:: Re: [DNG] how to investigate consta…
Top Pagina
Delete this message
Reply to this message
Auteur: s
Datum:  
Aan: Stefan Krusche
CC: dng
Onderwerp: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hi Stefan,

> Yes, good guess! Tcpdump show lots of these messages:
>
> 16:47:40.633536 ARP, Request who-has ip5b418d68.dynamic.kabel-deutschland.de tell ip5b418dfe.dynamic.kabel-deutschland.de, length 46
> 16:47:40.821784 ARP, Request who-has ip5b418b24.dynamic.kabel-deutschland.de tell ip5b418bfe.dynamic.kabel-deutschland.de, length 46
> 16:47:41.006438 ARP, Request who-has ip5b418a98.dynamic.kabel-deutschland.de tell ip5b418afe.dynamic.kabel-deutschland.de, length 46
>
> But what does that mean? The addresses asked for all seem to
> be from the pool of the IP addresses/domains which this ISP
> gives out.
>
> $ nslookup ip5b418d68.dynamic.kabel-deutschland.de
> Server:         127.0.0.1
> Address:        127.0.0.1#53

>
> Non-authoritative answer:
> Name: ip5b418d68.dynamic.kabel-deutschland.de
> Address: 91.65.141.104
>
> $ nslookup ip5b418b24.dynamic.kabel-deutschland.de
> Server:         127.0.0.1
> Address:        127.0.0.1#53

>
> Non-authoritative answer:
> Name: ip5b418b24.dynamic.kabel-deutschland.de
> Address: 91.65.139.36
>
> $ nslookup ip5b418a98.dynamic.kabel-deutschland.de
> Server:         127.0.0.1
> Address:        127.0.0.1#53

>
> Non-authoritative answer:
> Name: ip5b418a98.dynamic.kabel-deutschland.de
> Address: 91.65.138.152
>
> $ whois 91.65.141.104   # output cut
> […]
> inetnum:        91.65.0.0 - 91.65.255.255
> netname:        KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-14
> […]

>
> Why would my machine send these requests?
>


first of all, your machine seems to be the dns server, or you have static ips assigned?
# cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
# ifconfig -a

Then, find the processes that are running with open sockets..
Check which ones are running, and verify why..
# lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}


If that is a desktop machine, you should have a dns server somewere in the network..
It could be that you have no arp cache, and it his requesting everytime..
Having dynamic dns services also doesn't help much to your security, since they are one of the major risks braking into computers..
And you seems to have configured some dynamic dns services..

Which it helps,
Best Regards,
Tux
--
tux <tuxd3v@???>