Author: Dr. Nikolaus Klepp
To: dng
Subject: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno domini 2019 Sun, 13 Oct 10:13:31 +0200
Stefan Krusche scripsit:
> Hello Tux,
>
> thanks for your reply.
>
> "s@po" <tuxd3v@???> schrieb am 12.10.2019 20:10:
>
> > > Why would my machine send these requests?
> >
> > first of all, your machine seems to be the dns server, or you have
> > static ips assigned?
>
> Yes, unbound DNS resolver is running on this machine. No static IPs.
>
> > # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
>
> I have a huge /etc/hosts file for blocking purposes. There are a
> handful lines for IPs to the LAN like this which are not in use,
> i.e. I have no LAN, only a laptop rarely connected to this machine:
>
> $ head /etc/hosts
> 127.0.0.1       localhost
> 127.0.1.1       rubians
> 192.168.19.1    rubians
> 192.168.19.2    rubiana
> 192.168.19.3    rubiano

>
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1 # this is for unbound on localhost
> nameserver 83.169.184.33 # ISP's name server
> nameserver 83.169.184.97 # ISP's name server
>
> $ ifconfig -a
> lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         inet 192.168.19.1  netmask 255.255.255.0  broadcast 192.168.19.255
>         ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

>
> net0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 91.65.138.120  netmask 255.255.255.0  broadcast 91.65.138.255
>         inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20<link>
>         ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
>         RX packets 544261  bytes 36150630 (34.4 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 9509  bytes 923017 (901.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

>
> > Then, find the processes that are running with open sockets..
> > Check which ones are running, and verify why..
> > # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}
>
> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
>
> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145
>
> $ lsof -nP -i4tcp@91.65.140.145
> $ echo $?
> 1
>
> Well, I can't seem to catch one - maybe I am too slow because the
> connections are too short-lived?!
>
> $ lsof -nP -i4tcp
> COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> unbound   2924 unbound    6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound   10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound   12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
> tdeio_ima 3906  stekru    8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
> dictd     4888   dictd   37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)

>
> > If that is a desktop machine, you should have a dns server somewhere
> > in the network.. It could be that you have no arp cache, and it is
> > requesting every time..
>
> AIUI I have an ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
>
> > Having dynamic dns services also doesn't help
> > much to your security, since they are one of the major risks of breaking
> > into computers.. And you seem to have configured some dynamic dns
> > services..
>
> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?


There is some misunderstanding: The ARP packet has nothing to do with DNS. It basically links MAC to IP - and you can do funny things with it. tcpdump just does the name resolution for you; use "tcpdump -n" to go without it, e.g.:

# tcpdump -n
10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28

The ARP cache should only have as many entries as other MAC addresses are active in your part of the LAN. If you are alone on your router, then it's just your router's MAC in the cache.

nik

>
> Kind regards,
> Stefan




--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
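
Added example, not part of the original message: a small shell helper that tallies ARP requests in "tcpdump -n" output by the address after "tell", so it is clear whether the requests come from the local machine or from another host on the segment. The function names, the local address argument and the sample lines after the first two (which are the ones quoted in the reply above) are constructed for illustration.

```shell
#!/bin/sh
# Tally ARP requests by sender from `tcpdump -n` text read on stdin.
# $1 = this host's own IPv4 address (assumption: supplied by the caller).
# Live use, with the interface name from the thread:
#   sudo tcpdump -n -i net0 -c 200 arp | arp_request_senders 91.65.138.120
arp_request_senders() {
    awk -v self="$1" '
        # Request lines look like:
        #   HH:MM:SS.us ARP, Request who-has A tell B, length N
        # Some requests carry "(ff:ff:ff:ff:ff:ff)" after A, so scan for "tell".
        $2 == "ARP," && $3 == "Request" && $4 == "who-has" {
            for (i = 5; i < NF; i++) {
                if ($i == "tell") {
                    sender = $(i + 1)
                    sub(/,$/, "", sender)   # drop the trailing comma
                    count[sender]++
                    break
                }
            }
        }
        END {
            for (s in count)
                printf "%d %s %s\n", count[s], s, (s == self ? "local" : "remote")
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample capture (first two lines as quoted in the reply above).
sample_capture() {
    cat <<'EOF'
10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
10:28:15.100000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 46
10:28:15.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.190, length 28
10:28:16.300000 ARP, Request who-has 192.168.1.21 (ff:ff:ff:ff:ff:ff) tell 192.168.1.1, length 46
10:28:16.400000 IP 192.168.1.190.60214 > 192.168.1.1.53: UDP, length 40
EOF
}

# Treat 192.168.1.190 as the local host for the sample.
sample_capture | arp_request_senders 192.168.1.190
```

Requests attributed to "remote" senders are broadcasts from other hosts that the interface merely receives; only the "local" row counts as traffic this machine transmitted.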