LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-03-2006, 01:19 PM   #1
ddaas
Location: Romania
arp attack or something like this


Hi,
On my server, there are a lot of arp packets and I don't understand what happens. The server is connected only to the Internet, so there is no LAN and there should be no arp packets, or eventually only a few between the server and a gateway or something.

With tcpdump I get (many packets per second):
Quote:
21:19:19.508302 arp who-has 193.25.113.213 tell 193.25.113.193
21:19:19.531309 arp who-has 193.25.113.113 tell 193.25.113.65
21:19:19.550300 arp who-has 81.180.134.54 tell 81.180.134.1
21:19:19.628294 arp who-has 194.117.236.220 tell 194.117.236.1
21:19:19.789273 arp who-has 193.25.113.222 tell 193.25.113.193
21:19:20.047249 arp who-has 81.180.134.87 tell 81.180.134.1
21:19:20.072234 arp who-has 81.180.134.143 tell 81.180.134.1
21:19:20.075234 arp who-has 81.180.134.137 tell 81.180.134.1
21:19:20.322212 arp who-has 194.176.188.169 tell 194.176.188.129
21:19:20.449191 arp who-has 81.180.134.77 tell 81.180.134.1
This is some type of arp ddos or something...

Could anyone help me discover what happens?
How can I block arp with iptables (it is below ip and the ip rules don't affect arp)?
What script is behind this (if it is any)?

Thanks
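A first triage of a capture like the one above: who is asking (the "tell" address), how many distinct hosts each asker looks up, whether anyone asks about addresses outside its own segment, and whether any IP is answered by more than one MAC (the pattern arpwatch reports as a flip-flop). This is an added example, not code posted in this thread. The benign sample only reproduces the shape of the poster's tcpdump lines; the suspect sample, every MAC address and the sweep threshold are constructed for illustration.

```python
"""Triage of tcpdump ARP output: who is asking, for how many targets, and
whether any IP is claimed by more than one MAC.

Added example for this thread, not code posted by anyone in it. The benign
sample reproduces the shape of the poster's capture; the suspect sample and
all MAC addresses are constructed, and the sweep threshold is illustrative.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the same shape as the poster's tcpdump lines, plus one
# constructed reply line (tcpdump prints replies as "arp reply X is-at MAC").
SAMPLE_BENIGN = """\
21:19:19.508302 arp who-has 193.25.113.213 tell 193.25.113.193
21:19:19.531309 arp who-has 193.25.113.113 tell 193.25.113.65
21:19:19.550300 arp who-has 81.180.134.54 tell 81.180.134.1
21:19:19.628294 arp who-has 194.117.236.220 tell 194.117.236.1
21:19:19.789273 arp who-has 193.25.113.222 tell 193.25.113.193
21:19:20.047249 arp who-has 81.180.134.87 tell 81.180.134.1
21:19:20.072234 arp who-has 81.180.134.143 tell 81.180.134.1
21:19:20.075234 arp who-has 81.180.134.137 tell 81.180.134.1
21:19:20.322212 arp who-has 194.176.188.169 tell 194.176.188.129
21:19:20.449191 arp who-has 81.180.134.77 tell 81.180.134.1
21:19:20.612000 arp reply 81.180.134.87 is-at 00:11:22:33:44:55
"""

# Constructed suspect capture: one host asking for 60 neighbours within a
# second, and one IP answered by two different MACs (an arpwatch "flip-flop").
SAMPLE_SUSPECT = "\n".join(
    [f"21:20:00.{i:06d} arp who-has 10.0.0.{i} tell 10.0.0.77" for i in range(1, 61)]
    + ["21:20:01.000000 arp reply 10.0.0.1 is-at 00:11:22:33:44:55",
       "21:20:02.000000 arp reply 10.0.0.1 is-at de:ad:be:ef:00:01"]
)

WHO_HAS = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
IS_AT = re.compile(r"^(\S+) arp reply (\S+) is-at (\S+)$")


def parse_arp(capture):
    """Split a capture into request tuples (ts, asker, target) and reply tuples (ts, ip, mac)."""
    requests, replies = [], []
    for raw in capture.splitlines():
        line = raw.strip()
        m = WHO_HAS.match(line)
        if m:
            ts, target, asker = m.groups()   # tcpdump order: who-has <target> tell <asker>
            requests.append((ts, asker, target))
            continue
        m = IS_AT.match(line)
        if m:
            replies.append(m.groups())
    return requests, replies


def requesters(requests):
    """Number of distinct targets each 'tell' address asked about."""
    targets = defaultdict(set)
    for _ts, asker, target in requests:
        targets[asker].add(target)
    return {asker: len(t) for asker, t in targets.items()}


def same_slash24(a, b):
    # Assumption: a /24 is a reasonable proxy for "same local segment" here.
    return ip_address(a) in ip_network(f"{b}/24", strict=False)


def find_anomalies(requests, replies, sweep_threshold=50):
    """Return (kind, detail) findings; an empty list means nothing stood out."""
    findings = []
    per_asker = defaultdict(set)
    for _ts, asker, target in requests:
        per_asker[asker].add(target)
        if not same_slash24(asker, target):
            findings.append(("cross-subnet", f"{asker} asked for {target}"))
    for asker, targets in per_asker.items():
        if len(targets) >= sweep_threshold:
            findings.append(("sweep", f"{asker} asked for {len(targets)} distinct hosts"))
    macs_by_ip = defaultdict(set)
    for _ts, ip, mac in replies:
        macs_by_ip[ip].add(mac.lower())
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("flip-flop", f"{ip} claimed by {sorted(macs)}"))
    return findings


if __name__ == "__main__":
    for name, capture in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        reqs, reps = parse_arp(capture)
        print(f"{name}: {len(reqs)} requests from {len(requesters(reqs))} askers")
        for kind, detail in find_anomalies(reqs, reps):
            print(f"  {kind}: {detail}")
```

Run against the thread-style sample it reports five askers, each looking up a handful of neighbours on its own /24, and no findings; that is what a shared cable segment looks like. Feed it a real capture (`tcpdump -n arp`) and the sweep and flip-flop checks are the two signals worth alerting on.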
 
Old 04-03-2006, 04:06 PM   #2
brianthegreat
Well, if your firewall is set up right then you will not have to worry.

I did a whois and those ips are coming from overseas but the whois command can be tricky considering spoofing and all of the other things you can do.

I would download and install chkrootkit and see if there are any issues with your box.

Since I have never seen an attack of this nature, a good google search could possibly help you.

---------------------------------

whois 193.25.113.213
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-pr...-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.25.112.0 - 193.25.113.255'

inetnum: 193.25.112.0 - 193.25.113.255
netname: SC-ETP-CONSULTING-SRL
descr: SC ETP Consulting SRL
country: RO
admin-c: RC1967-RIPE
tech-c: RC1967-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: ETP-MNT
mnt-routes: ETP-MNT
mnt-domains: ETP-MNT
source: RIPE # Filtered

person: Razvan Cojocaru
address: Zambilelor 62-64
phone: +40-21-2423201
fax-no: +40-21-2423201
e-mail: jester@etp.ro
nic-hdl: RC1967-RIPE
mnt-by: ETP-MNT
source: RIPE # Filtered

% Information related to '193.25.113.0/24AS31244'

route: 193.25.113.0/24
descr: ETP
origin: AS31244
mnt-by: ETP-MNT
source: RIPE # Filtered

---------------------------------------

whois 81.180.134.87
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-pr...-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '81.180.134.0 - 81.180.134.255'

inetnum: 81.180.134.0 - 81.180.134.255
netname: SC-ETP-CONSULTING-SRL
descr: SC ETP Consulting SRL
descr: Zambilelor 62-64, Bucuresti, Romania
country: ro
admin-c: SG1722-RIPE
tech-c: RC1967-RIPE
status: ASSIGNED PA
mnt-by: AS3233-MNT
mnt-lower: AS3233-MNT
mnt-routes: AS8708-MNT
source: RIPE # Filtered

person: Sorin Gherghe
address: Zambilelor 62-64
phone: +40-21-2423201
fax-no: +40-21-2423201
e-mail: sorin@etp.ro
nic-hdl: SG1722-RIPE
mnt-by: ETP-MNT
source: RIPE # Filtered

person: Razvan Cojocaru
address: Zambilelor 62-64
phone: +40-21-2423201
fax-no: +40-21-2423201
e-mail: jester@etp.ro
nic-hdl: RC1967-RIPE
mnt-by: ETP-MNT
source: RIPE # Filtered

% Information related to '81.180.128.0/19AS8708'

route: 81.180.128.0/19
descr: RDSNET
origin: AS8708
mnt-by: AS8708-MNT
source: RIPE # Filtered

----------------------------------------

whois 193.25.113.193
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-pr...-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.25.112.0 - 193.25.113.255'

inetnum: 193.25.112.0 - 193.25.113.255
netname: SC-ETP-CONSULTING-SRL
descr: SC ETP Consulting SRL
country: RO
admin-c: RC1967-RIPE
tech-c: RC1967-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: ETP-MNT
mnt-routes: ETP-MNT
mnt-domains: ETP-MNT
source: RIPE # Filtered

person: Razvan Cojocaru
address: Zambilelor 62-64
phone: +40-21-2423201
fax-no: +40-21-2423201
e-mail: jester@etp.ro
nic-hdl: RC1967-RIPE
mnt-by: ETP-MNT
source: RIPE # Filtered

% Information related to '193.25.113.0/24AS31244'

route: 193.25.113.0/24
descr: ETP
origin: AS31244
mnt-by: ETP-MNT
source: RIPE # Filtered

 
Old 04-03-2006, 04:10 PM   #3
int0x80
My guess is you're attached to a poorly configured switch. Do you know much about the network this machine is attached to?
 
Old 04-03-2006, 04:40 PM   #4
brianthegreat
He has to do the tracing and whois commands because I'm probably located on a totally different network.

After you do your tracing and whois commands and export your log, report the log, traces, and whois output to your ISP.

But spoofing can be an issue.

 
Old 04-04-2006, 12:12 AM   #5
Capt_Caveman
What type of internet connection do you have? If it's some type of shared subscriber line like cable, then you'd likely expect to see lots of network traffic, esp. arp. The fact that all the lookups are originating from a handful of systems makes that seem likely.

There actually is an arptables/ebtables tool for writing firewall rules specifically for arp. There are also several tools (arpwatch, arpstar) for detecting malicious arp traffic.
 
Old 04-04-2006, 02:04 AM   #6
ddaas (Original Poster)
Yes, the box is connected using a CaTV line.
So, you say these packets are normal.
I will try to see what arptables does.
I don't think arpwatch is useful here, because the server is not connected to any LAN or something like this.

Thanks
 
Old 04-04-2006, 09:13 AM   #7
nx5000
There is a standard, I think it's called Docsis, that defines new cable infrastructure. (Depending on your modem and your isp you have a secure one.)
Haven't read it, but I think it's quite common to have these arp; I just thought some would be filtered by a switch at your isp.
 
Old 04-04-2006, 11:56 AM   #8
brianthegreat
I thought you were located in the US. It's a totally different ballgame trying to troubleshoot this from the States because the routing tables can change, and did after doing another trace.

I would trace out these ips and find out where they are located, then probably contact your ISP after that, but you have to remember that people do probe a lot, which could be a reason for seeing this type of traffic. Something on the network could have been on the fritz, sending arp packages everywhere.

Do you have a friend who has the same entries in his log? Like I said, this might not be a big deal.
 
Old 04-04-2006, 01:18 PM   #9
theNbomr
brianthegreat, you are confusing the higher level 'whois' service with a normal part of arp, Address Resolution Protocol.

The arp protocol is used to translate a known IP into a MAC layer address. This is used to send traffic to a specific node on a local network. The original poster is connected to a 'LAN', that is composed of a few dozens or hundreds of his neighbours that are sharing the cable supplied by his ISP. This is a standard part of TCP/IP. ARP packets are sent as broadcasts, which is why you are seeing them.

You can see what MAC addresses are known to your IP stack at any time by typing the 'arp' command. The accumulated table of MACs vs IPs will be displayed. If you are alarmed by seeing foreign arp traffic, you will have to put a router between your server and 'the internet' (which is actually a LAN owned by the ISP). The ARP traffic will then be stopped at the 'internet' side of the router, although it's never going to go away.

There are many online resources that can give a detailed explanation of the workings of ARP.

--- rod.
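To make the point above concrete (an ARP request is sent to the Ethernet broadcast address, so every host on the shared segment receives it, while the reply goes back as a unicast frame), here is an added example that builds raw Ethernet/ARP frames, parses them back, and renders them in tcpdump's wording. It is not code from this thread or from any of its posters; the MAC addresses are made up, and the IPs reuse the first line of the poster's capture.

```python
"""Build and parse raw Ethernet/ARP frames (RFC 826 layout over Ethernet II).

Added example for this thread, not code from it. MAC addresses below are
constructed; the IPs are taken from the first line of the poster's capture.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=ZERO_MAC):
    """Return a 42-byte frame: 14-byte Ethernet header + 28-byte ARP body.

    A request does not yet know the target's MAC, so the frame is addressed
    to ff:ff:ff:ff:ff:ff and every station on the segment sees it. A reply is
    addressed to the asker's MAC and travels as unicast.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet/ARP frame into a dict; raise ValueError if it is not one."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "eth_dst": mac_str(eth_dst),
        "eth_src": mac_str(eth_src),
        "op": op,
        "sha": mac_str(frame[22:28]),            # sender hardware address
        "spa": str(IPv4Address(frame[28:32])),   # sender protocol address
        "tha": mac_str(frame[32:38]),            # target hardware address
        "tpa": str(IPv4Address(frame[38:42])),   # target protocol address
        "broadcast": mac_str(eth_dst) == BROADCAST_MAC,
    }


def tcpdump_style(frame):
    """Render a frame the way 'tcpdump -n arp' prints it."""
    p = parse_arp_frame(frame)
    if p["op"] == ARP_REQUEST:
        return f"arp who-has {p['tpa']} tell {p['spa']}"
    if p["op"] == ARP_REPLY:
        return f"arp reply {p['spa']} is-at {p['sha']}"
    return f"arp op {p['op']}"


if __name__ == "__main__":
    # Constructed MACs; IPs from the first line of the poster's capture.
    req = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "193.25.113.193", "193.25.113.213")
    rep = build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "193.25.113.213",
                    "193.25.113.193", target_mac="00:11:22:33:44:55")
    for f in (req, rep):
        p = parse_arp_frame(f)
        print(f"{tcpdump_style(f)}  (eth_dst={p['eth_dst']}, broadcast={p['broadcast']})")
```

The request/reply asymmetry is why a capture on a shared segment is full of who-has lines but few is-at lines: you receive every neighbour's broadcast question, but only the answers addressed to your own MAC.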
 
Old 04-04-2006, 09:43 PM   #10
Capt_Caveman
Quote:
Originally Posted by ddaas
Yes the box is connected using a CaTV line.
Many cable networks are configured in such a way that all the cable users in your neighborhood are literally sharing a connection as if it were a LAN (as theNbomr described) and can therefore see each other's traffic. In some cases the cable modem will filter out all the unicast traffic that isn't directed at you, but will still allow the broadcast traffic through (which includes arp). In other cases you can actually observe entire data streams.
All times are GMT -5.