Subject: ARP queries; what do they mean?
To: None <netbsd-help@netbsd.org>
From: Richard Rauch <rauch@rice.edu>
List: netbsd-help
Date: 12/11/2002 07:15:47
I occasionally see my DSL lights flicker briefly when there should be no
network traffic.  Here is tcpdump output from one such episode:

06:24:58.854518 arp who-has adsl-66-136-7-253.dsl.hstntx.swbell.net tell adsl-66-136-7-253.dsl.hstntx.swbell.net

This is puzzling.  66.136.7.253 is supposed to be an IP number assigned to
me (though I don't use it yet).  Is who-has for route discovery?  Why
should my subnet be asked by someone *outside* of my subnet (I assume) to
tell a machine *inside* my subnet who has it?  Or is this a request being
generated by NetBSD itself for some reason?  (OBVIOUSLY, I don't
understand ARP; a complete ARP tutorial probably isn't necessary, but
don't assume that I'm familiar with anything about ARP if trying to
usefully reply.  *grin*)


It may or may not be related, but I received the following at almost the
same time:

06:24:48.393568 cvg-65-27-249-157.cinci.rr.com.1026 > adsl-66-136-7-250.dsl.hstntx.swbell.net.netbios-ns: udp 50

...I can only guess that that's a hacker trying to probe my system; they
shouldn't get far since ~everything is turned off (and to the best of my
knowledge, I don't have anything to do with NetBIOS).  Nonetheless, the
relative concurrence with the above, odd-seeming (to me) "who-has" query
may suggest a relation between the two events.


I'm mostly curious as to the meaning of this.  I figure that NetBSD is
reasonably secure and I don't have any services enabled but ssh (and
lpr/lpd---but that's blocked with hosts.lpd so that clients have to come
from my LAN).  If this were a concerted attack, I'd probably see a lot
more activity over the DSL.


  ``I probably don't know what I'm talking about.'' --rauch@math.rice.edu
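As an added check that is not part of this thread: a small Python parser for tcpdump's ARP summary lines that flags requests where the queried address and the "tell" address coincide (a host announcing or probing its own address, so-called gratuitous ARP, which is what the line quoted above shows) and tallies which addresses each sender asks about. The sample capture is constructed; only its first line is the one from the post, the rest use documentation addresses.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One tcpdump ARP-request summary line, e.g.
# "06:24:58.854518 arp who-has <target> tell <sender>"
ARP_REQ = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")


@dataclass
class ArpRequest:
    ts: str
    target: str   # address being looked up ("who-has")
    sender: str   # address the answer should go to ("tell")

    @property
    def gratuitous(self) -> bool:
        # Asking for its own address: the host is announcing or probing
        # its address (gratuitous ARP), not resolving a peer.
        return self.target == self.sender


def parse_arp_request(line: str) -> Optional[ArpRequest]:
    """Parse a who-has line; return None for replies and non-ARP traffic."""
    m = ARP_REQ.match(line.strip())
    return ArpRequest(m["ts"], m["target"], m["sender"]) if m else None


def analyze(capture: str) -> Dict[str, object]:
    """Split a capture into gratuitous requests and who-asks-for-what."""
    gratuitous: List[ArpRequest] = []
    targets_per_sender: Dict[str, Set[str]] = defaultdict(set)
    for line in capture.splitlines():
        req = parse_arp_request(line)
        if req is None:
            continue
        if req.gratuitous:
            gratuitous.append(req)
        else:
            targets_per_sender[req.sender].add(req.target)
    return {"gratuitous": gratuitous, "targets_per_sender": dict(targets_per_sender)}


# Constructed sample: first line is the one quoted in the post, the rest
# are invented and use documentation addresses (192.0.2.0/24).
SAMPLE = """\
06:24:58.854518 arp who-has adsl-66-136-7-253.dsl.hstntx.swbell.net tell adsl-66-136-7-253.dsl.hstntx.swbell.net
06:24:48.393568 cvg-65-27-249-157.cinci.rr.com.1026 > adsl-66-136-7-250.dsl.hstntx.swbell.net.netbios-ns: udp 50
06:25:01.000000 arp who-has 192.0.2.10 tell 192.0.2.1
06:25:01.100000 arp who-has 192.0.2.11 tell 192.0.2.1
06:25:02.000000 arp reply 192.0.2.10 is-at 00:00:5e:00:53:01
"""
```

Feed it a real capture with `analyze(open("arp.txt").read())`; one sender asking for many targets in a short window is the pattern worth a closer look, a single self-directed request usually is not.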