:: Re: [DNG] how to investigate consta…
Pàgina inicial
Delete this message
Reply to this message
Autor: Stefan Krusche
Data:  
A: dng
Assumpte: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hello Tux,

thanks for your reply.

"s@po" <tuxd3v@???> schrieb am 12.10.2019 20:10:

> > Why would my machine send these requests?
>
> first of all, your machine seems to be the dns server, or you have
> static ips assigned?


Yes, unbound DNS resolver is running on this machine. No static IPs.

> # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}


I have a huge /etc/hosts file for blocking purposes. There are a
handful lines for IPs to the LAN like this which are not in use,
i.e. I have no LAN, only a laptop rarely connected to this machine:

$ head /etc/hosts
127.0.0.1       localhost
127.0.1.1       rubians
192.168.19.1    rubians
192.168.19.2    rubiana
192.168.19.3    rubiano


$ cat /etc/resolv.conf
nameserver 127.0.0.1 # this is for unbound on localhost
nameserver 83.169.184.33 # ISP's name server
nameserver 83.169.184.97 # ISP's name server

$ ifconfig -a
lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.19.1  netmask 255.255.255.0  broadcast
192.168.19.255
        ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


net0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 91.65.138.120  netmask 255.255.255.0  broadcast
91.65.138.255
        inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20<link>
        ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
        RX packets 544261  bytes 36150630 (34.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9509  bytes 923017 (901.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


> Then, find the processes that are running with open sockets..
> Check which ones are running, and verify why..
> # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}


$ sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144
bytes
09:25:00.272473 ARP, Request who-has
ip5b418c91.dynamic.kabel-deutschland.de tell
ip5b418cfe.dynamic.kabel-deutschland.de, length 46

$ nslookup ip5b418c91.dynamic.kabel-deutschland.de
Address: 91.65.140.145

$ lsof -nP -i4tcp@91.65.140.145
$ echo $?
1

Well, I can't seem to catch one - maybe I am too slow because the
connections are to short-lived?!

$ lsof -nP -i4tcp
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound   2924 unbound    6u  IPv4  15462      0t0  TCP 127.0.0.1:53
(LISTEN)
unbound   2924 unbound   10u  IPv4  15466      0t0  TCP 127.0.0.1:53
(LISTEN)
unbound   2924 unbound   12u  IPv4  15468      0t0  TCP 127.0.0.1:8953
(LISTEN)
tdeio_ima 3906  stekru    8u  IPv4  19808      0t0  TCP
91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
dictd     4888   dictd   37u  IPv4  45627      0t0  TCP 127.0.0.1:2628
(LISTEN)


> If that is a desktop machine, you should have a dns server somewere
> in the network.. It could be that you have no arp cache, and it his
> requesting everytime..


AIUI I have a ARP cache with one entry for the standard gateway of my
ISP. See my original post. Is this normal or should there be more
entries?

> Having dynamic dns services also doesn't help
> much to your security, since they are one of the major risks braking
> into computers.. And you seems to have configured some dynamic dns
> services..


Are you saying running a local DNS resolver daemon like unbound is a
security risk? And that the seemingly increased ARP traffic could be
a symptom of this machine being hacked?

Kind regards,
Stefan