LinuxQuestions.org
Old 08-20-2014, 01:41 AM   #1
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 487
Blog Entries: 13

Rep: Reputation: 47

I've an internet connection to my ISP over something like (but not exactly) a hyperlan2 wireless link (the antenna understands pppoe), a homebrew WRAP based on this article that I wrote myself.
In short I've wlan0 and eth0 bridged to handle local traffic (192.168.1.1/24) and eth1 dedicated for the pppoe link and firewall for masquerading outbound traffic and basic protection.
Bundled with internet my ISP gives me VOIP at an interesting rate (at least that holds true in my country but not for everywhere in the world). I was not told much about that. The antenna kit comes with a POE injector that has 4 plugs: power plug, ARJ45 that goes to antenna (ODU), ARJ45 for PPPOE and RJ11 for the phone (the power injector box does the VOIP stuff using unspecified protocol {SIP or god knows what else}). The label in the back of the POE injector says "Airstrema 4001".

Lately I've been noticing that the antenna crashes, breaking my internet link status too often. Sometimes I have to restart pppoe connection several times over short periods and at other times the link may stay up for a week or so.
The alternating periods ring a bell in my head that someone may be trying to hack into my home network and causing the antenna to crash.

I don't know much about the antenna itself: it was installed by ISP and all I was told is that it understands pppoe so the only thing I can do is look for suspicious stuff arriving at my router ... and indeed I find some odd stuff arriving at my router:
here's the arp table cache stripped from the stuff coming from br0
Code:
? (192.168.1.49) at 6c:62:6d:00:8d:27 [ether] on eth1
? (192.168.1.22) at 00:0c:42:be:91:54 [ether] on eth1
? (192.168.1.30) at 80:c1:6e:e9:a8:77 [ether] on eth1
? (169.254.99.0) at 00:1b:fc:e4:99:31 [ether] on eth1
? (192.168.1.108) at 20:89:84:83:74:0c [ether] on eth1
? (192.168.1.55) at 10:fe:ed:a0:36:25 [ether] on eth1
? (192.168.1.130) at 00:21:5d:1a:07:3a [ether] on eth1
? (169.254.48.158) at 88:ae:1d:f6:6c:82 [ether] on eth1
? (192.168.1.36) at 00:17:a4:17:af:b6 [ether] on eth1
? (192.168.1.117) at 44:87:fc:a5:4c:b3 [ether] on eth1
? (192.168.1.48) at d8:9d:67:c7:30:23 [ether] on eth1
Now how is it that those IP addresses make their way into my router's arp cache? And moreover, how is it that those IP addresses belonging to private network addressing are reaching me from a WAN connection?

Should I be asking the same questions to the ISP?

I did a bit of extra research and it appears likely that my antenna uses a proprietary protocol EOLOWave (it boasts about getting the best from hyperlan2, wimax and LTE, taking out all the stuff not needed for static wireless links and achieving fantastic latency along with 4 times the spectral efficiency of hyperlan2).
Not sure if this is any help though!

I got back to work and showed my question to a colleague in the NOC group and he told me that probably those are due to arp announcements/requests reaching my antenna from other antennae connected to the same BTS ... and I get to see them on my router because pppoe works between layer 2 and 3.
That could be good for explaining how the MACs get in my router's arp cache but it's still not satisfactory as to why other antennae should be sending arp announcements/requests on a WAN link with private subnet IP?
Maybe misconfiguration on the other link side? Or is it malicious intent?

Last edited by unSpawn; 08-21-2014 at 06:54 PM. Reason: //Retain 0-reply state
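
The check described in the post, as an added example that is not part of the original post: it parses `arp -an` style output and reports neighbours learned on the WAN-side interface whose addresses are private (RFC 1918) or link-local (169.254.0.0/16), noting whether they fall inside the LAN subnet. The interface name `eth1` and the subnet 192.168.1.0/24 come from the post; the function names, the `br0` line and the 203.0.113.1 line are constructed for illustration.

```python
import ipaddress
import re

# Line format printed by `arp -an`, as in the listing in the post.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) \[ether\] on (?P<dev>\S+)"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 autoconfiguration
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First three lines are taken from the post; the last two are constructed.
SAMPLE_ARP = """
? (192.168.1.49) at 6c:62:6d:00:8d:27 [ether] on eth1
? (169.254.99.0) at 00:1b:fc:e4:99:31 [ether] on eth1
? (192.168.1.22) at 00:0c:42:be:91:54 [ether] on eth1
? (192.168.1.10) at 02:00:00:00:00:01 [ether] on br0
? (203.0.113.1) at 02:00:00:00:00:02 [ether] on eth1
"""

def classify(ip):
    """Return 'link-local', 'private' or 'public' for an IPv4 address string."""
    addr = ipaddress.ip_address(ip)
    if addr in LINK_LOCAL:
        return "link-local"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"

def wan_side_strays(arp_output, wan_if="eth1", lan_net="192.168.1.0/24"):
    """List non-public neighbours learned on the WAN-side interface."""
    lan = ipaddress.ip_network(lan_net)
    findings = []
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m["dev"] != wan_if:
            continue  # skips blank lines, <incomplete> entries and LAN-side hosts
        kind = classify(m["ip"])
        if kind != "public":
            findings.append({"ip": m["ip"], "mac": m["mac"].lower(), "kind": kind,
                             "overlaps_lan": ipaddress.ip_address(m["ip"]) in lan})
    return findings

if __name__ == "__main__":
    for entry in wan_side_strays(SAMPLE_ARP):
        print(entry)
```

Running it periodically and keeping the output gives a record of which MAC addresses appear on the WAN side and when, which is concrete material to hand to the ISP.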