[Dshield] Unexpected ARP traffic on my internal network

Kevin Little kevin.little2 at verizon.net
Tue Oct 23 17:55:55 GMT 2001


I have an SMC Barricade firewall guarding my home network (connected via
Verizon cable modem), which includes a RH Linux server on which I'm
running tcpdump and seeing what appears to be spoofed ARP requests that
seem to make it through my firewall and reference IP addresses assigned
to DHCP, which neither of my local machines is using.

I wish I could come up with more info to report on this, but my firewall
doesn't log anything that corresponds to the timing of what I see on Linux
tcpdump, where I see a steady 'heartbeat': every 30 or 60 seconds,
I'll see...

Every 30-60 seconds, do..
  my router asks for ARP for unknown address.
  1 second wait.
  my router broadcasts bootp


For the attached tcpdump, 
my router = 192.168.1.254
my windows box = 192.168.1.103 (DHCP assigned)
my linux box = 192.168.1.2 (fixed)

possible intruder's spoofed IPs = 192.168.1.104, 192.168.1.106

I initially noticed the intruder using port 188, and I reduced the range
of available DHCP addresses, reset my firewall, and saw probes occurring
near the top of the range of whatever IPs I allocated to DHCP.  Either I
am dense and this is some normal part of the DHCP protocol that I fail to
understand (like it verifies whether addresses in its assigned range are
in use... but why all night long at 1 minute intervals for the same
address and not the full DHCP range?), or it's what it looks like and
someone is getting through my firewall and I don't have much of a log to
show for it.  Well, I have more detailed logs; I have logs showing these
ARP requests occurring all night long last night, at 1 minute intervals.
I just sent the short one to summarize the sequence.

Kevin Little
Attached tcpdump output:
10:31:38.850000 192.168.1.254.67 > 255.255.255.255.68: xid:0x55607563 Y:192.168.1.106 S:192.168.1.254 [|bootp] (ttl 64, id 74)
			 4500 014d 004a 0000 4011 b6b0 c0a8 01fe
			 ffff ffff 0043 0044 0139 7ddf 0201 0600
			 5560 7563 0000 0000 0000 0000 c0a8 016a
			 c0a8 01fe 0000
10:31:41.190000 arp who-has 192.168.1.106 tell 192.168.1.254
			 0001 0800 0604 0001 0050 1800 0ffe c0a8
			 01fe 0000 0000 0000 c0a8 016a 0000 0000
			 0000 0000 0000 0000 0000 0000 0000
10:31:42.150000 192.168.1.254.67 > 255.255.255.255.68: xid:0xb939f8 Y:192.168.1.106 S:192.168.1.254 [|bootp] (ttl 64, id 75)
			 4500 014d 004b 0000 4011 b6af c0a8 01fe
			 ffff ffff 0043 0044 0139 9b9d 0201 0600
			 00b9 39f8 0000 0000 0000 0000 c0a8 016a
			 c0a8 01fe 0000
10:32:07.170000 arp who-has 192.168.1.104 tell 192.168.1.254
			 0001 0800 0604 0001 0050 1800 0ffe c0a8
			 01fe 0000 0000 0000 c0a8 0168 f20c 22dc
			 5010 4318 7b85 0000 76ed d5d9 8c52
10:32:08.150000 192.168.1.254.67 > 255.255.255.255.68: xid:0xc652ca52 Y:192.168.1.104 S:192.168.1.254 [|bootp] (ttl 64, id 76)
			 4500 014d 004c 0000 4011 b6ae c0a8 01fe
			 ffff ffff 0043 0044 0139 a098 0201 0600
			 c652 ca52 0000 0000 0000 0000 c0a8 0168
			 c0a8 01fe 0000
10:32:13.170000 arp who-has 192.168.1.104 tell 192.168.1.254
			 0001 0800 0604 0001 0050 1800 0ffe c0a8
			 01fe 0000 0000 0000 c0a8 0168 6ee9 d8b0
			 5010 244a e0c3 0000 c4f6 de53 6207
10:32:14.150000 192.168.1.254.67 > 255.255.255.255.68: xid:0xc652ca52 Y:192.168.1.104 S:192.168.1.254 [|bootp] (ttl 64, id 77)
			 4500 014d 004d 0000 4011 b6ad c0a8 01fe
			 ffff ffff 0043 0044 0139 a098 0201 0600
			 c652 ca52 0000 0000 0000 0000 c0a8 0168
			 c0a8 01fe 0000
10:32:19.280000 arp who-has 192.168.1.104 tell 192.168.1.254
			 0001 0800 0604 0001 0050 1800 0ffe c0a8
			 01fe 0000 0000 0000 c0a8 0168 0000 0000
			 0000 0000 0000 0000 0000 0000 0000
10:32:20.260000 192.168.1.254.67 > 255.255.255.255.68: xid:0xc652ca52 Y:192.168.1.104 S:192.168.1.254 [|bootp] (ttl 64, id 78)
			 4500 014d 004e 0000 4011 b6ac c0a8 01fe
			 ffff ffff 0043 0044 0139 a098 0201 0600
			 c652 ca52 0000 0000 0000 0000 c0a8 0168
			 c0a8 01fe 0000
10:32:25.290000 arp who-has 192.168.1.104 tell 192.168.1.254
			 0001 0800 0604 0001 0050 1800 0ffe c0a8
			 01fe 0000 0000 0000 c0a8 0168 2020 2020
			 2020 2020 2020 2020 2020 2020 2020
10:32:26.260000 192.168.1.254.67 > 255.255.255.255.68: xid:0xc652ca52 Y:192.168.1.104 S:192.168.1.254 [|bootp] (ttl 64, id 79)
			 4500 014d 004f 0000 4011 b6ab c0a8 01fe
			 ffff ffff 0043 0044 0139 a098 0201 0600
			 c652 ca52 0000 0000 0000 0000 c0a8 0168
			 c0a8 01fe 0000
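The hex dumps in the attachment decode with a few lines of Python. The script below is an added example, not part of Kevin's post or any tool he mentions; the function names are mine, and the two packets it parses are copied from the capture above (the first BOOTP reply and the 10:32:07 ARP request). Each BOOTP packet is a BOOTREPLY from 192.168.1.254:67 whose yiaddr is the address that the following ARP request asks for, and every ARP request carries the same sender MAC, 00:50:18:00:0f:fe; the bytes after the 28-byte ARP body differ from frame to frame because they are Ethernet minimum-frame padding, not protocol data.

```python
"""Decode tcpdump -x hex dumps of the BOOTP and ARP packets captured above.

tcpdump printed the bytes after the 14-byte Ethernet header, up to its
snapshot length: the 333-byte BOOTP replies are cut off after siaddr, and
the 28-byte ARP requests are followed by Ethernet minimum-frame padding.
"""
import struct
from ipaddress import IPv4Address

# Constructed input, copied from the capture in the post: the first BOOTP
# reply (10:31:38) and the ARP request at 10:32:07.
BOOTP_HEX = """
4500 014d 004a 0000 4011 b6b0 c0a8 01fe
ffff ffff 0043 0044 0139 7ddf 0201 0600
5560 7563 0000 0000 0000 0000 c0a8 016a
c0a8 01fe 0000
"""
ARP_HEX = """
0001 0800 0604 0001 0050 1800 0ffe c0a8
01fe 0000 0000 0000 c0a8 0168 f20c 22dc
5010 4318 7b85 0000 76ed d5d9 8c52
"""


def hex_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated tcpdump -x dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_arp(pkt: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP body (RFC 826); bytes past 28 are padding."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", pkt[8:28])
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": fmt_mac(sha),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": fmt_mac(tha),
        "target_ip": str(IPv4Address(tpa)),
        # Frames shorter than 60 bytes are padded by the sender; tcpdump shows
        # the padding, but it carries no ARP meaning.
        "padding_len": len(pkt) - 28,
    }


def decode_bootp(pkt: bytes) -> dict:
    """Parse IPv4 + UDP + the fixed BOOTP header (RFC 951) from a truncated capture."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("not UDP")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    bootp = pkt[ihl + 8:]
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", bootp[:12])
    out = {
        "src": f"{IPv4Address(pkt[12:16])}:{sport}",
        "dst": f"{IPv4Address(pkt[16:20])}:{dport}",
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, op),
        "xid": f"0x{xid:x}",
        "truncated": len(pkt) < total_len,  # snaplen cut the packet short
    }
    for i, name in enumerate(("ciaddr", "yiaddr", "siaddr", "giaddr")):
        field = bootp[12 + 4 * i:16 + 4 * i]
        # A field that did not fit in the snapshot is reported as None
        # rather than decoded from partial bytes.
        out[name] = str(IPv4Address(field)) if len(field) == 4 else None
    return out


if __name__ == "__main__":
    print(decode_bootp(hex_to_bytes(BOOTP_HEX)))
    print(decode_arp(hex_to_bytes(ARP_HEX)))
```

Running it against the other dumps in the attachment works the same way; the BOOTP options (which would show whether each reply is an OFFER or an ACK) were never captured because of the snapshot length, which is why `giaddr` comes back as None and `truncated` as True. A larger `-s` value on tcpdump would make that part of the packet available.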

