
Re: [users] MAC -> IP?



On Mon, 18 Jun 2001, MaD dUCK wrote:

> also sprach Sebastiaan (on Mon, 18 Jun 2001 02:45:35PM +0200):
> > The SRC is invalid, I only have 192.168.1.* network and a 212.127.*.* to
> > the internet (cable modem). I would like to know who is really doing this.
> > 
> > Does someone have any idea what is going on? Is this some kind of
> > attack?
> 
> can you tell us more about your network - i.e. configuration and ip
> addresses?
Of course: The (firewall)server has two network interfaces: eth1 connects
to the local network, 192.168.1.*. Its own IP is 192.168.1.3 (hostname
aluqah). Connected to that network are two computers yet.

To the other interface, eth0, a COM21 cable modem is connected. The IP of
eth0 is 212.127.242.126, MAC=00:05:02:AE:72:35. The cable modem has MAC
00:a0:73:25:12:34.

One thing that you might need to know is that my cable company, or ISP,
misconfigured the ARP cache of their servers, so I am flooded with ARP
requests continuously but they claim that it is normal. When I run iptraf
I see about 2000 hosts within an hour, all from my cable modem network
(212.127.*.*). I only receive some data from them, but I do not send
something back (well, my computer).

I am running 2.4.6-pre3 with iptables. I installed a script that I found
this morning from:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/adsl4linux/ADSL4Linux/ADSL4Linux/templates/firewall.iptables.devel?rev=HEAD&content-type=text/vnd.viewcvs-markup

It works well, as it looks, but it is far too big to explain in detail what
it is doing: blocks ports, takes care of trojan attacks, opens services,
etc.

With arp -n I only see the macs of my local interfaces.

Thanks in advance,
Sebastiaan

piece of syslog:
Jun 18 15:05:47 aluqah kernel: UDP Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:19:b0:8e:08:00 SRC=192.168.0.2 DST=255.255.255.255 LEN=176 TOS=0x00 PREC=0x00 TTL=128 ID=2147 PROTO=UDP SPT=1015 DPT=1015 LEN=156
Jun 18 15:05:51 aluqah kernel: UDP Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:19:b0:8e:08:00 SRC=192.168.0.2 DST=255.255.255.255 LEN=176 TOS=0x00 PREC=0x00 TTL=128 ID=2149 PROTO=UDP SPT=1015 DPT=1015 LEN=156
Jun 18 15:05:51 aluqah kernel: UDP Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:08:42:0d:08:00 SRC=212.127.128.183 DST=255.255.255.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=52736 PROTO=UDP SPT=2301 DPT=2301 LEN=220
Jun 18 15:05:54 aluqah kernel: UDP Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:19:b0:8e:08:00 SRC=192.168.0.2 DST=255.255.255.255 LEN=176 TOS=0x00 PREC=0x00 TTL=128 ID=2151 PROTO=UDP SPT=1015 DPT=1015 LEN=156
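
Added example, not part of the original message: on an Ethernet interface, the MAC= field written by the iptables LOG target is the 14-byte frame header (destination MAC, source MAC, EtherType). The Python code below splits that field and groups source IPs by sender MAC, flagging senders that used a private source address on the external interface; the function names are hypothetical, and the sample input is constructed from two entries of the syslog excerpt above, each joined onto one line.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: two entries from the syslog excerpt in the
# message, each joined onto a single line.
SAMPLE_LOG = """\
Jun 18 15:05:47 aluqah kernel: UDP Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:f0:19:b0:8e:08:00 SRC=192.168.0.2 DST=255.255.255.255 LEN=176 TOS=0x00 PREC=0x00 TTL=128 ID=2147 PROTO=UDP SPT=1015 DPT=1015 LEN=156
Jun 18 15:05:51 aluqah kernel: UDP Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:08:42:0d:08:00 SRC=212.127.128.183 DST=255.255.255.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=52736 PROTO=UDP SPT=2301 DPT=2301 LEN=220
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one log line, with MAC= split into parts."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first LEN (IP), not the UDP one
    octets = fields.get("MAC", "").split(":")
    if len(octets) != 14:              # not an Ethernet header dump
        return None
    # Ethernet header order: destination MAC, source MAC, EtherType
    fields["dst_mac"] = ":".join(octets[0:6])
    fields["src_mac"] = ":".join(octets[6:12])
    fields["ethertype"] = "".join(octets[12:14])
    return fields

def summarize(log_text, wan_if="eth0"):
    """Map each sender MAC seen on wan_if to the source IPs it used."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("IN") == wan_if and "SRC" in rec:
            seen[rec["src_mac"]].add(rec["SRC"])
    return {mac: sorted(ips) for mac, ips in seen.items()}

def private_senders(summary):
    """Sender MACs that used an RFC 1918 source address."""
    return sorted(mac for mac, ips in summary.items()
                  if any(ipaddress.ip_address(ip).is_private for ip in ips))

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for mac, ips in result.items():
        print(mac, ips)
    print("private-source senders:", private_senders(result))
```

The source MAC identifies the last layer-2 hop on the segment, so it names the sending machine only when that machine shares the broadcast domain with eth0.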


