Network Question

Brian Kelsay bkelsay at home.com
Mon Aug 6 19:17:22 CDT 2001 

I'm getting about a hit a minute and all are being happily rejected by
my firewall.  The light on my cable "modem" is blinking profusely
though, like way more hits are coming in than the firewall is recording.
They seem to be checking port 80 on my machine and coming from a wide
range of addresses.

----- Original Message -----
From: "Mike Coleman" <mkc at mathdogs.com>
To: "Baker" <baker at cyborgworkshop.com>
Cc: "Gene Dascher" <gedascher at multiservice.com>; <kclug at kclug.org>
Sent: Monday, August 06, 2001 12:14 PM
Subject: Re: Network Question

> Baker <baker at cyborgworkshop.com> writes:
> > You could do that, but I will tell you right now what you are
seeing. Lots
> > and Lots of connections to port 80.   I have had over 1000 different
hosts
> > hit my cable modem in the past 48 hours according to my firewall.
This
> > probes are now using up more traffic then my normal web surfing
does.
>
> I'm seeing a lot of traffic on my RR cable as well.  I'm getting hits
from
> code red, but not a huge number of them (one every few minutes).
>
> 12:07:18.039529 arp who-has mkc-65-26-104-152.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:18.214158 arp who-has mkc-65-26-104-30.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:18.353074 arp who-has mkc-65-26-104-248.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:18.551524 arp who-has mkc-65-26-104-24.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:18.567719 arp who-has mkc-31-236-26.kc.rr.com tell
mkc-31-236-1.kc.rr.com
> 12:07:18.655798 arp who-has mkc-65-26-104-23.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:19.233262 arp who-has mkc-31-237-210.kc.rr.com tell
mkc-31-236-1.kc.rr.com
> 12:07:19.585490 arp who-has mkc-31-236-136.kc.rr.com tell
mkc-31-236-1.kc.rr.com
> 12:07:19.589454 arp who-has mkc-31-236-205.kc.rr.com tell
mkc-31-236-1.kc.rr.com
> 12:07:19.714155 arp who-has mkc-65-26-104-143.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:19.748413 arp who-has mkc-65-26-104-21.kc.rr.com tell
mkc-65-26-104-1.kc.rr.com
> 12:07:19.832941 arp who-has mkc-31-237-70.kc.rr.com tell
mkc-31-236-1.kc.rr.com
> 12:07:19.924151 arp who-has mkc-31-237-225.kc.rr.com tell
mkc-31-236-1.kc.rr.com
>
> (For the names with four numbers, the four numbers are the IP address.
For
> the names with three numbers, that's the address on 24.* net, I
believe.  I'm
> currently 'mkc-65-26-104-73.kc.rr.com'.)
>
> So maybe comcast is having similar arp storms?  I'm tempted to blame
this on
> code red, but I'm not sure.  Shouldn't the routers prevent these arp
requests
> from being (apparently) spread so widely over RR's net?
>
> --
> Mike Coleman, mkc at mathdogs.com
> http://www.mathdogs.com
> problem solving, expert software development
>
>
majordomo at kclug.org

More information about the Kclug mailing list