elainegrey wrote 2010-05-03 09:06 am
(no subject)

Slow engagement with the world this morning. Had a burst of adrenaline: we continue to have irregular network slowdowns when ping times to our provider's DNS go from 14 ms to well over 2k ms. Our provider has suggested that perhaps we have someone using our wireless or we have a virus on one of our machines. So whenever this happens i go look at our router's logs and at the DHCP assignments. (Any machine on our network either needs a fixed IP or one assigned by DHCP. I realize a clever wireless access thief could assign an IP in the range of our private network addresses and the routing would work. I guess i need to scan our network for all MAC addresses if i really want to look for a bandwidth thief.)

(Distraction as i realize there's another layer i need to go through to be sure of what's going on at home.)

Anyhow -- i looked at the router logs and saw the machine to which we have a web accessible port routing receiving an occasional request *and* sending out! OMG that's the machine someone's using from outside, somehow! Klaxons go off in my brain, i kill the port routing, panic, panic. Then i start showing Christine what's going on, and slowing down i realize -- wait, does that machine have Skype on it? It does? Oh, all this traffic is explained. And it's looking up RSS feeds, that's why all this is happening. And the external accesses are from crawlers... Never mind. Not a problem. And i turn the port routing back on. Exhale.

Meanwhile, there have been mystery devices on the DHCP list. Sunday was "[Bad unicode] 00-17-f2-d6-9d-64", today "[More bad unicode] 00-17-f2-9c-8f-9b" (the blogging interface refused to accept the euro and C-cedilla). The vendor part of the MAC address -- the unique identifier of the ethernet or wireless access port hardware -- of both these devices is assigned to Apple. So, given our absurd ratio of Apple devices to humans, it's possible one of the devices isn't declaring its identity correctly.

I've got a port mapper installed (ooh, cool scans) so next time the mystery machine is on DHCP i can scan it.

How do i use NMAP to scan the whole network?

And maybe i should go to work?
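
An added example, not part of the original entry: one way to reconcile a router's DHCP lease list against a household inventory, using the vendor prefix of each MAC as described above. The inventory, the hostnames, the `laptop` and `phone` entries and all function names are constructed for illustration; only the two `00-17-f2-...` addresses and their Apple assignment come from the post.

```python
import re

# Vendor prefixes (OUI = first three octets). Only the prefix named in the
# post is listed; a real audit would load the full IEEE registry.
OUI_VENDORS = {"00:17:f2": "Apple"}

def normalize_mac(raw):
    """Accept 00-17-F2-.., 00:17:f2:.. or 0017.f2d6.9d64; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet set means the address was not burned in by a
    vendor (randomised or manually set), so an OUI lookup is meaningless."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_leases(leases, known_macs):
    """Return one finding per lease whose MAC is not in the household inventory."""
    known = {normalize_mac(m) for m in known_macs}
    findings = []
    for hostname, raw_mac in leases:
        mac = normalize_mac(raw_mac)
        if mac in known:
            continue
        if is_locally_administered(mac):
            vendor = "locally administered (no vendor)"
        else:
            vendor = OUI_VENDORS.get(mac[:8], "unknown vendor")
        # Hostnames with non-ASCII or unprintable characters deserve a second look.
        odd_name = not hostname.isascii() or not hostname.isprintable()
        findings.append({"mac": mac, "vendor": vendor, "odd_hostname": odd_name})
    return findings

# Constructed sample data: the two MACs quoted in the post plus invented entries.
LEASES = [
    ("laptop", "00:17:F2:11:22:33"),         # constructed, present in inventory
    ("\u20ac\u00c7", "00-17-f2-d6-9d-64"),   # MAC from the post, name constructed
    ("\u00c7\u20ac", "00-17-f2-9c-8f-9b"),   # MAC from the post, name constructed
    ("phone", "da:a1:19:00:00:01"),          # constructed randomised address
]
KNOWN = ["00-17-F2-11-22-33"]

if __name__ == "__main__":
    for finding in audit_leases(LEASES, KNOWN):
        print(finding)
```

A matching vendor prefix narrows the search but does not identify the device, since a MAC address can be set in software; the inventory comparison is what actually separates known hardware from unknown.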