Old 08-16-2005, 12:51 PM   #1
'funny' dns & arp traffic

I am on the shaw @ home network. I notice a LOT of traffic (100 packets/sec) that is arp related and looks like the following:
10:44:11.510094 IP > 15558 NXDomain* 0/0/0 (43)
10:44:11.519472 IP > 28078+ PTR? (43)
10:44:11.526119 IP > 28078 1/0/0 (91)
10:44:11.529535 IP > 44936+ PTR? (42)
10:44:11.538923 IP > 44936 1/0/0 PTR[|domain]
10:44:11.539398 IP > 64508+ PTR? (42)
10:44:11.558761 IP > 64508 1/0/0 PTR[|domain]
10:44:11.559169 IP > 19264+ PTR? (43

which SEEMS like shaw's nameserver asking my system for info about addresses. Is that what is happening? Why is my system getting asked by shaw's nameserver about other IP addresses? Is there some kind of current exploit that uses arp traffic like LOKI uses icmp traffic to conceal data transmissions? 100 packets/second seems like an awful lot of arping going on!
On the other hand, I am far from a TCP/IP protocol suite guru, so as far as I know this is normal. One thing I notice is that all the IP addresses mentioned in these queries have the same first 2 octets --- only the last 2 octets vary.
Old 08-16-2005, 02:04 PM   #2
Maybe I'm wrong, but all I see is DNS traffic... The .arpa domain is another thing and is used to find the name for an IP. For example: is used by DNS to return the name of (yes, reversed).

Maybe you have a sniffer running that tries to look up the addresses it sees. A common trick to find a sniffer listening on a promiscuous interface is to ftp an IP and see the output of tcpdump in numeric mode (use the -n option) to avoid a DNS query. Use's: or
If you see a query for then it would either be a sniffer, or your firewall is making these inverse queries for logging purposes.

Sniffers may run without promiscuous settings too, so you must check each machine with ifconfig (possibly from a live-CD to avoid a possibly trojaned binary/library/kernel).

Last edited by primo; 08-16-2005 at 02:06 PM.
Old 08-16-2005, 04:14 PM   #3
Original Poster
You're right, it is DNS traffic. What I meant was --- 'why is all this DNS traffic directed at my IP?' My box is a standalone system connected to a cable modem, and yet there's all this DNS query traffic going to it from shaw's (my provider) nameservers even when I'm not browsing, and I don't have any kind of servers running and I don't even have any IP connections related to web-browsing. If I want to learn the name associated with an IP, for instance when I go web-browsing or whatever, then I can understand that my system would ask shaw's nameserver for that info. But this is happening constantly, many times every second, when I'm not browsing, or FTPing or doing anything, and yet there is all this traffic.
I'm not sure I understand this sniffer thing. You mean I might have a trojan process running name-server lookups? Can you tell from what I've captured what is happening, exactly? Is that nameserver asking my system which web-name is associated with a certain numeric IP? Or is my system asking the nameserver for that info? Or what exactly is all this traffic that's directed at my system? And this is just the tcp stuff; when referring to udp, wow, then we're talking ARPs at the rate of a hundred a second, seriously!
14:09:21.309124 arp who-has tell
14:09:21.309348 arp who-has tell
14:09:21.309793 arp who-has tell
14:09:21.310009 arp who-has tell
14:09:21.310440 arp who-has tell
14:09:21.310668 arp who-has tell
14:09:21.312847 arp who-has tell
14:09:21.313060 arp who-has tell
14:09:21.313688 arp who-has tell
14:09:21.314123 arp who-has tell
14:09:21.314363 arp who-has tell
Those are the arps. Below is some more of the mystery DNS-type traffic --- what the heck is all this about? I remember running a system attached to the shaw@home internet service a few years ago and there was nothing like all of this!
14:13:51.792442 IP > 32740 1/0/0 (91)
14:13:51.806190 IP > 21115+ PTR? (42)
14:13:51.818763 IP > 21115 1/0/0 PTR[|domain]
14:13:51.877272 IP > 4114+ PTR? (42)
14:13:51.891761 IP > 4114 1/0/0 PTR[|domain]
14:13:51.892152 IP > 53868+ PTR? (42)
14:13:51.900524 IP > 53868 1/0/0 PTR[|domain]
14:13:51.900985 IP > 39606+ PTR? (43)
14:13:51.908279 IP > 39606 NXDomain* 0/0/0 (43)
14:13:51.908683 IP > 30371+ PTR? (42)
14:13:51.916270 IP > 30371 1/0/0 PTR[|domain]
14:13:51.916605 IP > 50118+ PTR? (43)
14:13:51.947270 IP > 50118 1/0/0 (91)
14:13:51.947716 IP > 5701+ PTR? (42)
14:13:51.983340 IP > 5701 1/0/0 PTR[|domain]
14:13:51.983795 IP > 61857+ PTR? (43)
14:13:52.010791 IP > 61857 NXDomain* 0/0/0 (43)
Old 08-16-2005, 06:58 PM   #4
It could be a problem with your ISP.

Try booting from a live-CD and run tcpdump again. If you see the same traffic then you must contact your ISP.

A sniffer is malware that captures the network traffic. Basically, they try to capture passwords and log this info to a file along with the server's IP and port. If they resolve these IPs, then they unconsciously generate DNS traffic.

I don't think this could be the problem now, because there's weird ARP traffic involved.
Is your IP in the same subnet as the IP's being scanned?
Perhaps you're seeing packets destined to other machines, and it could be a security problem because you could impersonate them.
Old 08-17-2005, 06:17 PM   #5

Original Poster
I just compiled & ran snort (the ids app) and among other things, it says I'm getting this:

[**] DNS SPOOF query response with TTL of 1 min. and no authority [**]
08/17-11:38:54.954171 -> sanitized:32870
UDP TTL:62 TOS:0x0 ID:15971 IpLen:20 DgmLen:83 DF
Len: 55

[**] DNS SPOOF query response with TTL of 1 min. and no authority [**]
08/17-11:50:10.446158 -> sanitized:32870
UDP TTL:62 TOS:0x0 ID:48893 IpLen:20 DgmLen:83 DF
Len: 55

I know, "RTFM", but before I go spend the next couple days figuring this out, could you give me a super-quick, very basic idea as to what good it would do anyone to spoof a dns query response from my system?
Old 08-17-2005, 08:36 PM   #6
It could be (at least) one of these things:

1- With DNS spoofing / DNS cache poisoning an attacker may impersonate any internet server's name with any IP address to redirect traffic to it. The attacker could steal your data by spoofing the web look and/or performing man-in-the-middle. If your banking site uses TLS/SSL and a certificate is stored, then the risk is minimized. Use iptables(8) to accept only "valid" DNS replies that match your DNS queries via connection tracking. Sometimes you'll see late replies so you could configure a timeout in /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout (default is 30 seconds). I'm currently running a caching-nameserver (bind). It talks directly to the root nameservers and gives me speed (because of caching), no dependence on my ISP and some privacy. But anyway the DNS protocol is essentially insecure. If some machines you access frequently have the same IP, you could add them to /etc/hosts and make sure your /etc/host.conf says:
order hosts,bind
multi on
nospoof on
spoofalert on
and /etc/nsswitch.conf has the following line:
hosts: files dns
2- ARP cache poisoning is the same concept at the link-layer level. An attacker could impersonate any machine on your Ethernet segment to redirect traffic (even your ISP's nameserver in some cases) to another machine with a different MAC address.

3- A false positive from snort because your ISP's router is badly configured. The TTL is 62 (a usual default is 64) so a machine 2 hops away could be the problem. This TTL could be spoofed, though.

Try talking to them to see if it goes away. Tcpdump(1) has some more options to tell you more info. Use -v.
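The reply-matching that the post recommends doing with iptables connection tracking can also be applied offline to a tcpdump capture, which makes it easier to see which replies a firewall rule like that would have dropped. This is an added example, not code from the thread: it parses tcpdump's default line format, remembers every outgoing query by client address/port, server and transaction id, and flags replies that match no outstanding query or arrive after the 30-second window mentioned above. All addresses, names and timestamps in SAMPLE are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed tcpdump lines (made-up addresses): a host at 10.0.0.5 sends
# reverse (PTR) queries to its ISP's resolver 64.59.144.16. One reply comes
# from an address that was never queried, one answers a query that was never
# sent, and one arrives well after the 30-second conntrack window.
SAMPLE = """\
10:44:11.519472 IP 10.0.0.5.32870 > 64.59.144.16.53: 28078+ PTR? 16.144.59.64.in-addr.arpa. (43)
10:44:11.526119 IP 64.59.144.16.53 > 10.0.0.5.32870: 28078 1/0/0 PTR ns.example.net. (91)
10:44:11.529535 IP 10.0.0.5.32870 > 64.59.144.16.53: 44936+ PTR? 9.8.7.6.in-addr.arpa. (42)
10:44:11.538923 IP 198.51.100.7.53 > 10.0.0.5.32870: 44936 1/0/0 PTR host.example. (90)
10:44:11.539398 IP 10.0.0.5.32870 > 64.59.144.16.53: 64508+ PTR? 1.2.0.192.in-addr.arpa. (42)
10:44:11.559169 IP 64.59.144.16.53 > 10.0.0.5.32870: 19264 NXDomain* 0/0/0 (43)
10:44:50.100000 IP 64.59.144.16.53 > 10.0.0.5.32870: 64508 1/0/0 PTR late.example. (90)
"""

# timestamp, src host.port, dst host.port, DNS transaction id (a trailing
# '+' marks a query with recursion desired); the rest of the line is ignored.
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (\d+)\+? ")


def audit_replies(capture: str, timeout: float = 30.0) -> List[Tuple[str, str]]:
    """Classify each DNS reply as 'ok', 'unsolicited' or 'late'.

    'ok' means the same client address/port sent a query with this transaction
    id to the replying server within `timeout` seconds, which is exactly the
    relationship conntrack's ESTABLISHED match enforces for UDP.
    """
    pending: Dict[Tuple[str, int, str, int], float] = {}
    verdicts: List[Tuple[str, str]] = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + float(m.group(3))
        src, sport, dst, dport = m.group(4), int(m.group(5)), m.group(6), int(m.group(7))
        qid = int(m.group(8))
        if dport == 53:                       # outbound query: remember it
            pending[(src, sport, dst, qid)] = t
        elif sport == 53:                     # inbound reply: must match one
            sent = pending.pop((dst, dport, src, qid), None)
            if sent is None:
                verdicts.append(("unsolicited", line))
            elif t - sent > timeout:
                verdicts.append(("late", line))
            else:
                verdicts.append(("ok", line))
    return verdicts
```

Running `audit_replies(SAMPLE)` marks the reply from 198.51.100.7 and the stray 19264 answer as unsolicited and the 64508 answer as late; raising `timeout` lets the late one through, which is the trade-off the ip_conntrack_udp_timeout setting controls.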
Old 08-27-2005, 09:50 PM   #7

Original Poster
thanks guys.

Thanks, Pedro. I put those lines in my DNS config files, and when I'm all done with this (when I know the full meaning of each line of output from tcpdump set to grep for DNS stuff) I'll probably end up with a DNS system configured similarly to how you describe yours as being configured. I hard-coded Red Hat's domain into the DNS hosts file to secure (somewhat) my downloading of updates, etc.
Clearly, to fully understand all of the implications involved (with the config changes) I'll need to do some more homework on DNS (and iptables), but that's OK, that's why I got involved with Linux to begin with, because I like taking things apart and figuring them out and Microsoft's products are designed to stop that from happening.

