Re: arplookup 10.0.0.68 failed: host is not on local network
- From: Andriy Gapon <avg@xxxxxxxxxxx>
- Date: Mon, 07 Apr 2008 22:30:06 +0300
on 07/04/2008 15:59 Bill Moran said the following:
> In response to Andriy Gapon <avg@xxxxxxxxxxx>:
>> My message log is spammed with thousands of messages like the ones quoted
>> below, to the extent that this could be considered some form of an attack.
>> kernel: arplookup 10.0.0.68 failed: host is not on local network
>> kernel: arplookup 10.0.0.6 failed: host is not on local network
>> kernel: arplookup 10.0.0.68 failed: host is not on local network
>> kernel: arplookup 10.0.0.6 failed: host is not on local network
>> I wasn't there to see how this started, but I was able to monitor a
>> little bit of the process and here are my uneducated guesses. Uneducated
>> because I didn't examine the sources yet.
>> There should not be any hosts with 10.0.0.0/24 addresses on this
>> network. There are no special routes for it on my machine; outgoing
>> packets should go to 'default'.
>> I suspect that this was triggered when an offending machine sent an arp
>> response packet (that was unasked for) to my machine saying that
>> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it
> That prefix belongs to Epox Computers. Any Epox motherboards on your
> network?
This is something that I should have started with. This is not an
intra-organization LAN, this is so called "home network", where an ISP
provides service via ethernet.
>> broadcast an arp request asking to tell my MAC address to that machine.
>> And I suspect that it tricked the OS into (almost endlessly) trying to
>> do an arp lookup for that 10.0.0.X address. But updating the arp table
>> failed for the obvious reason. I saw with tcpdump that my machine indeed
>> sent an arp request for the 10.0.0.X address.
>> I see two issues here:
>> 1. we should not send arp requests for addresses that are not
>> supposed to be on the local network(s)
>> 2. there is no way to disable or throttle the log messages
> I suspect this is operator error. You mention no details about your
> local network, but I would guess that you have two separate IP ranges
> on a single segment. Has the "attack" ended? If not, grab some tcpdumps
> and see who's actually sending those packets.
> What IP address does this machine have? What's the network like that
> it's connected to?
The ISP controls which addresses are on this network. And it might
very well be that this is an operator error indeed, i.e. an incorrectly
configured network mask for some special service machine.
It is not the fact itself that I am concerned about, but how the FreeBSD
machine (RELENG_7, btw) responded to it.
It seems that everything is normal now; I did some tcpdump-ing just in
case and here are some results:
12.076469 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.19 tell 10.0.0.68
0x0000: 0001 0800 0604 0001 0004 6101 2345 0a00 ..........a.#E..
0x0010: 0044 0000 0000 0000 0a00 0013 0000 0000 .D..............
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
8.942133 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.19 tell 10.0.0.68
0x0000: 0001 0800 0604 0001 0004 6101 2345 0a00 ..........a.#E..
0x0010: 0044 0000 0000 0000 0a00 0013 0000 0000 .D..............
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
12.124816 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.20 tell 10.0.0.68
0x0000: 0001 0800 0604 0001 0004 6101 2345 0a00 ..........a.#E..
0x0010: 0044 0000 0000 0000 0a00 0014 0000 0000 .D..............
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
In general it seems that 10.0.0.68 does some sort of consecutive
scanning of the network, but now it is limited to the 10.0.0.0/24 range. No
other addresses are queried.
I searched through some Russian-language forums and it seems that some
MS(r) virus might be doing that. In addition to the ARP traffic I've also
just sniffed some quite strange packets from the same host:
226632 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype Unknown (0x1702), length 293:
I guess I should report this to my ISP.
--
Andriy Gapon
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
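The following is an added example for this thread, not code from the posters or from FreeBSD. It decodes the three ARP requests from the tcpdump hex dumps above, applies a simplified "is the sender on my directly connected prefix" check in place of the kernel's route lookup behind the "host is not on local network" message, throttles the resulting log lines (issue 2 in the thread), and flags a sender that sweeps consecutive addresses. The local interface 192.0.2.77/24 is an assumption (the thread never states the poster's address), and build_arp_request only constructs synthetic packets for exercising the checks.

```python
"""Decode the ARP requests captured in the thread above, flag senders whose
addresses are not on the local subnet, and throttle the resulting log lines.
Added example for this thread, not FreeBSD code."""
import ipaddress
import struct
from collections import defaultdict

# Payload bytes copied from the three tcpdump -x dumps above (tcpdump's hex
# starts at the ARP header; the 14-byte Ethernet header is not shown).
CAPTURED_ARP = [bytes.fromhex(h) for h in (
    "0001 0800 0604 0001 0004 6101 2345 0a00 0044 0000 0000 0000 0a00 0013 "
    "0000 0000 0000 0000 0000 0000 0000 0000 0000",
    "0001 0800 0604 0001 0004 6101 2345 0a00 0044 0000 0000 0000 0a00 0013 "
    "0000 0000 0000 0000 0000 0000 0000 0000 0000",
    "0001 0800 0604 0001 0004 6101 2345 0a00 0044 0000 0000 0000 0a00 0014 "
    "0000 0000 0000 0000 0000 0000 0000 0000 0000",
)]

# Assumption for the example: the listening host's own address and prefix.
# The thread never states it; 192.0.2.0/24 is documentation address space.
LOCAL_IFACE = ipaddress.ip_interface("192.0.2.77/24")

# Ethernet/IPv4 ARP header: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes; the rest of the frame is padding


def parse_arp(payload: bytes) -> dict:
    """Decode one ARP header; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "sender_mac": sha.hex(":"),
        "sender_ip": ipaddress.IPv4Address(spa),
        "target_mac": tha.hex(":"),
        "target_ip": ipaddress.IPv4Address(tpa),
    }


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed ARP request, used only to synthesise test traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6,
                       ipaddress.IPv4Address(target_ip).packed)


def on_local_network(ip: ipaddress.IPv4Address, iface=LOCAL_IFACE) -> bool:
    """Simplified stand-in for the route check behind the kernel message:
    only addresses inside the directly connected prefix may be resolved."""
    return ip in iface.network


class LogThrottle:
    """Emit at most `limit` messages per key and count the rest, instead of
    logging every event (the poster's issue 2)."""

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.seen = defaultdict(int)

    def should_log(self, key) -> bool:
        self.seen[key] += 1
        return self.seen[key] <= self.limit

    def suppressed(self, key) -> int:
        return max(0, self.seen[key] - self.limit)


def looks_like_sweep(ips) -> bool:
    """True if a sender asked about three or more consecutive addresses."""
    ints = sorted(int(ip) for ip in ips)
    run = 1
    for a, b in zip(ints, ints[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= 3:
            return True
    return False


def analyse(packets, iface=LOCAL_IFACE, limit: int = 3):
    """Return (log lines that would be emitted, throttle state, per-sender
    set of queried targets) for a list of raw ARP payloads."""
    throttle = LogThrottle(limit)
    log, targets = [], defaultdict(set)
    for raw in packets:
        pkt = parse_arp(raw)
        targets[pkt["sender_mac"]].add(pkt["target_ip"])
        if not on_local_network(pkt["sender_ip"], iface):
            if throttle.should_log(pkt["sender_ip"]):
                log.append(f"arplookup {pkt['sender_ip']} failed: "
                           "host is not on local network")
    return log, throttle, targets


if __name__ == "__main__":
    lines, state, per_sender = analyse(CAPTURED_ARP)
    for line in lines:
        print("kernel:", line)
    for mac, ips in per_sender.items():
        print(mac, "queried", sorted(map(str, ips)),
              "sweep:", looks_like_sweep(ips))
```

Run on the captured dumps, the decoder recovers exactly what tcpdump printed: requests from 00:04:61:01:23:45 claiming 10.0.0.68 and asking for 10.0.0.19 and 10.0.0.20. Because 10.0.0.68 is outside the assumed local prefix, each packet would produce one "host is not on local network" line; the throttle caps that per offending address and keeps a count of what it dropped, which is the shape of fix the thread's issue 2 asks for.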
- References:
- arplookup 10.0.0.68 failed: host is not on local network
- From: Andriy Gapon
- Re: arplookup 10.0.0.68 failed: host is not on local network
- From: Bill Moran