LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-16-2005, 12:51 PM   #1   tom_from_van (Member)
'funny' dns & arp traffic


I am on the shaw @ home network. I notice a LOT of traffic (100 packets/sec) that is arp related and looks like the following:
10:44:11.510094 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 15558 NXDomain* 0/0/0 (43)
10:44:11.519472 IP S0106000b6a7905f1.vs.shawcable.net.32790 > 64.59.144.16.domain: 28078+ PTR? 226.93.86.24.in-addr.arpa. (43)
10:44:11.526119 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 28078 1/0/0 (91)
10:44:11.529535 IP S0106000b6a7905f1.vs.shawcable.net.32790 > 64.59.144.16.domain: 44936+ PTR? 50.67.86.24.in-addr.arpa. (42)
10:44:11.538923 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 44936 1/0/0 PTR[|domain]
10:44:11.539398 IP S0106000b6a7905f1.vs.shawcable.net.32790 > 64.59.144.16.domain: 64508+ PTR? 99.89.86.24.in-addr.arpa. (42)
10:44:11.558761 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 64508 1/0/0 PTR[|domain]
10:44:11.559169 IP S0106000b6a7905f1.vs.shawcable.net.32790 > 64.59.144.16.domain: 19264+ PTR? 118.71.86.24.in-addr.arpa. (43

which SEEMS like shaw's nameserver asking my system for info about addresses. Is that what is happening? Why is my system getting asked by shaw's nameserver about other IP addresses? Is there some kind of current exploit that uses arp traffic like LOKI uses icmp traffic to conceal data transmissions? 100 packets/second seems like an awful lot of arping going on!
On the other hand, I am far from a TCP/IP protocol suite guru, so as far as I know this is normal. One thing I notice is that all the IP addresses mentioned in these queries have the same first 2 octets --- only the last 2 octets vary.
 
Old 08-16-2005, 02:04 PM   #2   primo (Member)
Maybe I'm wrong, but all I see is DNS traffic... The .arpa domain is another thing and is used to find the name for an IP. For example: 226.93.86.24.in-addr.arpa. is used by DNS to return the name of 24.86.93.226 (yes, reversed).

Maybe you have a sniffer running that tries to look up the addresses it sees. A common trick to find a sniffer listening on a promiscuous interface is to ftp an IP and see the output of tcpdump in numeric mode (use the -n option) to avoid a DNS query. Use ftp.kernel.org's: 204.152.191.37 or 204.152.191.5
If you see a query for 37.191.152.204.in-addr.arpa then it would either be a sniffer, or your firewall is making these inverse queries for logging purposes.

Sniffers may run without promiscuous settings too, so you must check each machine with ifconfig (possibly from a live-CD to avoid a possibly trojaned binary/library/kernel).

Last edited by primo; 08-16-2005 at 02:06 PM.
 
Old 08-16-2005, 04:14 PM   #3   tom_from_van (Member, Original Poster)
You're right, it is DNS traffic, what I meant was --- 'why is all this dns traffic directed at my IP?' My box is a standalone system connected to a cable modem, and yet there's all this DNS query traffic going to it from shaw's (my provider) nameservers even when I'm not browsing, and I don't have any kind of servers running and I don't even have any IP connections related to web-browsing. If I want to learn the name associated with an IP, for instance when I go web-browsing or whatever, then I can understand that my system would ask shaw's nameserver for that info. But this is happening constantly, many times every second, when I'm not browsing, or FTPing or doing anything, and yet there is all this traffic.
I'm not sure I understand this sniffer thing. You mean I might have a trojan process running name-server lookups? Can you tell from what I've captured what is happening, exactly? Is that nameserver asking my system which web-name is associated with a certain numeric IP? Or is my system asking the nameserver for that info? Or what exactly is all this traffic that's directed at my system? And this is just the tcp stuff; when referring to udp, wow, then we're talking ARPs at the rate of a hundred a second, seriously!
14:09:21.309124 arp who-has 24.86.80.104 tell 24.86.80.1
14:09:21.309348 arp who-has 24.86.80.106 tell 24.86.80.1
14:09:21.309793 arp who-has 24.86.80.105 tell 24.86.80.1
14:09:21.310009 arp who-has 24.86.80.107 tell 24.86.80.1
14:09:21.310440 arp who-has 24.86.80.109 tell 24.86.80.1
14:09:21.310668 arp who-has 24.86.80.103 tell 24.86.80.1
14:09:21.312847 arp who-has 24.86.80.111 tell 24.86.80.1
14:09:21.313060 arp who-has 24.86.80.113 tell 24.86.80.1
14:09:21.313688 arp who-has 24.86.80.112 tell 24.86.80.1
14:09:21.314123 arp who-has 24.86.80.114 tell 24.86.80.1
14:09:21.314363 arp who-has 24.86.80.117 tell 24.86.80.1
Those are the arps. Below is some more of the mystery DNS-type traffic --- what the heck is all this about? I remember running a system attached to the shaw@home internet service a few years ago and there was nothing like all of this!
14:13:51.792442 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 32740 1/0/0 (91)
14:13:51.806190 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 21115+ PTR? 92.70.86.24.in-addr.arpa. (42)
14:13:51.818763 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 21115 1/0/0 PTR[|domain]
14:13:51.877272 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 4114+ PTR? 96.71.86.24.in-addr.arpa. (42)
14:13:51.891761 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 4114 1/0/0 PTR[|domain]
14:13:51.892152 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 53868+ PTR? 58.77.86.24.in-addr.arpa. (42)
14:13:51.900524 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 53868 1/0/0 PTR[|domain]
14:13:51.900985 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 39606+ PTR? 184.80.86.24.in-addr.arpa. (43)
14:13:51.908279 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 39606 NXDomain* 0/0/0 (43)
14:13:51.908683 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 30371+ PTR? 73.84.86.24.in-addr.arpa. (42)
14:13:51.916270 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 30371 1/0/0 PTR[|domain]
14:13:51.916605 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 50118+ PTR? 136.84.86.24.in-addr.arpa. (43)
14:13:51.947270 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 50118 1/0/0 (91)
14:13:51.947716 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 5701+ PTR? 29.65.86.24.in-addr.arpa. (42)
14:13:51.983340 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 5701 1/0/0 PTR[|domain]
14:13:51.983795 IP S0106000b6a7905f1.vs.shawcable.net.32806 > 64.59.144.16.domain: 61857+ PTR? 255.89.86.24.in-addr.arpa. (43)
14:13:52.010791 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32806: 61857 NXDomain* 0/0/0 (43)
 
Old 08-16-2005, 06:58 PM   #4   primo (Member)
It could be a problem with your ISP.

Try booting from a live-CD and run tcpdump again. If you see the same traffic then you must contact your ISP.

A sniffer is malware that captures the network traffic. Basically, they try to capture passwords and log this info to a file along with the server's IP and port. If they resolve these IPs, then they unconsciously generate DNS traffic.

I don't think this could be the problem now, because there's weird ARP traffic involved.
Is your IP in the same subnet as the IPs being scanned?
Perhaps you're seeing packets destined to other machines, and it could be a security problem because you could impersonate them.
 
Old 08-17-2005, 06:17 PM   #5   tom_from_van (Member, Original Poster)
I just compiled & ran snort (the ids app) and among other things, it says I'm getting this:

[**] DNS SPOOF query response with TTL of 1 min. and no authority [**]
08/17-11:38:54.954171 64.59.144.16:53 -> sanitized:32870
UDP TTL:62 TOS:0x0 ID:15971 IpLen:20 DgmLen:83 DF
Len: 55
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] DNS SPOOF query response with TTL of 1 min. and no authority [**]
08/17-11:50:10.446158 64.59.144.16:53 -> sanitized:32870
UDP TTL:62 TOS:0x0 ID:48893 IpLen:20 DgmLen:83 DF
Len: 55
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I know, "RTFM", but before I go spend the next couple days figuring this out, could you give me a super-quick, very basic idea as to what good it would do anyone to spoof a dns query response from my system?
 
Old 08-17-2005, 08:36 PM   #6   primo (Member)
It could be (at least) one of these things:

1- With DNS spoofing / DNS cache poisoning an attacker may impersonate any internet server's name with any IP address to redirect traffic to it. The attacker could steal your data by spoofing the web look and/or performing man-in-the-middle. If your banking site uses TLS/SSL and a certificate is stored, then the risk is minimized. Use iptables(8) to accept only "valid" DNS replies that match your DNS queries via connection tracking. Sometimes you'll see late replies so you could configure a timeout in /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout (default is 30 seconds). I'm currently running a caching-nameserver (bind). It talks directly to the root nameservers and gives me speed (because of caching), no dependence on my ISP and some privacy. But anyway the DNS protocol is essentially insecure. If some machines you access frequently have the same IP, you could add them to /etc/hosts and make sure your /etc/host.conf says:

    order hosts,bind
    multi on
    nospoof on
    spoofalert on

and /etc/nsswitch.conf has the following line:

    hosts: files dns

2- ARP cache poisoning is the same concept at the link-layer level. An attacker could impersonate any machine on your Ethernet segment to redirect traffic (even your ISP's nameserver in some cases) to another machine with a different MAC address.

3- A false positive from snort because your ISP's router is badly configured. The TTL is 62 (a usual default is 64) so a machine 2 hops away could be the problem. This TTL could be spoofed, though.


Try talking to them to see if it goes away. Tcpdump(1) has some more options to tell you more info. Use -v.
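Added example, not code from the thread: a small Python parser for the tcpdump lines quoted above that decodes in-addr.arpa names back to the IP they ask about (primo's point in #2 about reversed octets) and pairs each reply with the query it answers the way UDP connection tracking does (item 1 in #6, keyed on client port and transaction id with the 30 s default timeout mentioned there), so a reply that no query preceded stands out. The sample lines are copied from the thread plus one constructed reply (txid 9999).

```python
import re
# Matches one tcpdump DNS line: "<time> IP <src.port> > <dst.port>: <txid>[+] <rest>"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\d+)\+? (.*)$")

def reverse_ptr(name):
    """'226.93.86.24.in-addr.arpa.' -> '24.86.93.226' (PTR names carry the octets reversed)."""
    octets = re.sub(r"\.in-addr\.arpa\.?$", "", name).split(".")
    return ".".join(reversed(octets))

def parse(line):
    """Who sent this line, which transaction it belongs to, and which IP it asks about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, txid, rest = m.groups()
    shost, sport = src.rsplit(".", 1)   # tcpdump prints "host.port"; port 53 shows as "domain"
    dhost, dport = dst.rsplit(".", 1)
    is_query = dport == "domain"        # sent TO the nameserver: the local box is asking
    h, mnt, s = ts.split(":")
    ptr = re.search(r"PTR\? (\S+)", rest)
    return {"time": int(h) * 3600 + int(mnt) * 60 + float(s), "txid": int(txid),
            "query": is_query, "client_port": sport if is_query else dport,
            "nameserver": dhost if is_query else shost,
            "asks_about": reverse_ptr(ptr.group(1)) if ptr else None}

def match_replies(lines, timeout_s=30.0):
    """Pair replies with the query they answer, keyed like UDP conntrack (client port +
    transaction id, expiring after timeout_s); unmatched replies are returned separately."""
    pending, matched, unsolicited = {}, [], []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        key = (r["client_port"], r["txid"])
        if r["query"]:
            pending[key] = r["time"]
        elif key in pending and r["time"] - pending.pop(key) <= timeout_s:
            matched.append(key)
        else:
            unsolicited.append(key)   # spoofed, late, or its query fell outside the capture
    return matched, unsolicited

# Constructed sample: three lines copied from the thread plus one made-up reply (txid 9999)
# that no query preceded, which is what a spoofed answer looks like to the matcher.
SAMPLE = """\
10:44:11.510094 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 15558 NXDomain* 0/0/0 (43)
10:44:11.519472 IP S0106000b6a7905f1.vs.shawcable.net.32790 > 64.59.144.16.domain: 28078+ PTR? 226.93.86.24.in-addr.arpa. (43)
10:44:11.526119 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 28078 1/0/0 (91)
10:44:12.000000 IP 64.59.144.16.domain > S0106000b6a7905f1.vs.shawcable.net.32790: 9999 1/0/0 (91)
""".splitlines()
```

Note that the first sample reply (txid 15558) is also reported as unmatched simply because its query was sent before the capture started, which is why a single unmatched reply is a prompt to look closer rather than proof of spoofing.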
 
Old 08-27-2005, 09:50 PM   #7   tom_from_van (Member, Original Poster)
Thanks guys.

Thanks, Pedro. I put those lines in my DNS config files, and when I'm all done with this (when I know the full meaning of each line of output from tcpdump set to grep for DNS stuff) I'll probably end up with a DNS system configured similarly to how you describe yours as being configured. I hard-coded Red Hat's domain into the DNS hosts file to secure (somewhat) my downloading of updates, etc.
Clearly, to fully understand all of the implications involved (with the config changes) I'll need to do some more homework on DNS (and iptables) but that's OK, that's why I got involved with Linux to begin with, because I like taking things apart and figuring them out and Microsoft's products are designed to stop that from happening.
 