Charter ARP Leak

Valdis.Kletnieks at vt.edu
Mon Dec 29 16:49:48 UTC 2014


On Mon, 29 Dec 2014 03:44:48 +0000, "Stephen R. Carter" said:
> Here is a small excerpt I am seeing.
> 
> 06:04:04.760869  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1
> 06:04:04.761950  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 75.135.155.27 tell 75.135.152.1

The interesting thing is that they're all .1 addresses.  It's almost as if
the one broadcast domain has at least 7 different address spaces on it.

I've long seen similar in Comcast country.  My CPE router has an upstream
interface:

ge00      Link encap:Ethernet  HWaddr 10:0D:7F:64:CA:0C  
          inet addr:73.171.123.11  Bcast:73.171.123.255  Mask:255.255.254.0

but yet I see a continual background flux of 6-8 arp requests a second, mostly
from what appear to be routers for other subnets:

# tcpdump -i ge00 -n arp -c 2000 | awk '{print $7}' | sort | uniq -c
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge00, link-type EN10MB (Ethernet), capture size 65535 bytes
2000 packets captured
2012 packets received by filter
0 packets dropped by kernel
     38 100.93.216.1,
     16 184.121.18.1,
     18 184.126.32.1,
     36 24.127.42.1,
     34 24.127.50.1,
     20 24.131.5.1,
     18 50.134.17.1,
     17 50.134.55.1,
     37 50.134.64.1,
     91 50.218.88.1,
    142 50.220.88.1,
    298 71.197.0.1,
    183 71.62.120.1,
     81 71.63.61.1,
    167 73.171.122.1,     (my putative upstream router)
      1 73.171.123.11,    (my box timed out its arp entry for upstream)
    131 73.171.77.1,
    511 73.31.150.1,
    157 73.31.41.1,
      3 96.120.18.205,

I've annotated the 2 lines I *expected* to see...

The other odd part is that of 20 sources, only 7 appear to have PTR entries....

When I first noticed this and mentioned it to somebody, they responded
"Forget it, Jake.  It's Chinatown".

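An added example, not part of the original message: the per-sender count above, extended to split ARP requests by whether the "tell" address falls inside the subnet configured on the capturing interface. The sample lines are constructed in tcpdump's output format from addresses in the listing (the who-has targets and the MAC address are made up), and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Matches both tcpdump renderings of an ARP request:
#   "... ARP, Request who-has X tell Y, length 46"
#   "... arp who-has X tell Y"   (the form quoted at the top of the message)
ARP_REQ = re.compile(r"who-has\s+(\d+(?:\.\d+){3})\s+tell\s+(\d+(?:\.\d+){3})", re.I)

def classify_arp_senders(lines, iface_cidr):
    """Count ARP requests per sender ('tell') address, split into senders
    inside the interface's own subnet and senders outside it."""
    iface = ipaddress.ip_interface(iface_cidr)
    local, foreign = Counter(), Counter()
    for line in lines:
        m = ARP_REQ.search(line)
        if m is None:
            continue  # tcpdump banner, ARP replies, anything else
        sender = ipaddress.ip_address(m.group(2))
        bucket = local if sender in iface.network else foreign
        bucket[sender] += 1
    return local, foreign

def summarize(local, foreign):
    """Totals a monitoring check could alert on."""
    return {
        "total_requests": sum(local.values()) + sum(foreign.values()),
        "foreign_requests": sum(foreign.values()),
        "foreign_senders": len(foreign),
        # Off-subnet senders whose last octet is 1, the pattern noted above.
        "foreign_dot1_senders": sum(1 for ip in foreign if int(ip) & 0xFF == 1),
    }

# Constructed sample capture (not real traffic).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
06:04:04.100000 ARP, Request who-has 73.171.123.11 tell 73.171.122.1, length 46
06:04:04.200000 ARP, Request who-has 73.171.122.1 tell 73.171.123.11, length 28
06:04:04.300000 ARP, Request who-has 71.197.0.77 tell 71.197.0.1, length 46
06:04:04.400000 ARP, Request who-has 71.197.1.20 tell 71.197.0.1, length 46
06:04:04.500000 ARP, Request who-has 73.31.150.9 tell 73.31.150.1, length 46
06:04:04.600000 ARP, Request who-has 96.120.18.1 tell 96.120.18.205, length 46
06:04:04.700000 ARP, Reply 73.171.122.1 is-at 00:00:5e:00:53:01, length 46
""".splitlines()

if __name__ == "__main__":
    local, foreign = classify_arp_senders(SAMPLE, "73.171.123.11/255.255.254.0")
    print(summarize(local, foreign))
    for ip, n in foreign.most_common():
        print(f"off-subnet sender {ip}: {n} requests")
```
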