On Thursday 21 June 2007 11:17:26 Rick Sewill wrote:
> On Thu, 2007-06-21 at 08:15 +0200, Manuel Arostegui Ramirez wrote:
> > On Thursday, 21 June 2007 03:34, Rick Sewill wrote:
> > > I suspect these ARP requests are caused by botnets, on the Internet,
> > > scanning IP address ranges for PCs to compromise. There is a steady
> > > bombardment of Microsoft Messenger Service, NetrSendMessage requests to
> > > UDP port 1026, coming to my IP address. Lucky for me, Fedora discards
> > > the message and no response is generated. The botnets do not give up.
> >
> > Maybe I'm not understanding what you mean there but... how can botnets
> > make ARP questions through the Internet?
> > As far as I know ARP requests are only made in LANs and it's impossible
> > for them to pass a router and reach the Internet.
>
> You are correct. ARP requests are used on a broadcast interface to
> discover the association between an IP address and a MAC address. ARP
> requests are not passed on by a router. Let me explain.
>
> First, I wish to tell what I am currently seeing on my internet
> connection. Next, I will guess why I am seeing what I see.
>
> It is 3:10 a.m., my time. One would expect my connection to the cable
> company to be relatively quiet. I just ran wireshark for 41 seconds.
> I got 1871 ARP requests, 1870 were from the cable company, and one was
> from a device with a Motorola (OID) MAC address.
>
> I also got 31 regular IP packets, of which 5 were TCP and 26 were UDP.
> Of the UDP packets.
>
> I originated one TCP packet. The other 4 came to me.
>
> Sixteen of the UDP packets were unicast to me, to my port 6881, which is
> weird. UDP port 6881 is a bittorrent port. I admit to seeding Fedora
> 7, but that was a few days ago. Iptables, by default, discards all
> packets I receive on port 6881, unless I explicitly open ports.
>
> The other ten UDP packets were DHCP offers, and DHCP acks, directed to
> the 255.255.255.255 broadcast address.
>
> The sender of all the DHCP packets, and the 1870 ARP requests, that I
> saw, had the same ethernet MAC source address.
>
> I did not see any NetrSendMessage during that 41 second interval. The
> NetrSendMessage messages are UDP packets destined to port 1026. I had
> seen the NetrSendMessage yesterday afternoon. I never have a Windows
> machine connected to that interface so there is no reason a packet
> specific to a Microsoft protocol should come to that interface.
>
> I am guessing botnets are sending these IP packets, on UDP port 6881,
> and UDP port 1026, to every IP address in a range of IP addresses.
>
> In the case of the cable companies, I believe they treat the cable like
> it is a broadcast interface. I believe they ARP for that IP address to
> get the MAC address for that machine. I get these ARP requests because
> they are broadcast to me and to everyone with whom I share the cable.
>
> I actually don't see the logic to cable companies doing this.
>
> Cable companies should know the MAC address associated with my IP
> address. Either the cable company assigned my IP address, in the case
> of a dynamic IP address, or the cable company statically configured my
> IP address, in the case of certain business accounts. I pay a flat rate
> which means the cable company does not need to know if my machine is on
> or off as far as billing is concerned. I am allowed a finite number of
> IP addresses, three, so the cable company has to know the number of
> devices connected to my cable modem.
>
> The telephone companies should do a better job. I do not believe the
> telephone companies treat their wire as a broadcast interface. I have
> not had the opportunity to hook a network sniffer up to a telephone
> company wire to see what they do.
>
> If the cable company is spewing forth all that traffic, without any
> prompting from botnets, and without any prompting from me, one might
> think the cable company software were in need of repair.
Nice explanation, now it's much clearer :-)

I forgot you were using a cable connection, therefore all of the above is reasonable, since they treat all their users as part of a huge LAN.

I agree with you that that's not the best way to manage all their clients, especially if we think about security... It's the same in Spain; I was using a cable connection (I will not give names) very common here and it was such a laugh if we talk about security... It was almost just a big LAN, no more... sad but true, though...

On the other hand... can you complain about that to your cable ISP?

Cheers

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
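As an added example (not from the thread or either poster), this small Python frame classifier reproduces the triage Rick did by hand: it decodes raw Ethernet frames into ARP requests per source MAC, unicast UDP to ports 6881 and 1026, and DHCP broadcasts, so a single MAC flooding ARP stands out in the summary. The MAC and IP values are constructed sample data, and the IPv4/UDP frames are built without checksums.

```python
import struct
from collections import Counter
BCAST = b"\xff" * 6
def ip4(s): return bytes(int(x) for x in s.split("."))   # dotted quad -> 4 bytes
PORT_NOTE = {1026: "udp-1026 (Messenger/NetrSendMessage probe)", 6881: "udp-6881 (bittorrent)"}

def build_arp_request(src_mac, sender_ip, target_ip):
    """Broadcast Ethernet frame carrying an ARP who-has (opcode 1)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, ip4(sender_ip), b"\0" * 6, ip4(target_ip))
    return BCAST + src_mac + b"\x08\x06" + arp

def build_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Minimal IPv4/UDP frame; checksums left zero (constructed data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

def classify(frame):
    """Label one raw Ethernet frame the way the capture in the thread was read."""
    src = frame[6:12].hex(":")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == 0x0806:                                   # ARP: opcode 1 = request
        return ("arp-request" if frame[20:22] == b"\x00\x01" else "arp-reply", src)
    if etype == 0x0800:                                   # IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto, dst_ip = frame[23], ".".join(map(str, frame[30:34]))
        if proto == 17:                                   # UDP: read destination port
            dport = struct.unpack("!H", frame[16 + ihl:18 + ihl])[0]
            if dst_ip == "255.255.255.255" and dport == 68:
                return ("dhcp-broadcast", src)
            return (PORT_NOTE.get(dport, f"udp-{dport}"), src)
        return ("tcp" if proto == 6 else "other", src)
    return ("other", src)

def summarize(frames):
    """Count frame classes, and ARP requests per source MAC (the flood indicator)."""
    labels = [classify(f) for f in frames]
    kinds = Counter(label for label, _ in labels)
    arp_src = Counter(src for label, src in labels if label == "arp-request")
    return kinds, arp_src

# Constructed sample: one gateway MAC ARPs for several customer IPs, a second
# device ARPs once, plus unicast UDP probes to 6881/1026 and a DHCP broadcast.
ISP, MOTO, ME = b"\x00\x11\x22\x33\x44\x55", b"\x00\x0c\xe5\x01\x02\x03", b"\x00\xaa\xbb\xcc\xdd\xee"
SAMPLE = [build_arp_request(ISP, "10.0.0.1", f"10.0.0.{i}") for i in range(2, 7)]
SAMPLE.append(build_arp_request(MOTO, "10.0.0.9", "10.0.0.1"))
SAMPLE.append(build_udp(ISP, ME, "198.51.100.7", "10.0.0.2", 40000, 6881))
SAMPLE.append(build_udp(ISP, ME, "198.51.100.8", "10.0.0.2", 40001, 1026))
SAMPLE.append(build_udp(ISP, BCAST, "10.0.0.1", "255.255.255.255", 67, 68))
```

Feeding `summarize` the raw frames from a real capture (for example via a pcap reader) gives the same per-class and per-MAC counts Rick read off wireshark.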