jlg (Guru)
Joined: 31 May 2002  Posts: 360  Location: Montreal, CANADA
Posted: Thu Aug 07, 2003 3:53 pm  Post subject: 10 ARP's per seconds
Here is the situation!
Yesterday the PC light on my cable modem started flashing like crazy. Usually it just stays on with no flashing. The light for data is off, unless I start downloading stuff, which is normal. So I decided to do some sniffing with ethereal to see what was going on.
This is a sample of the output:
Code:
NO.  Time    Source      Destination  Protocol  Info
1    0.0000  modemcable  Broadcast    ARP       who has 24.203.73.20? Tell 24.203.73.1
2    0.0722  modemcable  Broadcast    ARP       who has 24.202.160.160? Tell 24.202.160.1
...
Like I said, I get about 10 ARPs per second. Now I know that ARP is used to map IP addresses to MAC addresses, but why the hell am I getting all those? My internet provider has a misconfigured gateway? Switch? Other possible reasons?
devon (l33t)
Joined: 23 Jun 2003  Posts: 943
Posted: Thu Aug 07, 2003 3:57 pm
When a device ARPs for a MAC address, it sends an Ethernet frame to the broadcast Ethernet address of FFFF.FFFF.FFFF. Switches take that frame and forward it out all ports. It sounds like your ISP doesn't have their broadcast domains set up properly, or they may have a misbehaving switch.
JohanH (n00b)
Joined: 12 Apr 2003  Posts: 27  Location: Fishers, IN
Posted: Sat Sep 06, 2003 2:19 am
I just started looking into my network traffic (saw a reference here to using tcpdump, tcpstat and gnuplot to generate graphs of the packets coming to my network card, which I thought sounded neat). Anyhow, the results of my first tests show that I receive about 80 ARP packets per second (I'm also on a cable modem). The tcpdump output seems to look like jlg's:
Code:
20:56:11.020314 arp who-has dhcp16617062.indy.rr.com tell dhcp16616001.indy.rr.com
20:56:11.022266 arp who-has dhcp16617195.indy.rr.com tell dhcp16616001.indy.rr.com
Interestingly, iptables is configured with an INPUT DROP policy, and will only let in ESTABLISHED and RELATED packets:
Code:
Chain INPUT (policy DROP 1629 packets, 252K bytes)
 pkts bytes target  prot opt in  out  source    destination
 411K  594M ACCEPT  all  --  any any  anywhere  anywhere     state RELATED,ESTABLISHED
   41  3564 ACCEPT  all  --  lo  any  anywhere  anywhere
 1629  252K LOG     all  --  any any  anywhere  anywhere     LOG level warning prefix `FIREWALL:INPUT '
Looking at my firewall logs, I see no ARP packets being blocked, but a large amount of dropped ICMP echo packets. Conversely, the tcpdump plot showed hardly any ICMP packets.
Not being a network guru, I struggle somewhat in making sense of all this. Does the fact that I don't have ARP tables support in my kernel mean that any ARP packet will be let through the firewall, the default DROP policy notwithstanding? [...] Would adding ARP tables support to the kernel make iptables drop the ARP packets?
Sorry about all the questions, but I'm obviously anxious to get a better understanding of why my lowly home PC would attract all this traffic. BTW, my cable provider is Time Warner Bright House (was Road Runner). jlg, do they operate in Montreal too, or do you have a different provider?
EDIT: No, adding ARP tables support to the kernel made no difference, I still see all the ARP packets.
EDIT 2: Found this, so it seems that I'm not alone in seeing a lot of ARP traffic in Time Warner's cable network. Also found this, which seems to indicate that iptables does not support filtering ARP packets (odd, since my gentoo-sources-2.4.20-r6 kernel at least has that option), but in any event blocking ARP might not be such a good idea. Has anyone succeeded in having iptables block ARP without adverse effects?
EDIT 3: Further searching and own experiments seem to indicate that tcpdump sees the traffic before it is filtered by iptables, so I snipped that question from my original post. The ICMP just got drowned out by the ARPs when I looked at it.
Last edited by JohanH on Sat Sep 06, 2003 4:17 am; edited 1 time in total
|
jlg (Guru)
Joined: 31 May 2002  Posts: 360  Location: Montreal, CANADA
Posted: Sat Sep 06, 2003 3:09 am
Not the same provider! My provider here is Videotron!
I'm thinking all this madness is coming from all those infected Windows machines.
JohanH (n00b)
Joined: 12 Apr 2003  Posts: 27  Location: Fishers, IN
Posted: Sat Sep 06, 2003 3:42 am
jlg wrote:
    I'm thinking all this madness is coming from all those infected windows machines
I thought all the ICMP echos were from Windows machines with Welchia/Nachi. But the ARP traffic? Perhaps all the ICMP has triggered some strange behavior in a switch somewhere (as per devon's hypothesis)?
Do you know if tcpdump (or ethereal in your case) gets a look at the traffic before or after it's been filtered by iptables? I'd sure like to get those pretty graphs in order, but there is not much point if all the ARPs make everything else basically flatline. If not, I'll have to figure out how to use a logarithmic scale in gnuplot...
ocbMaurice (Tux's lil' helper)
Joined: 14 Feb 2003  Posts: 90  Location: Switzerland
Posted: Sat Sep 06, 2003 1:13 pm
I do have these ARP requests too (I'm in Switzerland and have cable). But IMO the cable modem is really a bridge and not a modem. That means it is absolutely normal that you receive these ARPs. You can check this if you look at the routes you have (simply type "route -n"). Mine shows something like:
dest : 143.218.128.0 / mask : 255.255.248.0
default gateway : 143.218.128.1
So this really tells me that I can directly speak to all IPs from 143.218.128.1 to 143.218.135.255. Directly means that I do not go through any gateway/router; or, differently said, I speak to the peer directly through Ethernet/MAC addresses. So it really seems that those ARPs are OK!
Maurice
PS. Of course, some viruses (like Nimda) will mostly scan the same subnet as their victim is in. So if any other customer of your ISP has such a virus, the chance is high that you'll see ARPs and other traffic from him.
|
JohanH (n00b)
Joined: 12 Apr 2003  Posts: 27  Location: Fishers, IN
Posted: Sat Sep 06, 2003 2:39 pm
OK, thanks for the info, ocbMaurice!
route -n gives this output for me (for eth0):
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
65.26.180.0     0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         65.26.180.1     0.0.0.0         UG    0      0        0 eth0
My (entirely amateurish) reading of this (after reading man route) is that I have first a route defined from my box to the cable modem, and then one from the cable modem to the ISP's gateway at 65.26.180.1, correct? As you say, and I also read about it somewhere else, having this kind of ARP traffic is normal, but I'm nevertheless still puzzled why the gateway would incessantly have to ask who has which IP address. Wouldn't the provider's DHCP server already know this? Or do malware-affected peers on my subnet spew out these broadcasts, even though they typically say 'tell the gateway who has a particular IP address'?
|
ocbMaurice (Tux's lil' helper)
Joined: 14 Feb 2003  Posts: 90  Location: Switzerland
Posted: Sat Sep 06, 2003 3:23 pm
You seem to mix up gateway and subnet. You are part of the subnet 65.26.180.0/24. Physically, all those computers in this subnet can talk to each other as if they were connected through a hub or a switch (layer 1/2 in the OSI model). That's why the cable modem is a bridge and not a real modem.
All other traffic that is not going to an IP in this subnet has to be routed into the internet. This is done by the gateway (normally every subnet has at least one gateway).
Every packet you send out will look up which route it has to take. Packets that should reach a target within the subnet can simply be sent over Ethernet (via MAC addresses). All other packets have to be sent over the gateway (you have to be able to reach a gateway via MAC address). I know, it isn't that easy a topic. When I think about ARP tables and the like, there is a lot of room for possible security problems. I'm sure you'll find a lot more information on Google.
Maurice
PS. A bridge is something very special and not often seen. Basically you can reach the CM via its MAC address on the Ethernet side (the CM also has another MAC on the coax side). The CM also has no IP address itself. So for Linux the CM actually doesn't exist. All is done transparently and the result looks as if all customers of your ISP had been directly connected to a big hub through standard network cables. So the CM really just "bridges" the network cable ...
|
JohanH (n00b)
Joined: 12 Apr 2003  Posts: 27  Location: Fishers, IN
Posted: Sat Sep 06, 2003 4:01 pm
Thanks for the explanation, ocbMaurice! I guess my understanding of the setup was that all computers in my subnet were able to communicate with each other, and otherwise traffic would go to the gateway; I just couldn't figure out the CM's role in the equation (and the route -n output didn't make much sense to me). In any event, I don't have any influence over the traffic that reaches my CM, I just wanted to ensure that I wasn't letting anything potentially malicious into my PC. That, and much like jlg describes, my activity light on the CM is lighting up a lot more than earlier over the last few weeks. As long as the volume isn't enough to hog all my bandwidth I guess it's not an issue though...
In any event, I'll google some more. If nothing else, it's certainly interesting to see all the stuff that travels through the network cable!
devon (l33t)
Joined: 23 Jun 2003  Posts: 943
Posted: Sun Sep 07, 2003 10:05 pm
JohanH wrote:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    65.26.180.0     0.0.0.0         255.255.254.0   U     0      0        0 eth0
    0.0.0.0         65.26.180.1     0.0.0.0         UG    0      0        0 eth0
ocbMaurice wrote:
    You seem to mix gateway and subnet. You are part of the subnet 65.26.180.0/24.
Just to clarify, 255.255.254.0 = /23. Or two /24 networks. I am sure it is a simple oversight ($DEITY knows I do it), but I wanted to correct this for future generations of Gentoo-users.
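Added example, not posted by anyone in the thread: a small Python script that does what ocbMaurice did by hand with "route -n" and what devon corrected (255.255.254.0 is a /23), then checks captured ARP requests against the result. It parses JohanH's routing table as quoted above, derives the directly reachable range, and for each ARP request (in the "who-has X tell Y" form that `tcpdump -n` prints) reports whether the asked-for address is on-link and whether the asker is the default gateway, plus the requests-per-second count that the thread was eyeballing. The ARP sample lines are constructed for the 65.26.180.0/23 range; the function and variable names are my own.

```python
import ipaddress
from collections import Counter

# JohanH's "route -n" output as posted in the thread (sample input).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
65.26.180.0     0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         65.26.180.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed ARP requests in tcpdump -n form (not real capture data).
ARP_LINES = [
    "20:56:11.020314 arp who-has 65.26.181.77 tell 65.26.180.1",   # on-link (/23)
    "20:56:11.022266 arp who-has 65.26.180.200 tell 65.26.180.1",  # on-link
    "20:56:11.500000 arp who-has 10.0.0.5 tell 65.26.180.1",       # not on-link
    "20:56:12.100000 arp who-has 65.26.182.3 tell 65.26.180.1",    # outside the /23
]

def onlink_networks(route_output):
    """Directly connected routes (no G flag): the addresses ARP can reach."""
    nets = []
    for line in route_output.splitlines()[2:]:          # skip the two header lines
        dest, _gw, mask, flags, *_rest, iface = line.split()
        if "G" not in flags and dest != "0.0.0.0":
            nets.append((iface, ipaddress.ip_network(f"{dest}/{mask}")))
    return nets

def default_gateway(route_output):
    """Gateway of the 0.0.0.0 route, i.e. the box that should be ARPing for peers."""
    for line in route_output.splitlines()[2:]:
        dest, gw, *_ = line.split()
        if dest == "0.0.0.0":
            return gw
    return None

def classify_arp(lines, route_output):
    """Per request: is the target on-link, is the asker the gateway; plus rate/sec."""
    nets = [n for _, n in onlink_networks(route_output)]
    gw = default_gateway(route_output)
    per_second, results = Counter(), []
    for line in lines:
        ts, _arp, _who, target, _tell, sender = line.split()
        per_second[ts.split(".")[0]] += 1                  # bucket by whole second
        t = ipaddress.ip_address(target)
        results.append({"target": target,
                        "on_link": any(t in n for n in nets),
                        "from_gateway": sender == gw})
    return results, per_second
```

Requests whose target is on-link and whose sender is the gateway are the normal case ocbMaurice describes; a high count from other senders, or targets outside the /23, is what would merit a closer look.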