* * * * *
Packets from Mars
Another thing I'm seeing with the LaBrea Tarpit software [1]—weird ARP
(Address Resolution Protocol) packets.
I've got the logging set to “verbose” (in case any problems come up) and one
result is that it logs all the ARP requests that it sees, but can't answer
(can't answer them because they're outside the normal netblock LaBrea is
“answering” for). So I see a bunch for other public IP (Internet Protocol)
addresses we have. And the various private IP addresses that I'm not exactly
sure what they're being used for, but hey, they're private.
And then … there are the ARP requests that shouldn't exist:
> Jan 6 00:55:40 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.64
> Jan 6 00:55:42 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
> Jan 6 00:55:43 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
> Jan 6 00:55:43 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
> Jan 6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 66.252.226.46
> Jan 6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
> Jan 6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
> Jan 6 00:55:45 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
> Jan 6 00:55:47 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
>
I have no clue where these are coming from.
None, and I mean none of our addresses are from the 64.0.0.0/8 block. That
doesn't appear to be any of our upstream providers. I can traceroute to
64.76.67.248 but why I'm seeing ARP requests from it is beyond me. Especially
since ARP requests can't be routed! It's something local sending it out, or
it's LaBrea misinterpreting the ARP packet (since it can be used for more
than just IP→MAC (Media Access Control) address translations).
One thing for sure, I'll have to check the code, and possibly modify LaBrea
to log the MAC address so I can track this down. Then again, I have to hit
the code anyway, since technically, the MAC address LaBrea uses is wrong (the
“global/local” bit in the address is not set, and it should be).
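An added example, not part of the original post and not LaBrea code: one way to triage log lines like the ones quoted above is to tally each sender/target pair whose sender falls outside the netblocks you expect on the segment. It also tests the “global/local” bit of a MAC address (0x02 in the first octet). The function names, the 192.0.2.0/24 placeholder netblock and the sample MAC address are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the verbose LaBrea log lines quoted in the post.
ARP_LINE = re.compile(r"ARP WHO-HAS (\S+) TELL (\S+)")

# Log lines copied from the post's excerpt.
SAMPLE_LOG = """\
Jan 6 00:55:40 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.64
Jan 6 00:55:42 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
Jan 6 00:55:43 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
Jan 6 00:55:43 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
Jan 6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 66.252.226.46
Jan 6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
Jan 6 00:55:44 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
Jan 6 00:55:45 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.254 TELL 64.76.67.236
Jan 6 00:55:47 ltp : IP address not in netblock - ARP WHO-HAS 64.76.67.1 TELL 64.76.67.248
"""

def summarize_arp(log_text, known_nets):
    """Count (sender, target) pairs whose sender is outside every known netblock."""
    nets = [ip_network(n) for n in known_nets]
    strays = Counter()
    for line in log_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # not an ARP WHO-HAS line
        target, sender = ip_address(m.group(1)), ip_address(m.group(2))
        if not any(sender in n for n in nets):
            strays[(str(sender), str(target))] += 1
    return strays

def is_locally_administered(mac):
    """True if the global/local bit (0x02 of the first octet) is set."""
    first_octet = int(re.split(r"[:-]", mac)[0], 16)
    return bool(first_octet & 0x02)

if __name__ == "__main__":
    # 192.0.2.0/24 is a placeholder; the post does not list the site's
    # real netblocks, so substitute your own.
    for (sender, target), n in summarize_arp(SAMPLE_LOG, ["192.0.2.0/24"]).most_common():
        print(f"{n:3d}  {sender} asked for {target}")
    # Constructed MAC address with the local bit set.
    print(is_locally_administered("02:00:00:00:00:01"))
```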
[1]
gopher://gopher.conman.org/0Phlog:2006/01/05.2