[linux] Flood hack ?? strange behaviour // arp who-has 500x/1 second

Jan Kunder jan.kunder at gmail.com
Tuesday January 3 23:14:02 CET 2006


Hi

I would like to ask about what is IMHO abnormal behaviour on the network.
I noticed it because the network card (read: the ETHERNET LED) on the
chello cable modem was blinking constantly!

During 10 seconds of observation (tcpdump), with no traffic/requests from
my side, I found this:
repeating non-stop:
18:31:31.294356 arp who-has chello085216166124.chello.sk tell chello085216160001.chello.sk
18:31:31.301249 arp who-has chello085216165170.chello.sk tell chello085216160001.chello.sk
18:31:31.313380 arp who-has chello085216164224.chello.sk tell chello085216163174.chello.sk
18:31:31.313660 arp who-has chello085216165086.chello.sk tell chello085216163174.chello.sk

The whole 10-second dump (64kB):
http://tmp.kunder.sk/chello-arp_dhcp10-nonMY

Another dump, lasting 2 minutes, taken an hour later (700KB):
http://tmp.kunder.sk/tcp+udp-dump-2006-01-02-nonMY
and the same again, but with the Very Verbose (-vv) option:
http://tmp.kunder.sk/dump_VeryVerbose-2006-01-02-nonMY



Suspicious IPs (number of different requests, mostly arp who-has):
(note that the counts listed are for 10 seconds!!)
chello085216160001: 308
chello085216160001.chello.sk has address 85.216.160.1

chello085216163174: 16
chello217023241193: 6
chello085216165138: 2


Apart from that, you might find this interesting (REQUESTs within the same
IP!):
19:38:29.885509 arp who-has chello085216166077.chello.sk tell chello085216166077.chello.sk
19:38:29.923662 arp who-has chello085216166077.chello.sk tell chello085216166077.chello.sk
19:38:30.924060 arp who-has chello085216166077.chello.sk tell chello085216166077.chello.sk
19:41:47.585068 arp who-has 85.216.164.0 tell 85.216.164.0
19:41:48.512827 arp who-has 85.216.164.0 tell 85.216.164.0
19:42:53.681794 arp who-has chello217023241211.chello.sk tell chello217023241211.chello.sk

Thanks


-- 
Jan Kunder
jan.kunderHATESPAMgmail.com
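As an added example (not from the post or the list), here is a small Python script that does what the post did by hand over a tcpdump capture: it parses the "arp who-has X tell Y" lines, counts requests per requesting host, computes the peak number of requests any one host sends within a single second, and lists the requests where the asking host is the same as the target (gratuitous ARP / address announcement, which a host sends after taking an address to check that nobody else already uses it). The first four input lines are copied from the post; the burst of 40 requests, the two self-requests and the DHCP line are constructed so the script runs offline, and the threshold of 10 requests per second per host is an arbitrary assumption that should be set against the segment's own baseline (a cable gateway resolving its whole subnet looks very different from a single host doing the same).

```python
import re
from collections import Counter, defaultdict

# Classic tcpdump ARP request line, as in the post:
#   18:31:31.294356 arp who-has <target> tell <sender>
# A trailing ", length 28" (newer tcpdump) is tolerated by excluding commas.
ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+arp who-has\s+"
    r"(?P<target>[^\s,]+)\s+tell\s+(?P<sender>[^\s,]+)"
)

# Constructed sample capture: four lines copied from the post, a constructed
# burst from the gateway host, two constructed self-requests and one
# constructed non-ARP line that the parser must skip.
SAMPLE_DUMP = [
    "18:31:31.294356 arp who-has chello085216166124.chello.sk tell chello085216160001.chello.sk",
    "18:31:31.301249 arp who-has chello085216165170.chello.sk tell chello085216160001.chello.sk",
    "18:31:31.313380 arp who-has chello085216164224.chello.sk tell chello085216163174.chello.sk",
    "18:31:31.313660 arp who-has chello085216165086.chello.sk tell chello085216163174.chello.sk",
] + [
    f"18:31:3{1 + i // 20}.{400000 + i * 10000:06d} arp who-has "
    f"chello0852161{60100 + i:05d}.chello.sk tell chello085216160001.chello.sk"
    for i in range(40)
] + [
    "18:31:35.000100 arp who-has chello085216166077.chello.sk tell chello085216166077.chello.sk",
    "18:31:36.000200 arp who-has 85.216.164.0 tell 85.216.164.0",
    "18:31:37.000300 IP 85.216.160.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300",
]


def parse_ts(ts):
    """Convert hh:mm:ss.ffffff to seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_requests(lines):
    """Return (timestamp, target, sender) for every ARP request line."""
    reqs = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            reqs.append((parse_ts(m["ts"]), m["target"], m["sender"]))
    return reqs


def analyze_arp(lines, peak_threshold=10):
    """Summarise who is asking, how hard, and who is asking about itself.

    peak_threshold is an assumed per-host requests-per-second limit; any
    sender that reaches it within some one-second bucket is reported as noisy.
    """
    reqs = parse_arp_requests(lines)
    totals = Counter()
    per_second = defaultdict(Counter)  # sender -> {whole second: count}
    self_requests = []
    for ts, target, sender in reqs:
        totals[sender] += 1
        per_second[sender][int(ts)] += 1
        if target == sender:  # gratuitous ARP / address announcement
            self_requests.append((ts, sender))
    peaks = {s: max(buckets.values()) for s, buckets in per_second.items()}
    noisy = sorted(s for s, p in peaks.items() if p >= peak_threshold)
    return {
        "requests": len(reqs),
        "totals": totals,
        "peak_per_second": peaks,
        "noisy_senders": noisy,
        "self_requests": self_requests,
    }


if __name__ == "__main__":
    result = analyze_arp(SAMPLE_DUMP)
    print(f"{result['requests']} ARP requests parsed")
    for sender, count in result["totals"].most_common():
        print(f"  {sender}: {count} total, peak {result['peak_per_second'][sender]}/s")
    print("noisy senders:", result["noisy_senders"])
    print("self-requests:", [s for _, s in result["self_requests"]])
```

Feed it a real capture with something like tcpdump -n -l arp | python3 script.py after swapping SAMPLE_DUMP for sys.stdin; the per-sender peak is the figure to compare against the subject line's "500x per second", and the self-requests list separates ordinary address announcements from the volume question.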



More information about the linux mailing list