rsewill at cableone.net
Thu Jun 21 09:17:26 UTC 2007
On Thu, 2007-06-21 at 08:15 +0200, Manuel Arostegui Ramirez wrote:
> On Thursday, 21 June 2007 03:34, Rick Sewill wrote:
> > I suspect these ARP requests are caused by botnets, on the Internet,
> > scanning IP address ranges for PCs to compromise. There is a steady
> > bombardment of Microsoft Messenger Service, NetrSendMessage requests to
> > UDP port 1026, coming to my IP address. Lucky for me, Fedora discards
> > the message and no response is generated. The botnets do not give up.
> Maybe I'm not understanding what you mean there but... how can botnets make
> ARP questions through the internet?
> As far as I know ARP requests are only made in LANs and it's impossible for
> them to pass a router and reach the Internet.
You are correct. ARP requests are used on a broadcast interface to
discover the association between an IP address and a MAC address. ARP
requests are not passed on by a router. Let me explain.
First, I wish to tell what I am currently seeing on my internet
connection. Next, I will guess, why I am seeing what I see.
It is 3:10 a.m., my time. One would expect my connection to the cable
company to be relatively quiet. I just ran wireshark for 41 seconds.
I got 1871 ARP requests, 1870 were from the Cable company, and one was
from a device with a Motorola (OID) MAC address.
I also got 31 regular IP packets, of which 5 were TCP and 26 were UDP.
Of the UDP packets.
I originated one TCP packet. The other 4 came to me.
Sixteen of the UDP packets were unicast to me, to my port 6881, which is
weird. UDP port 6881 is a bittorrent port. I admit to seeding Fedora
7, but that was a few days ago. Iptables, by default, discards all
packets I receive on port 6881, unless I explicitly open ports.
The other ten UDP packets were DHCP offers, and DHCP acks, directed to
the 255.255.255.255 broadcast address.
The sender of all the DHCP packets, and the 1870 ARP requests, that I
saw, had the same ethernet MAC source address.
I did not see any NetrSendMessage during that 41 second interval. The
NetrSendMessage messages are UDP packets destined to port 1026. I had
seen the NetrSendMessage yesterday afternoon. I never have a Windows
machine connected to that interface so there is no reason a packet
specific to a Microsoft protocol should come to that interface.
I am guessing botnets are sending these IP packets, on UDP port 6881,
and UDP port 1026, to every IP address in a range of IP addresses.
In the case of the cable companies, I believe they treat the cable like
it is a broadcast interface. I believe they ARP for that IP address to
get the MAC address for that machine. I get these ARP requests because
they are broadcast to me and to everyone with whom I share the cable.
I actually don't see the logic to cable companies doing this.
Cable companies should know the MAC address associated with my IP
address. Either the cable company assigned my IP address, in the case
of a dynamic IP address, or the cable company statically configured my
IP address, in the case of certain business accounts. I pay a flat rate
which means the cable company does not need to know if my machine is on
or off as far as billing is concerned. I am allowed a finite number of
IP addresses, three, so the cable company has to know the number of
devices connected to my cable modem.
The telephone companies should do a better job. I do not believe the
telephone companies treat their wire as a broadcast interface. I have
not had the opportunity to hook a network sniffer up to a telephone
company wire to see what they do.
If the cable company is spewing forth all that traffic, without any
prompting from botnets, and without any prompting from me, one might
think the cable company software were in need of repair.
> Manuel Arostegui Ramirez.
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues.
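As an added illustration (not part of the mail or the list), here is a small Python triage script that produces the kind of breakdown Rick did by hand from his wireshark run: ARP requests per source MAC, DHCP to the limited broadcast address, and unicast UDP to ports the host never opened. The four-field line layout and the sample lines are constructed assumptions, not real capture output.

```python
from collections import Counter

# Constructed sample, not a real capture. Each line is
# "<eth.src> <protocol> <ip.dst> <dst port or ->", an assumed layout loosely
# resembling `tshark -T fields` output. The mix mirrors the mail: one MAC
# dominating ARP, DHCP to 255.255.255.255, unicast UDP to closed ports.
SAMPLE_LINES = """\
00:11:22:33:44:55 ARP - -
00:11:22:33:44:55 ARP - -
00:11:22:33:44:55 ARP - -
00:11:22:33:44:55 ARP - -
aa:bb:cc:dd:ee:ff ARP - -
00:11:22:33:44:55 DHCP 255.255.255.255 68
66:77:88:99:aa:bb UDP 203.0.113.10 6881
66:77:88:99:aa:bb UDP 203.0.113.10 6881
66:77:88:99:aa:bb UDP 203.0.113.10 1026
66:77:88:99:aa:bb TCP 203.0.113.10 22
"""

def summarize(lines, window_seconds):
    """Count frames by protocol, ARP by source MAC, UDP by destination port."""
    proto, arp_by_mac, udp_ports, broadcast = Counter(), Counter(), Counter(), 0
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, prot, dst, port = parts
        proto[prot] += 1
        if prot == "ARP":
            arp_by_mac[src] += 1
        elif prot == "UDP":
            udp_ports[int(port)] += 1
        if dst == "255.255.255.255":
            broadcast += 1
    return {"proto": proto, "arp_by_mac": arp_by_mac, "udp_ports": udp_ports,
            "broadcast": broadcast, "window": window_seconds}

def findings(summary, arp_threshold=3, expected_udp_ports=frozenset({68})):
    """Flag one MAC dominating ARP, and UDP to ports the host does not serve."""
    out = []
    for mac, n in summary["arp_by_mac"].most_common():
        if n >= arp_threshold:
            out.append(f"ARP flood: {mac} sent {n} requests "
                       f"({n / summary['window']:.2f}/s over {summary['window']}s)")
    for port, n in sorted(summary["udp_ports"].items()):
        if port not in expected_udp_ports:  # 68 = DHCP client is expected here
            out.append(f"unexpected UDP to port {port}: {n} packets; "
                       "confirm the host firewall drops them")
    return out
```

The ARP threshold is per capture window and must be tuned to the link; on a shared cable segment the headend ARPing for neighbours is normal, so the useful signal is the rate from a single MAC, not the mere presence of ARP.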