Date:      Mon, 07 Apr 2008 22:30:06 +0300
From:      Andriy Gapon <avg@icyb.net.ua>
To:        Bill Moran <wmoran@collaborativefusion.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: arplookup 10.0.0.68 failed: host is not on local network
Message-ID:  <47FA763E.8020509@icyb.net.ua>
In-Reply-To: <20080407085923.42271757.wmoran@collaborativefusion.com>
References:  <47F8F5E9.6060303@icyb.net.ua> <20080407085923.42271757.wmoran@collaborativefusion.com>

on 07/04/2008 15:59 Bill Moran said the following:
> In response to Andriy Gapon <avg@icyb.net.ua>:
> 
>> My message log is spammed with thousands of messages like those quoted
>> below, to the extent that this could be considered some form of an attack.
>> kernel: arplookup 10.0.0.68 failed: host is not on local network
>> kernel: arplookup 10.0.0.6 failed: host is not on local network
>> kernel: arplookup 10.0.0.68 failed: host is not on local network
>> kernel: arplookup 10.0.0.6 failed: host is not on local network
>>
>> I wasn't there to see how this started, but I was able to monitor a
>> little bit of the process and here are my uneducated guesses. Uneducated
>> because I didn't examine sources yet.
>>
>> There should not be any hosts with 10.0.0.0/24 addresses on this
>> network. There are no special routes for it on my machine, outgoing
>> packets should go to 'default'.
>>
>> I suspect that this was triggered when an offending machine sent an arp
>> response packet (that was unasked for) to my machine saying that
>> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it
> 
> That prefix belongs to Epox Computers.  Any Epox motherboards on your
> network?

This is something that I should have started with. This is not an
intra-organization LAN; this is a so-called "home network", where an ISP
provides service via ethernet.

>> broadcast an arp request asking to tell my MAC address to that machine.
>> And I suspect that it tricked the OS into (almost endlessly) trying to
>> do an arp lookup for that 10.0.0.X address. But updating arp table
>> failed for the obvious reason. I saw with tcpdump that my machine indeed
>> sent arp request for 10.0.0.X address.
>>
>> I see two issues here:
>> 1. we should not send arp requests for the addresses that are not
>> supposed to be on the local network(s)
>> 2. there is no way to disable or throttle the log messages
> 
> I suspect this is operator error.  You mention no details about your
> local network, but I would guess that you have two separate IP ranges
> on a single segment.  Has the "attack" ended?  If not, grab some tcpdumps
> and see who's actually sending those packets.
> 
> What IP address does this machine have?  What's the network like that
> it's connected to?

The ISP controls which addresses are on this network. And it might
very well be that this is an operator error indeed, i.e. an incorrectly
configured network mask for some special service machine.
It is not the fact itself that I am concerned about, but how the FreeBSD
machine (RELENG_7, btw) responded to it.

It seems that everything is back to normal now. I did some tcpdump-ing just in
case and here are some results:
12.076469 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP
(0x0806), length 60: arp who-has 10.0.0.19 tell 10.0.0.68
        0x0000:  0001 0800 0604 0001 0004 6101 2345 0a00  ..........a.#E..
        0x0010:  0044 0000 0000 0000 0a00 0013 0000 0000  .D..............
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
8.942133 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP
(0x0806), length 60: arp who-has 10.0.0.19 tell 10.0.0.68
        0x0000:  0001 0800 0604 0001 0004 6101 2345 0a00  ..........a.#E..
        0x0010:  0044 0000 0000 0000 0a00 0013 0000 0000  .D..............
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
12.124816 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP
(0x0806), length 60: arp who-has 10.0.0.20 tell 10.0.0.68
        0x0000:  0001 0800 0604 0001 0004 6101 2345 0a00  ..........a.#E..
        0x0010:  0044 0000 0000 0000 0a00 0014 0000 0000  .D..............
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

In general it seems that 10.0.0.68 does some sort of consecutive
scanning of the network, but now it is limited to 10.0.0.0/24 range. No
other addresses are queried.

I searched through some Russian-language forums and it seems that some
MS(r) Virus might be doing that. In addition to ARP traffic I've also
just sniffed some quite strange packets from the same host:

226632 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype Unknown
(0x1702), length 293:

I guess I should report this to my ISP.

-- 
Andriy Gapon
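As an added illustration (not code from this thread or from FreeBSD), the following decodes the ARP payload shown in the hex dumps above and flags sender/target addresses that fall outside the locally configured prefixes, which is the condition behind the "host is not on local network" log lines. The local prefix 192.0.2.0/24 is a placeholder; the real interface address is not given in the message.

```python
import ipaddress
import struct

# Constructed from the first hex dump quoted in the message: the 28-byte
# ARP payload (htype/ptype/hlen/plen/oper, sha, spa, tha, tpa) plus padding.
SAMPLE_ARP_HEX = (
    "0001 0800 0604 0001 0004 6101 2345 0a00 "
    "0044 0000 0000 0000 0a00 0013 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000"
)

def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (RFC 826 field layout)."""
    if len(payload) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "oper": {1: "request", 2: "reply"}.get(oper, f"op{oper}"),
        "sha": mac(payload[8:14]),
        "spa": str(ipaddress.IPv4Address(payload[14:18])),
        "tha": mac(payload[18:24]),
        "tpa": str(ipaddress.IPv4Address(payload[24:28])),
    }

def offending_addresses(arp: dict, local_nets) -> list:
    """Return sender/target ARP addresses that are on none of the local prefixes.

    A non-empty result is the situation the kernel reports with
    'arplookup ... failed: host is not on local network'.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    bad = []
    for field in ("spa", "tpa"):
        addr = ipaddress.ip_address(arp[field])
        if not any(addr in net for net in nets):
            bad.append(f"{field}={addr}")
    return bad

def decode_sample() -> dict:
    """Parse the ARP payload quoted in the message above."""
    return parse_arp(bytes.fromhex(SAMPLE_ARP_HEX.replace(" ", "")))

if __name__ == "__main__":
    arp = decode_sample()
    print(arp)
    # Placeholder local prefix (TEST-NET-1); substitute the interface's real one.
    print(offending_addresses(arp, ["192.0.2.0/24"]))
```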