[linux] [Fwd: Flood hack?? Strange behaviour // arp who-has 500x per second]

Jan Kunder jan.kunder at gmail.com
Tue Jan 3 23:15:58 CET 2006


Hi.

To add:
I would like to ask to what extent this behaviour is normal (chello 
light, cable):

2.1.2006 18:46:
(there is no up/down traffic from my side, except for the occasional 
NTP request(s))
summary for 10 seconds: 599
mine: 266
chello085216160001: 308
chello085216160001.chello.sk has address 85.216.160.1
chello085216163174: 16
chello217023241193: 6
chello085216165138: 2


$ tcpdump -v -i eth0 | igrep -v mojaIP | igrep -v chello085216160001 | 
igrep -v chello085216163174 | igrep -v chello217023241193 (perhaps a few 
more)    NOTHING == I am left in peace

JK



-------- Original Message --------
Subject: Flood hack?? Strange behaviour // arp who-has 500x per second
Date: Tue, 03 Jan 2006 23:14:02 +0100
From: Jan Kunder <jan.kunder at gmail.com>
Organization: Jan Kunder
To: linux at lists.linux.sk

Hi

I would like to ask about what is IMHO abnormal behaviour on the network.
I noticed it because the network card (read: the ETHERNET LED) on the
chello cable modem kept blinking!

In 10 seconds of observation (tcpdump), with no traffic/requests from
my side, I found this:
repeating nonstop:
18:31:31.294356 arp who-has chello085216166124.chello.sk tell
chello085216160001.chello.sk
18:31:31.301249 arp who-has chello085216165170.chello.sk tell
chello085216160001.chello.sk
18:31:31.313380 arp who-has chello085216164224.chello.sk tell
chello085216163174.chello.sk
18:31:31.313660 arp who-has chello085216165086.chello.sk tell
chello085216163174.chello.sk

The full 10-second dump (64kb):
http://tmp.kunder.sk/chello-arp_dhcp10-nonMY

Another dump lasting 2 minutes, taken an hour later (700KB):
http://tmp.kunder.sk/tcp+udp-dump-2006-01-02-nonMY
and the same, but with the Very Verbose (-vv) option:
http://tmp.kunder.sk/dump_VeryVerbose-2006-01-02-nonMY



Suspicious IPs (number of various, mostly arp-who, requests):
(note that the counts given are for 10 seconds!!)
chello085216160001: 308
chello085216160001.chello.sk has address 85.216.160.1

chello085216163174: 16
chello217023241193: 6
chello085216165138: 2


Besides that, this might be interesting for you (REQUESTs within the same
IP!):
19:38:29.885509 arp who-has chello085216166077.chello.sk tell
chello085216166077.chello.sk
19:38:29.923662 arp who-has chello085216166077.chello.sk tell
chello085216166077.chello.sk
19:38:30.924060 arp who-has chello085216166077.chello.sk tell
chello085216166077.chello.sk
19:41:47.585068 arp who-has 85.216.164.0 tell 85.216.164.0
19:41:48.512827 arp who-has 85.216.164.0 tell 85.216.164.0
19:42:53.681794 arp who-has chello217023241211.chello.sk tell
chello217023241211.chello.sk

Thanks


-- 
Jan Kunder
jan.kunderHATESPAMgmail.com


-- 
Jan Kunder
jan.kunderHATESPAMgmail.com
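
Added example, not part of the original message: one way to tally a tcpdump text capture like the one quoted above per requesting host, with the peak count in any 10-second window and the number of requests whose target equals the sender (gratuitous ARP). The function names, the constructed sample and the line-rejoining step are assumptions; the pattern matches only the non-verbose "arp who-has X tell Y" form shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample in the text format of the capture quoted above, including
# the mail client's wrapping of one packet across two lines.
SAMPLE = """\
18:31:31.294356 arp who-has chello085216166124.chello.sk tell
chello085216160001.chello.sk
18:31:31.301249 arp who-has chello085216165170.chello.sk tell
chello085216160001.chello.sk
19:41:47.585068 arp who-has 85.216.164.0 tell 85.216.164.0
19:41:48.512827 arp who-has 85.216.164.0 tell 85.216.164.0
19:42:53.000000 arp who-has 85.216.164.0 tell 85.216.164.0
"""

STAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
ARP = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) arp who-has (\S+) tell (\S+)$")

def rejoin(text):
    """Undo wrapping: a line without a leading timestamp continues the previous one."""
    packets = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if STAMP.match(line) or not packets:
            packets.append(line)
        else:
            packets[-1] += " " + line
    return packets

def peak(times, window):
    """Largest number of events inside any span of `window` seconds."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def summarize(text, window=10.0):
    """Per requesting host: total who-has, distinct targets, peak per window, self-ARPs."""
    seen = defaultdict(lambda: {"times": [], "targets": set(), "self_arp": 0})
    for m in filter(None, map(ARP.match, rejoin(text))):  # skip non-ARP lines
        h, mi, s, target, sender = m.groups()
        rec = seen[sender]
        rec["times"].append(int(h) * 3600 + int(mi) * 60 + float(s))
        rec["targets"].add(target)
        rec["self_arp"] += target == sender  # gratuitous ARP: asks for its own address
    return {host: {"total": len(r["times"]), "distinct_targets": len(r["targets"]),
                   "peak_per_window": peak(r["times"], window), "self_arp": r["self_arp"]}
            for host, r in seen.items()}
```

Timestamps are treated as seconds since midnight, so a capture that crosses midnight needs to be split first.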


