I'm seeing a lot of pings and http requests from ip addresses 64.5.53.10 - 64.5.53.13.

Is this some sort of monitoring done locally? the IP addresses are assigned to ThePlanet's netblock, so I'm assuming so, and I've altered my firewall rules to permit it.

I'm also seeing 210.205.220.86 probing for kuang on port 17300. But that looks like the bad guys fishing.

Paul

My logs already contain a few hundred icmp pings from machines that appear to be in ThePlanet's IP space... (aside from the tens of thousands from 64.5.53.8/29...) I'm only seeing two distinct MAC addresses so far, but quite a spread of IP addresses.

If anyone knows of a legitimate reason why I would be seeing this odd ping traffic, please let me know, as I will be starting to report to DShield in the next day or two.

Thanks,

Paul

Hello Paul,

If you reverse 64.5.53.[6-13], you'd discover those are the IPs assigned to the host machines at linode.com

The traffic you're seeing is generated via nmap -sP ping scan. Check the man page for the details, but it involves sending icmp, ack and syn packets to (random) port 80 as methods to determine if a machine is still responding. Its harmless and you should allow the traffic from the hosts. (note: the traffic is counted against your bandwidth, this is wrong, we are aware of the issue and should have a "real soon now").

We're using this method to keep the Linode's networking active in our system; otherwise connectivity might be lost to your Linode.

-Chris

Thanks Chris, good to have that confirmed. Should've thought to do a reverse DNS lookup (today doesn't seem to be one of my more lucid ones either )

Any reason for picking http (80)? wouldn't ident (113) be a better choice?

what value are you using for --scan_delay?

I found your last comment puzzling. The UML networking fails if there isn't regular network activity?

Paul

This is probably related to the monitoring, but I'm seeing hundreds of ARP who-has requests per minute from various linode administrative address to the entire address range of several /24 networks. I don't recall offhand how big an ARP request is, but anything multiplied by hundreds of times - perhaps even 1000 times - per minute is a lot of traffic, and a significant portion of the ARP requests I'm seeing are not related to IP addresses on my subnet.

Here is a sample (note that it represents 1 second of ARP traffic):

22:26:10.013737 arp who-has 69.56.173.232 tell 64.5.53.10
22:26:10.013760 arp who-has 69.56.173.233 tell 64.5.53.10
22:26:10.013783 arp who-has 69.56.173.234 tell 64.5.53.10
22:26:10.013805 arp who-has 69.56.173.235 tell 64.5.53.10
22:26:10.013827 arp who-has 69.56.173.236 tell 64.5.53.10
22:26:10.013850 arp who-has 69.56.173.237 tell 64.5.53.10
22:26:10.013873 arp who-has 69.56.173.238 tell 64.5.53.10
22:26:10.013897 arp who-has 69.56.173.239 tell 64.5.53.10
22:26:10.013931 arp who-has 69.56.173.240 tell 64.5.53.10
22:26:10.065887 arp who-has 69.56.173.241 tell 64.5.53.10
22:26:10.065916 arp who-has 69.56.173.242 tell 64.5.53.10
22:26:10.065938 arp who-has 69.56.173.243 tell 64.5.53.10
22:26:10.065960 arp who-has 69.56.173.244 tell 64.5.53.10
22:26:10.065982 arp who-has 69.56.173.245 tell 64.5.53.10
22:26:10.066004 arp who-has 69.56.173.246 tell 64.5.53.10
22:26:10.066027 arp who-has 69.56.173.247 tell 64.5.53.10
22:26:10.066049 arp who-has 69.56.173.248 tell 64.5.53.10
22:26:10.066072 arp who-has 69.56.173.249 tell 64.5.53.10
22:26:10.066095 arp who-has 69.56.173.250 tell 64.5.53.10
22:26:10.066117 arp who-has 69.56.173.86 tell 69.56.173.10
22:26:10.068613 arp who-has 69.56.173.251 tell 64.5.53.10
22:26:10.068640 arp who-has 69.56.173.252 tell 64.5.53.10
22:26:10.068663 arp who-has 69.56.173.253 tell 64.5.53.10
22:26:10.068685 arp who-has 69.56.173.254 tell 64.5.53.10
22:26:10.175596 arp who-has 69.56.173.189 tell 64.5.53.13
22:26:10.175626 arp who-has 69.56.173.190 tell 64.5.53.13
22:26:10.175649 arp who-has 69.56.173.191 tell 64.5.53.13
22:26:10.175671 arp who-has 69.56.173.192 tell 64.5.53.13
22:26:10.175693 arp who-has 69.56.173.193 tell 64.5.53.13
22:26:10.175716 arp who-has 69.56.173.194 tell 64.5.53.13
22:26:10.175837 arp who-has 69.56.173.195 tell 64.5.53.13
22:26:10.176071 arp who-has 69.56.173.196 tell 64.5.53.13
22:26:10.187867 arp who-has 69.56.173.197 tell 64.5.53.13
22:26:10.187893 arp who-has 69.56.173.198 tell 64.5.53.13
22:26:10.187915 arp who-has 69.56.173.199 tell 64.5.53.13
22:26:10.187936 arp who-has 69.56.173.200 tell 64.5.53.13
22:26:10.187958 arp who-has 69.56.173.201 tell 64.5.53.13
22:26:10.187981 arp who-has 69.56.173.202 tell 64.5.53.13
22:26:10.188003 arp who-has 69.56.173.203 tell 64.5.53.13
22:26:10.188026 arp who-has 69.56.173.204 tell 64.5.53.13
22:26:10.188048 arp who-has 69.56.173.205 tell 64.5.53.13
22:26:10.188070 arp who-has 69.56.173.206 tell 64.5.53.13
22:26:10.188093 arp who-has 69.56.173.207 tell 64.5.53.13
22:26:10.233452 arp who-has 69.56.173.208 tell 64.5.53.13
22:26:10.233482 arp who-has 69.56.173.209 tell 64.5.53.13
22:26:10.233504 arp who-has 69.56.173.210 tell 64.5.53.13
22:26:10.233526 arp who-has 69.56.173.211 tell 64.5.53.13
22:26:10.233548 arp who-has 69.56.173.212 tell 64.5.53.13
22:26:10.233570 arp who-has 69.56.173.213 tell 64.5.53.13
22:26:10.233593 arp who-has 69.56.173.214 tell 64.5.53.13
22:26:10.233615 arp who-has 69.56.173.215 tell 64.5.53.13
22:26:10.233638 arp who-has 69.56.173.216 tell 64.5.53.13
22:26:10.233660 arp who-has 69.56.173.217 tell 64.5.53.13
22:26:10.233682 arp who-has 69.56.173.218 tell 64.5.53.13
22:26:10.234441 arp who-has 69.56.173.219 tell 64.5.53.13
22:26:10.234466 arp who-has 69.56.173.220 tell 64.5.53.13
22:26:10.234486 arp who-has 69.56.173.221 tell 64.5.53.13
22:26:10.234506 arp who-has 69.56.173.222 tell 64.5.53.13
22:26:10.234527 arp who-has 69.56.173.223 tell 64.5.53.13
22:26:10.264522 arp who-has 69.56.173.221 tell 64.5.53.10
22:26:10.264551 arp who-has 69.56.173.222 tell 64.5.53.10
22:26:10.264574 arp who-has 69.56.173.223 tell 64.5.53.10
22:26:10.264597 arp who-has 69.56.173.224 tell 64.5.53.10
22:26:10.264620 arp who-has 69.56.173.225 tell 64.5.53.10
22:26:10.264643 arp who-has 69.56.173.226 tell 64.5.53.10
22:26:10.264666 arp who-has 69.56.173.227 tell 64.5.53.10
22:26:10.264689 arp who-has 69.56.173.228 tell 64.5.53.10
22:26:10.264712 arp who-has 69.56.173.229 tell 64.5.53.10
22:26:10.272653 arp who-has 69.56.173.230 tell 64.5.53.10
22:26:10.272679 arp who-has 69.56.173.231 tell 64.5.53.10
22:26:10.288689 arp who-has 69.56.173.154 tell 64.5.53.13
22:26:10.288718 arp who-has 69.56.173.155 tell 64.5.53.13
22:26:10.288741 arp who-has 69.56.173.156 tell 64.5.53.13
22:26:10.288764 arp who-has 69.56.173.157 tell 64.5.53.13
22:26:10.288786 arp who-has 69.56.173.158 tell 64.5.53.13
22:26:10.288810 arp who-has 69.56.173.159 tell 64.5.53.13
22:26:10.288833 arp who-has 69.56.173.160 tell 64.5.53.13
22:26:10.288856 arp who-has 69.56.173.161 tell 64.5.53.13
22:26:10.288877 arp who-has 69.56.173.162 tell 64.5.53.13
22:26:10.288900 arp who-has 69.56.173.163 tell 64.5.53.13
22:26:10.288922 arp who-has 69.56.173.164 tell 64.5.53.13
22:26:10.291997 arp who-has 69.56.173.165 tell 64.5.53.13
22:26:10.292023 arp who-has 69.56.173.166 tell 64.5.53.13
22:26:10.292044 arp who-has 69.56.173.167 tell 64.5.53.13
22:26:10.292065 arp who-has 69.56.173.168 tell 64.5.53.13
22:26:10.292085 arp who-has 69.56.173.169 tell 64.5.53.13
22:26:10.292105 arp who-has 69.56.173.170 tell 64.5.53.13
22:26:10.292125 arp who-has 69.56.173.171 tell 64.5.53.13
22:26:10.292145 arp who-has 69.56.173.172 tell 64.5.53.13
22:26:10.292165 arp who-has 69.56.173.173 tell 64.5.53.13
22:26:10.292184 arp who-has 69.56.173.174 tell 64.5.53.13
22:26:10.292204 arp who-has 69.56.173.175 tell 64.5.53.13
22:26:10.336478 arp who-has 69.56.173.176 tell 64.5.53.13
22:26:10.336507 arp who-has 69.56.173.177 tell 64.5.53.13
22:26:10.336529 arp who-has 69.56.173.178 tell 64.5.53.13
22:26:10.336551 arp who-has 69.56.173.179 tell 64.5.53.13
22:26:10.336574 arp who-has 69.56.173.180 tell 64.5.53.13
22:26:10.336596 arp who-has 69.56.173.181 tell 64.5.53.13
22:26:10.336618 arp who-has 69.56.173.182 tell 64.5.53.13
22:26:10.336640 arp who-has 69.56.173.183 tell 64.5.53.13
22:26:10.336661 arp who-has 69.56.173.184 tell 64.5.53.13
22:26:10.336684 arp who-has 69.56.173.185 tell 64.5.53.13
22:26:10.336706 arp who-has 69.56.173.186 tell 64.5.53.13
22:26:10.343315 arp who-has 69.56.173.187 tell 64.5.53.13
22:26:10.343346 arp who-has 69.56.173.188 tell 64.5.53.13
22:26:10.343516 arp who-has 64.5.53.166 tell 64.5.53.13
22:26:10.343539 arp who-has 64.5.53.169 tell 64.5.53.13
22:26:10.343563 arp who-has 64.5.53.171 tell 64.5.53.13
22:26:10.355443 arp who-has 64.5.53.172 tell 64.5.53.13
22:26:10.355466 arp who-has 64.5.53.181 tell 64.5.53.13
22:26:10.355484 arp who-has 64.5.53.182 tell 64.5.53.13
22:26:10.355504 arp who-has 64.5.53.185 tell 64.5.53.13
22:26:10.355527 arp who-has 64.5.53.196 tell 64.5.53.13
22:26:10.355550 arp who-has 64.5.53.197 tell 64.5.53.13
22:26:10.615680 arp who-has 69.56.173.227 tell 64.5.53.12
22:26:10.640332 arp who-has 69.56.173.228 tell 64.5.53.12
22:26:10.640361 arp who-has 69.56.173.229 tell 64.5.53.12
22:26:10.640383 arp who-has 69.56.173.230 tell 64.5.53.12
22:26:10.640406 arp who-has 69.56.173.231 tell 64.5.53.12
22:26:10.640428 arp who-has 69.56.173.232 tell 64.5.53.12
22:26:10.640451 arp who-has 69.56.173.233 tell 64.5.53.12
22:26:10.640474 arp who-has 69.56.173.234 tell 64.5.53.12
22:26:10.640496 arp who-has 69.56.173.235 tell 64.5.53.12
22:26:10.640518 arp who-has 69.56.173.236 tell 64.5.53.12
22:26:10.640539 arp who-has 69.56.173.237 tell 64.5.53.12
22:26:10.640560 arp who-has 69.56.173.238 tell 64.5.53.12
22:26:10.642413 arp who-has 69.56.173.239 tell 64.5.53.12
22:26:10.642442 arp who-has 69.56.173.240 tell 64.5.53.12
22:26:10.642466 arp who-has 69.56.173.241 tell 64.5.53.12
22:26:10.642490 arp who-has 69.56.173.242 tell 64.5.53.12
22:26:10.642512 arp who-has 69.56.173.243 tell 64.5.53.12
22:26:10.642536 arp who-has 69.56.173.244 tell 64.5.53.12
22:26:10.642559 arp who-has 69.56.173.245 tell 64.5.53.12
22:26:10.642582 arp who-has 69.56.173.246 tell 64.5.53.12
22:26:10.642604 arp who-has 69.56.173.247 tell 64.5.53.12
22:26:10.642625 arp who-has 69.56.173.248 tell 64.5.53.12
22:26:10.642648 arp who-has 69.56.173.249 tell 64.5.53.12
22:26:10.681466 arp who-has 69.56.173.250 tell 64.5.53.12
22:26:10.681493 arp who-has 69.56.173.251 tell 64.5.53.12
22:26:10.681516 arp who-has 69.56.173.252 tell 64.5.53.12
22:26:10.681538 arp who-has 69.56.173.253 tell 64.5.53.12
22:26:10.681562 arp who-has 69.56.173.254 tell 64.5.53.12
22:26:10.681584 arp who-has 64.5.53.43 tell 64.5.53.6
22:26:10.681604 arp who-has 64.5.53.44 tell 64.5.53.6
22:26:10.681627 arp who-has 64.5.53.45 tell 64.5.53.6
22:26:10.681651 arp who-has 64.5.53.51 tell 64.5.53.6
22:26:10.681679 arp who-has 64.5.53.52 tell 64.5.53.6
22:26:10.681702 arp who-has 64.5.53.54 tell 64.5.53.6
22:26:10.692389 arp who-has 64.5.53.58 tell 64.5.53.6
22:26:10.692421 arp who-has 64.5.53.59 tell 64.5.53.6
22:26:10.692446 arp who-has 64.5.53.64 tell 64.5.53.6
22:26:10.692474 arp who-has 64.5.53.66 tell 64.5.53.6
22:26:10.692499 arp who-has 64.5.53.68 tell 64.5.53.6
22:26:10.692520 arp who-has 64.5.53.74 tell 64.5.53.6
22:26:10.692548 arp who-has 64.5.53.76 tell 64.5.53.6
22:26:10.692568 arp who-has 64.5.53.77 tell 64.5.53.6
22:26:10.692588 arp who-has 64.5.53.79 tell 64.5.53.6
22:26:10.692607 arp who-has 64.5.53.80 tell 64.5.53.6
22:26:10.692628 arp who-has 64.5.53.81 tell 64.5.53.6
22:26:10.692652 arp who-has 64.5.53.45 tell 64.5.53.11
22:26:10.692744 arp who-has 64.5.53.54 tell 64.5.53.11
22:26:10.692771 arp who-has 64.5.53.58 tell 64.5.53.11
22:26:10.692828 arp who-has 64.5.53.236 tell 64.5.53.11
22:26:10.692854 arp who-has 64.5.53.241 tell 64.5.53.11
22:26:10.694849 arp who-has 64.5.53.244 tell 64.5.53.11
22:26:10.694874 arp who-has 64.5.53.245 tell 64.5.53.11
22:26:10.694896 arp who-has 64.5.53.246 tell 64.5.53.11
22:26:10.694922 arp who-has 64.5.53.247 tell 64.5.53.11
22:26:10.694949 arp who-has 64.5.53.248 tell 64.5.53.11
22:26:10.694974 arp who-has 64.5.53.249 tell 64.5.53.11
22:26:10.694999 arp who-has 64.5.53.250 tell 64.5.53.11
22:26:10.695024 arp who-has 64.5.53.251 tell 64.5.53.11
22:26:10.695046 arp who-has 64.5.53.252 tell 64.5.53.11
22:26:10.695070 arp who-has 64.5.53.253 tell 64.5.53.11
22:26:10.695092 arp who-has 64.5.53.254 tell 64.5.53.11
22:26:10.881258 arp who-has 69.56.173.222 tell 64.5.53.11
22:26:10.893451 arp who-has 69.56.173.223 tell 64.5.53.11
22:26:10.893479 arp who-has 69.56.173.224 tell 64.5.53.11
22:26:10.893501 arp who-has 69.56.173.225 tell 64.5.53.11
22:26:10.893523 arp who-has 69.56.173.226 tell 64.5.53.11
22:26:10.893546 arp who-has 69.56.173.227 tell 64.5.53.11
22:26:10.893569 arp who-has 69.56.173.228 tell 64.5.53.11
22:26:10.893591 arp who-has 69.56.173.229 tell 64.5.53.11
22:26:10.893613 arp who-has 69.56.173.230 tell 64.5.53.11

22:26:10.893635 arp who-has 69.56.173.231 tell 64.5.53.11
22:26:10.893657 arp who-has 69.56.173.232 tell 64.5.53.11
22:26:10.893680 arp who-has 69.56.173.233 tell 64.5.53.11
22:26:10.955361 arp who-has 69.56.173.234 tell 64.5.53.11
22:26:10.955390 arp who-has 69.56.173.235 tell 64.5.53.11
22:26:10.955414 arp who-has 69.56.173.236 tell 64.5.53.11
22:26:10.955438 arp who-has 69.56.173.237 tell 64.5.53.11
22:26:10.955460 arp who-has 69.56.173.238 tell 64.5.53.11
22:26:10.955483 arp who-has 69.56.173.239 tell 64.5.53.11
22:26:10.955505 arp who-has 69.56.173.240 tell 64.5.53.11
22:26:10.955528 arp who-has 69.56.173.241 tell 64.5.53.11
22:26:10.955600 arp who-has 69.56.173.242 tell 64.5.53.11
22:26:10.955624 arp who-has 69.56.173.243 tell 64.5.53.11
22:26:10.955647 arp who-has 69.56.173.244 tell 64.5.53.11
22:26:10.957914 arp who-has 69.56.173.245 tell 64.5.53.11
22:26:10.957942 arp who-has 69.56.173.246 tell 64.5.53.11
22:26:10.957964 arp who-has 69.56.173.247 tell 64.5.53.11
22:26:10.957987 arp who-has 69.56.173.248 tell 64.5.53.11
22:26:10.958009 arp who-has 69.56.173.249 tell 64.5.53.11
22:26:10.958031 arp who-has 69.56.173.250 tell 64.5.53.11
22:26:10.958054 arp who-has 69.56.173.251 tell 64.5.53.11
22:26:10.958077 arp who-has 69.56.173.252 tell 64.5.53.11
22:26:10.958100 arp who-has 69.56.173.253 tell 64.5.53.11
22:26:10.958122 arp who-has 69.56.173.254 tell 64.5.53.11

I have omitted a single ARP reply during this sample which was outgoing from my Linode.

Unrelated: I'm still getting UDP broadcast traffic from someone's Linode. I'll refrain from posting the address here as I'm sure the relevant parties can determine that for themselves.

-Nate

I enabled UDP port 137 filters to stop all that crap.

I'm looking now at enabling more filters to control some of the broadcast traffic like the HSRP and ARP messages.

I also made some modifications to the network monitoring (which is used as an assertion that your Linode is up) -- Previously, every IP was monitoring by every host, so it was likely that you were seeing lots of ICMP traffic (and a few packets to port 80). This has been improved so that only the host your Linode resides on should perform the monitoring.

-Chris

I don't think it matters -- it's not making a complete TCP connection, only looking for a response. I would think 113 would be more alarming to admins/users, as it's commonly associated with IRC etc.


The default (zero?). With the fixes I've made (only one host will now monitor), I don't think there's any performance reason to increase the delay.


Ahh, that's my scare tactic to keep people from filtering my monitoring. A response from your IP is required or the monitoring will mark your IP down. If the other assertions fail (pid, process, etc) it will mark your Linode down, but under normal circumstances you won't have any problems.

-Chris

True. Just so long as apache doesn't get a regular jab in the ribs



Thanks for doing that, it should definitely help. If you'll indulge another suggestion, perhaps '-T Polite' would be a good option to include? If I understand the nmap man page correctly, the default is "as quickly as possible without over­loading the network or missing hosts/ports". I'm no nmap expert, but I thought it's somewhat adaptive in setting timeouts depending on the responsiveness of the system it is probing, so 'as quickly as possible' may not be desirable.



Strange, I don't know why someone would intentionally prevent their service provider from monitoring that they're actually providing the service I was only puzzled because the IP addresses sourcing the traffic were so different from my local IP address (though I should've just done a reverse-DNS lookup, as you suggested).

Could this sort of info be captured in a 'Configuring your Linode' page somewhere? This forum is still small enough to sift through to find the nuggets, but that won't last forever

Paul

I am blocking everything except specific ports I want open. Is that why my network stopped working the other day until I logged into the host and made a connection from the linode?

I guess I don't understand the consequences of my Linode's network being marked as down. What exactly does that mean? Do I get an e-mail notifiying me of the fact on the presumption that I would want to fix it? Is this a service of Linode.com that I didn't even realize you guys provide?