[Dshield] Unexpected ARP traffic on my internal network

Pieter-Bas IJdens pbijdens at emea.mi4.org.uk
Wed Oct 24 11:39:35 GMT 2001


Hi Kevin,

Why not just configure your firewall machine to drop any packet that arrives
on the external interface and appears to have an internal address. There is
no reason why these packets should arrive at the external interface of the
firewall anyway, and it solves your problem of the spoofed packets.

Also, if you worry about kiddies, you may consider simply dropping all ICMP
packets. That way your host appears down for the scanners [the number of
attacks on my home network decreased rapidly after I decided to do this].

Anout the heartbeat packets, I have no clue unfortunately. If you are
interested in analysing your dump traces and learning what's normal, maybe
you should read http://www.securityfocus.com/infocus/1221 <Studying Normal
Network Traffic, Part *>.

  Pieter-Bas


----- Original Message -----
From: "Kevin Little" <kevin.little2 at verizon.net>
To: <dshield at dshield.org>
Sent: Tuesday, 23 October, 2001 19:55
Subject: [Dshield] Unexpected ARP traffic on my internal network


> I have an SMC Barricade firewall guarding my home network (connected via
> Verizon cable modem), which includes a RH Linux server on which I'm
> running tcpdump and seeing what appears to be spoofed ARP requests that
> seem to make it through my firewall and reference IP addresses assigned
> to DHCP, which neither of my local machines is using.
>
> I wish I could come up with more info to report on this, but my firewall
> doesnt log anything that correspond to the timing of what I see on Linux
> tcpdump, where I see a steady 'heartbeat', where every 30 or 60 seconds,
> I'll see...
>
> Every 30-60 seconds, do..
>   my router asks for ARP for unknown address.
>   1 second wait.
>   my router broadcasts bootp
>
>
> For the attached tcpdump,
> my router = 192.168.1.254
> my windows box = 192.168.1.103 (DHCP assigned)
> my linux box = 192.168.1.2 (fixed)
>
> possible intruders spoofed ips = 192.168.1.104, 192.168.1.106
>
> I initially noticed the intruder using port 188, and I reduced the range
> of available DHCP addresses, reset my firewall, and saw probes occuring
> near the top of the range of whatever IPs I allocated to DHCP.  Either I
> am dense and this is some normal part of DHCP protocol that I fail to
> understand (like it verifies whether addresses in its assigned range are
> in use... but why all night long at 1 minute intervals for the same
> address and not the full DHCP range?), or its what it looks like and
> someone is getting through my firewall and I don't have much of a log to
> show for it.  Well, I have more detailed logs, I have logs showing these
> ARP requests occuring all night long last night, at 1 minute intervals,
> I just sent the short one to summarize the sequence.
>
> Kevin Little






More information about the list mailing list