these ARP requests are caused by botnets, on the Internet,
> > > scanning IP address ranges for PCs to compromise. There is a steady
> > > bombardment of Microsoft Messenger Service, NetrSendMessage requests to
> > > UDP port 1026, coming to my IP address. Lucky for me, Fedora discards
> > > the message and no response is generated. The botnets do not give up.
> > Maybe I'm not understanding what you mean there but....how can botnets
> > make ARP questions through the internet?
> > As far as I know ARP requests are only made in LANs and it's impossible
> > for its to pass a router and reach the Internet.
> You are correct. ARP requests are used on a broadcast interface to
> discover the association between an IP address and a MAC address. ARP
> requests are not passed on by a router. Let me explain.
> First, I wish to tell what I am currently seeing on my internet
> connection. Next, I will guess, why I am seeing what I see.
> It is 3:10 a.m., my time. One would expect my connection to the cable
> company to be relatively quiet. I just ran wireshark for 41 seconds.
> I got 1871 ARP requests, 1870 were from the Cable company, and one was
> from a device with a Motorola (OID) MAC address.
> I also got 31 regular IP packets, of which 5 were TCP and 26 were UDP.
> Of the UDP packets.
> I originated one TCP packet. The other 4 came to me.
> Sixteen of the UDP packets were unicast to me, to my port 6881, which is
> weird. UDP port 6881 is a bittorrent port. I admit to seeding Fedora
> 7, but that was a few days ago. Iptables, by default, discards all
> packets I receive on port 6881, unless I explicitly open ports.
> The other ten UDP packets were DHCP offers, and DHCP acks, directed to
> the 255.255.255.255 broadcast address.
> The sender of all the DHCP packets, and the 1870 ARP requests, that I
> saw, had the same ethernet MAC source address.
> I did not see any NetrSendMessage during that 41 second interval. The
> NetrSendMessage messages are UDP packets destined to port 1026. I had
> seen the NetrSendMessage yesterday afternoon. I never have a Windows
> machine connected to that interface so there is no reason a packet
> specific to a Microsoft protocol should come to that interface.
> I am guessing botnets are sending these IP packets, on UDP port 6881,
> and UDP port 1026, to every IP address in a range of IP addresses.
> In the case of the cable companies, I believe they treat the cable like
> it is a broadcast interface. I believe they ARP for that IP address to
> get the MAC address for that machine. I get these ARP requests because
> they are broadcast to me and to everyone with whom I share the cable.
> I actually don't see the logic to cable companies doing this.
> Cable companies should know the MAC address associated with my IP
> address. Either the cable company assigned my IP address, in the case
> of a dynamic IP address, or the cable company statically configured my
> IP address, in the case of certain business accounts. I pay a flat rate
> which means the cable company does not need to know if my machine is on
> or off as far as billing is concerned. I am allowed a finite number of
> IP addresses, three, so the cable company has to know the number of
> devices connected to my cable modem.
> The telephone companies should do a better job. I do not believe the
> telephone companies treat their wire as a broadcast interface. I have
> not had the opportunity to hook a network sniffer up to a telephone
> company wire to see what they do.
> If the cable company is spewing forth all that traffic, without any
> prompting from botnets, and without any prompting from me, one might
> think the cable company software were in need of repair.
Nice explanation, now it's much more clear :-)
I forgot you were using a Cable connection, therefore all of the above is
reasonable, since they treat all their users as a part of a huge LAN.
I agree with you that that's not the best way to manage all their clients,
especially if we think about security...
It's the same in Spain. I was using a Cable connection (I will not give names)
that is very common here, and it was such a laugh if we talk about security...
It was almost just a big LAN, no more...sad but true, though...
On the other hand...can you complain about that to your Cable ISP?
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
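The thread above checks a claim of the form "1870 of 1871 ARP requests in 41 seconds came from one MAC". The script below is an added example, not code from either poster or from Fedora: it takes a tab-separated dump of ARP requests (assumed field order: frame timestamp, source MAC, address being asked for, address of the asker, as a `tshark -T fields` export would give), counts requests per sender MAC, measures how many distinct addresses each sender is resolving and at what rate, and lists requests for addresses outside the local subnet, which ARP, being link-local, should never carry. The capture lines, MAC addresses, subnet and thresholds are all constructed for the example.

```python
"""Summarise ARP request traffic from a capture dump.

Assumed input: one ARP request per line, tab-separated, in the order
frame.time_epoch, eth.src, arp.dst.proto_ipv4, arp.src.proto_ipv4.
SAMPLE_CAPTURE below is constructed sample data, not a real capture.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SAMPLE_CAPTURE = "\n".join([
    # one sender (a gateway-like device) resolving address after address
    "1182418200.10\t00:11:22:33:44:55\t10.1.0.2\t10.1.0.1",
    "1182418200.60\t00:11:22:33:44:55\t10.1.0.3\t10.1.0.1",
    "1182418201.10\t00:11:22:33:44:55\t10.1.0.4\t10.1.0.1",
    "1182418201.60\t00:11:22:33:44:55\t10.1.0.5\t10.1.0.1",
    "1182418202.10\t00:11:22:33:44:55\t10.1.0.6\t10.1.0.1",
    "1182418202.60\t00:11:22:33:44:55\t10.1.0.7\t10.1.0.1",
    "1182418203.10\t00:11:22:33:44:55\t10.1.0.8\t10.1.0.1",
    "1182418203.60\t00:11:22:33:44:55\t10.1.0.9\t10.1.0.1",
    # a request for an address that is not on the local subnet at all
    "1182418203.90\t00:11:22:33:44:55\t192.168.5.5\t10.1.0.1",
    # an ordinary host resolving its gateway once
    "1182418204.10\taa:bb:cc:dd:ee:01\t10.1.0.1\t10.1.0.9",
])


def parse_arp_requests(text):
    """Turn the field dump into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue
        ts, src_mac, target_ip, sender_ip = parts
        try:
            records.append({
                "ts": float(ts),
                "src_mac": src_mac.lower(),
                "target_ip": ip_address(target_ip),
                "sender_ip": ip_address(sender_ip),
            })
        except ValueError:
            continue
    return records


def summarize_arp(records, window_seconds=None):
    """Per-sender-MAC request count, distinct targets and request rate.

    window_seconds overrides the observed span (e.g. the 41 s a sniffer ran).
    """
    if not records:
        return {"total": 0, "window_seconds": 0.0, "senders": {}}
    first = min(r["ts"] for r in records)
    last = max(r["ts"] for r in records)
    window = window_seconds if window_seconds is not None else max(last - first, 1e-9)
    per_mac = defaultdict(lambda: {"requests": 0, "targets": set()})
    for r in records:
        per_mac[r["src_mac"]]["requests"] += 1
        per_mac[r["src_mac"]]["targets"].add(r["target_ip"])
    senders = {
        mac: {
            "requests": info["requests"],
            "distinct_targets": len(info["targets"]),
            "requests_per_second": info["requests"] / window,
        }
        for mac, info in per_mac.items()
    }
    return {"total": len(records), "window_seconds": window, "senders": senders}


def flag_sweeping_senders(summary, min_distinct_targets=5, min_rate=1.0):
    """Senders resolving many distinct addresses at a sustained rate.

    The thresholds are assumptions for this example; tune them to the link.
    """
    return sorted(
        mac for mac, s in summary["senders"].items()
        if s["distinct_targets"] >= min_distinct_targets
        and s["requests_per_second"] >= min_rate
    )


def off_subnet_targets(records, local_net):
    """Requests asking for an address outside the local subnet.

    ARP is link-local and is not forwarded by routers, so such requests
    deserve a closer look.
    """
    net = ip_network(local_net)
    return [r for r in records if r["target_ip"] not in net]


if __name__ == "__main__":
    recs = parse_arp_requests(SAMPLE_CAPTURE)
    summ = summarize_arp(recs)
    print(f"{summ['total']} ARP requests in {summ['window_seconds']:.1f}s")
    for mac, s in summ["senders"].items():
        print(f"  {mac}: {s['requests']} requests, "
              f"{s['distinct_targets']} distinct targets, "
              f"{s['requests_per_second']:.2f}/s")
    print("sweeping senders:", flag_sweeping_senders(summ))
    print("off-subnet targets:",
          [(r["src_mac"], str(r["target_ip"]))
           for r in off_subnet_targets(recs, "10.1.0.0/24")])
```

Passing the sniffer's real run time as `window_seconds` matters: the same nine requests spread over 41 seconds fall under the rate threshold, while over their actual 4-second span they are flagged, so the rate check only says something when the window reflects how long the capture really ran.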