:: Re: [DNG] how to investigate consta…
Author: s
Date:
To: Stefan Krusche
CC: dng
Subject: Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hi Stefan,

> > first of all, your machine seems to be the dns server, or you have
> > static ips assigned?
>
> Yes, unbound DNS resolver is running on this machine. No static IPs.
>

You have a public dynamic IP, I assume.

So you are in the domain: 'dynamic.kabel-deutschland.de'
but from what I see, is that domain a /24 or not??
you:
FQDN: ip5b418cfe.dynamic.kabel-deutschland.de
IP: 91.65.138.120/24

Someone else:
FQDN: ip5b418c91.dynamic.kabel-deutschland.de
IP: 91.65.140.145/24??

Something strange: you have 2 different *public* networks in the same domain?

Another thing..
Are you trying to have 2 machines connected with a foreign dynamic DNS service, e.g. 'https://www.noip.com/free'?

> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
>

Who is 'ip5b418c91.dynamic.kabel-deutschland.de'??
Is it another machine of yours?

Do a:
arping 91.65.140.145
Check the MAC address and compare it with any one of yours..

> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145


It's a different network from yours, but they have exactly the same domain.. weird??
What is the DNS server that responds to that request?
It should be: '83.169.184.33'

> AIUI I have a ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
>

Any IP address of your network should be there (192.168.19.2, 192.168.19.3??), but if none was contacted then it's ok..


> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?
>

No, I don't even know what 'unbound' is..

But if you are using an external service, depending on the type of external dynamic DNS service,
yes. I was already, some 15 years ago, using 'https://www.noip.com/free',
and I already saw tons of cases like mine out there (they don't offer you a dynamic DNS service for free... free for them means your information is sold on the black market... they need to make money.. no one offers free services..)..

But that doesn't mean you are the case here.. (I don't even know what the domain 'dynamic.kabel-deutschland.de' is..)

Your machine is acting as a DNS cache server for the network 192.168.19.0/24, from what it seems..

--
Best Regards,
tux <tuxd3v@???>
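As an added example, not part of tux's reply or of Stefan's original post: a small Python script that parses tcpdump's ARP output (the sample below is constructed in that format; the first target/sender pair mirrors the thread, while the 192.168.19.x lines and the MAC address are invented) and reports, per target, how many requests were sent, who asked for it, which targets never appeared in a Reply, and the busiest second. A host keeps re-sending ARP requests for an address that never answers as long as something keeps trying to send to it, so unanswered targets are the first thing to look at. The `same_subnet` helper shows the netmask reasoning behind the "/24?" question above: the kernel only ARPs for an address it considers on-link, so the two public addresses from the thread would only be ARPed for each other with a prefix of /21 or shorter (a host route would do the same, which the helper ignores).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the format of `sudo tcpdump arp` (not a capture from the
# original post): the first target/sender pair mirrors the thread, the
# 192.168.19.x lines and the MAC address are invented for illustration.
SAMPLE_CAPTURE = """\
09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
09:25:00.272801 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
09:25:00.273122 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
09:25:01.001500 ARP, Request who-has 192.168.19.1 tell 192.168.19.2, length 28
09:25:01.001900 ARP, Reply 192.168.19.1 is-at 00:11:22:33:44:55, length 28
09:25:01.500000 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
"""

# tcpdump prints "HH:MM:SS.usec ARP, Request who-has TARGET tell SENDER, length N"
# and "HH:MM:SS.usec ARP, Reply TARGET is-at MAC, length N"; TARGET/SENDER are
# names or (with -n) addresses, so any run of non-space, non-comma characters.
REQUEST_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has ([^\s,]+) tell ([^\s,]+), length"
)
REPLY_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Reply ([^\s,]+) is-at ([^\s,]+), length"
)


def summarize_arp(capture: str) -> dict:
    """Summarise a tcpdump ARP capture.

    Returns per-target request counts, the senders that asked for each target,
    the targets that never appeared in a Reply (the ones a host keeps
    re-asking for), and the number of requests in the busiest second.
    """
    requests = Counter()
    per_second = Counter()
    askers = defaultdict(set)
    answered = set()
    for line in capture.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            second, target, sender = m.groups()
            requests[target] += 1
            per_second[second] += 1
            askers[target].add(sender)
            continue
        m = REPLY_RE.match(line)
        if m:
            answered.add(m.group(2))
    return {
        "requests": dict(requests),
        "askers": {t: sorted(s) for t, s in askers.items()},
        "unanswered": {t: n for t, n in requests.items() if t not in answered},
        "peak_per_second": max(per_second.values(), default=0),
    }


def same_subnet(own_ip: str, target_ip: str, prefixlen: int) -> bool:
    """True if, with own_ip/prefixlen configured on the interface, the kernel
    would treat target_ip as on-link and resolve it with ARP instead of
    handing it to the default gateway (extra host routes are ignored here)."""
    net = ipaddress.ip_network(f"{own_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(target_ip) in net


if __name__ == "__main__":
    report = summarize_arp(SAMPLE_CAPTURE)
    for target, count in sorted(report["requests"].items(), key=lambda kv: -kv[1]):
        status = "UNANSWERED" if target in report["unanswered"] else "answered"
        senders = ", ".join(report["askers"][target])
        print(f"{count:4d} requests for {target} ({status}) from {senders}")
    print(f"peak: {report['peak_per_second']} requests in one second")
    # The two public addresses from the thread share a /21 but not a /24.
    for plen in (24, 21):
        on_link = same_subnet("91.65.138.120", "91.65.140.145", plen)
        print(f"/{plen}: 91.65.140.145 on-link for 91.65.138.120 -> {on_link}")
```

To run it against a real host, feed the text of `sudo tcpdump -l arp` (with or without `-n`) to `summarize_arp` instead of the sample; a target that tops the request count and sits in the unanswered set, combined with `same_subnet` (or `ip route get <target>`) showing why the kernel thinks it is directly reachable, usually explains a constant outgoing ARP rate.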