On Thu, 2007-06-21 at 08:15 +0200, Manuel Arostegui Ramirez wrote:
> On Thursday, 21 June 2007 03:34, Rick Sewill wrote:
> >
> > I suspect these ARP requests are caused by botnets, on the Internet,
> > scanning IP address ranges for PCs to compromise. There is a steady
> > bombardment of Microsoft Messenger Service, NetrSendMessage requests to
> > UDP port 1026, coming to my IP address. Lucky for me, Fedora discards
> > the message and no response is generated. The botnets do not give up.
>
> Maybe I'm not understanding what you mean there, but... how can botnets make
> ARP requests through the Internet?
> As far as I know, ARP requests are only made in LANs and it's impossible for
> them to pass a router and reach the Internet.
>

You are correct. ARP requests are used on a broadcast interface to discover the association between an IP address and a MAC address. ARP requests are not passed on by a router.

Let me explain. First, I wish to tell what I am currently seeing on my Internet connection. Next, I will guess why I am seeing what I see.

It is 3:10 a.m., my time. One would expect my connection to the cable company to be relatively quiet.

I just ran wireshark for 41 seconds. I got 1871 ARP requests; 1870 were from the cable company, and one was from a device with a Motorola (OID) MAC address.

I also got 31 regular IP packets, of which 5 were TCP and 26 were UDP. Of the TCP packets, I originated one; the other 4 came to me.

Sixteen of the UDP packets were unicast to me, to my port 6881, which is weird. UDP port 6881 is a bittorrent port. I admit to seeding Fedora 7, but that was a few days ago. Iptables, by default, discards all packets I receive on port 6881, unless I explicitly open ports.

The other ten UDP packets were DHCP offers and DHCP acks, directed to the 255.255.255.255 broadcast address.

The sender of all the DHCP packets, and the 1870 ARP requests, that I saw had the same ethernet MAC source address.

I did not see any NetrSendMessage during that 41 second interval. The NetrSendMessage messages are UDP packets destined to port 1026. I had seen the NetrSendMessage yesterday afternoon. I never have a Windows machine connected to that interface, so there is no reason a packet specific to a Microsoft protocol should come to that interface.

I am guessing botnets are sending these IP packets, on UDP port 6881 and UDP port 1026, to every IP address in a range of IP addresses.

In the case of the cable companies, I believe they treat the cable like it is a broadcast interface. I believe they ARP for that IP address to get the MAC address for that machine. I get these ARP requests because they are broadcast to me and to everyone with whom I share the cable.

I actually don't see the logic to cable companies doing this. Cable companies should know the MAC address associated with my IP address. Either the cable company assigned my IP address, in the case of a dynamic IP address, or the cable company statically configured my IP address, in the case of certain business accounts. I pay a flat rate, which means the cable company does not need to know if my machine is on or off as far as billing is concerned. I am allowed a finite number of IP addresses, three, so the cable company has to know the number of devices connected to my cable modem.

The telephone companies should do a better job. I do not believe the telephone companies treat their wire as a broadcast interface. I have not had the opportunity to hook a network sniffer up to a telephone company wire to see what they do.

If the cable company is spewing forth all that traffic, without any prompting from botnets, and without any prompting from me, one might think the cable company software were in need of repair.

> Cheers
>
> --
> Manuel Arostegui Ramirez.
>
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues.
>
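The tally Rick describes above (ARP requests grouped by source MAC, TCP versus UDP, UDP broken down by destination port, DHCP broadcasts) is exactly the kind of triage one does on a noisy shared-medium link. The following is an added example, not code from the thread or from the fedora-list posters: a small frame classifier that decodes raw Ethernet/ARP/IPv4 headers with `struct` and produces that summary. The MAC and IP addresses, the port annotations, and the frames in `build_sample_capture()` are all constructed for the demo (RFC 5737 documentation addresses), so it runs offline; on real traffic you would feed it the raw bytes of each frame from a pcap reader instead.

```python
import struct
from collections import Counter

# Constructed sample addresses (not from the original thread).
CABLE_ROUTER_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("00aabbccddee")
MY_MAC = bytes.fromhex("66778899aabb")
BROADCAST_MAC = b"\xff" * 6
ROUTER_IP, MY_IP = "192.0.2.1", "192.0.2.10"

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Annotations for ports the thread discusses; these are well-known uses, added here.
PORT_NOTES = {1026: "Windows Messenger Service (NetrSendMessage) spam",
              6881: "BitTorrent peer port"}


def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    # htype 1 (Ethernet), ptype IPv4, hlen 6, plen 4, opcode 1 (request), target MAC unknown
    body = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + sender_mac + ip_bytes(sender_ip)
            + b"\x00" * 6 + ip_bytes(target_ip))
    return ethernet(BROADCAST_MAC, sender_mac, ETH_ARP, body)


def ipv4_packet(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    # Minimal 20-byte IPv4 header; checksum left zero since nothing here verifies it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return ethernet(dst_mac, src_mac, ETH_IPV4, hdr + l4)


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_syn(sport, dport):
    # 20-byte TCP header: data offset 5, SYN flag set, window 8192
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def classify(frame):
    """Return (kind, detail) for one raw Ethernet frame."""
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_ARP:
        opcode = struct.unpack("!H", payload[6:8])[0]
        return ("arp_request" if opcode == 1 else "arp_reply", src.hex())
    if ethertype == ETH_IPV4:
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        dst_ip = ".".join(str(b) for b in payload[16:20])
        l4 = payload[ihl:]
        dport = struct.unpack("!H", l4[2:4])[0]
        if proto == IPPROTO_TCP:
            return ("tcp", dport)
        if proto == IPPROTO_UDP:
            # DHCP offers/acks: server port 67 -> client port 68 to the limited broadcast address
            if dst_ip == "255.255.255.255" and dport == 68:
                return ("dhcp_broadcast", dport)
            return ("udp", dport)
    return ("other", None)


def summarize(frames):
    s = {"arp_requests": 0, "arp_sources": Counter(), "tcp": 0,
         "udp_by_port": Counter(), "dhcp_broadcast": 0, "other": 0}
    for frame in frames:
        kind, detail = classify(frame)
        if kind == "arp_request":
            s["arp_requests"] += 1
            s["arp_sources"][detail] += 1
        elif kind == "tcp":
            s["tcp"] += 1
        elif kind == "udp":
            s["udp_by_port"][detail] += 1
        elif kind == "dhcp_broadcast":
            s["dhcp_broadcast"] += 1
        else:
            s["other"] += 1
    return s


def build_sample_capture():
    """Constructed capture resembling the mix described in the thread, at a smaller scale."""
    frames = [arp_request(CABLE_ROUTER_MAC, ROUTER_IP, f"192.0.2.{i}") for i in range(20, 25)]
    frames.append(arp_request(OTHER_MAC, "192.0.2.99", MY_IP))
    frames.append(ipv4_packet(CABLE_ROUTER_MAC, MY_MAC, "203.0.113.5", MY_IP, IPPROTO_TCP, tcp_syn(40000, 22)))
    frames.append(ipv4_packet(MY_MAC, CABLE_ROUTER_MAC, MY_IP, "203.0.113.5", IPPROTO_TCP, tcp_syn(22, 40000)))
    frames += [ipv4_packet(CABLE_ROUTER_MAC, MY_MAC, f"203.0.113.{10 + i}", MY_IP, IPPROTO_UDP, udp(6881, 6881)) for i in range(3)]
    frames += [ipv4_packet(CABLE_ROUTER_MAC, MY_MAC, f"203.0.113.{20 + i}", MY_IP, IPPROTO_UDP, udp(1026, 1026)) for i in range(2)]
    frames += [ipv4_packet(CABLE_ROUTER_MAC, BROADCAST_MAC, ROUTER_IP, "255.255.255.255", IPPROTO_UDP, udp(67, 68)) for _ in range(2)]
    return frames


if __name__ == "__main__":
    s = summarize(build_sample_capture())
    print(f"ARP requests: {s['arp_requests']} from {len(s['arp_sources'])} source MAC(s)")
    for mac, n in s["arp_sources"].most_common():
        print(f"  {mac}: {n}")
    print(f"TCP: {s['tcp']}, DHCP broadcast: {s['dhcp_broadcast']}, other: {s['other']}")
    for port, n in s["udp_by_port"].most_common():
        print(f"UDP to port {port}: {n}  ({PORT_NOTES.get(port, 'unannotated')})")
```

The point of keying ARP requests by source MAC is the same observation Rick made by hand: a single upstream MAC emitting nearly all of the ARP traffic and all of the DHCP broadcasts says the noise is the cable plant's own address resolution, not something that originates beyond the router. Unsolicited unicast UDP to a port you are no longer listening on is the part worth a firewall log entry, and `classify()` returns the destination port so that check can be layered on top.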