[Dshield] Unexpected ARP traffic on my internal network

Flood Randy Capt AFCA/TCAA randy.flood at scott.af.mil
Wed Oct 24 13:45:07 GMT 2001


If this is an external threat that is getting through your firewall,
then if you unplug your firewall's internet connection for two minutes,
you should expect this to stop.  Try that and see if it continues.


-----Original Message-----
From: Kevin Little [mailto:kevin.little2 at verizon.net]
Sent: Tuesday, October 23, 2001 12:56 PM
To: dshield at dshield.org
Subject: [Dshield] Unexpected ARP traffic on my internal network


I have an SMC Barricade firewall guarding my home network (connected via
Verizon cable modem), which includes a RH Linux server on which I'm
running tcpdump and seeing what appears to be spoofed ARP requests that
seem to make it through my firewall and reference IP addresses assigned
to DHCP, which neither of my local machines is using.

I wish I could come up with more info to report on this, but my firewall
doesn't log anything that corresponds to the timing of what I see on Linux
tcpdump, where I see a steady 'heartbeat', where every 30 or 60 seconds,
I'll see...

Every 30-60 seconds, do..
  my router asks for ARP for unknown address.
  1 second wait.
  my router broadcasts bootp


For the attached tcpdump, 
my router = 192.168.1.254
my windows box = 192.168.1.103 (DHCP assigned)
my linux box = 192.168.1.2 (fixed)

possible intruders spoofed ips = 192.168.1.104, 192.168.1.106

I initially noticed the intruder using port 188, and I reduced the range
of available DHCP addresses, reset my firewall, and saw probes occurring
near the top of the range of whatever IPs I allocated to DHCP.  Either I
am dense and this is some normal part of DHCP protocol that I fail to
understand (like it verifies whether addresses in its assigned range are
in use... but why all night long at 1 minute intervals for the same
address and not the full DHCP range?), or it's what it looks like and
someone is getting through my firewall and I don't have much of a log to
show for it.  Well, I have more detailed logs, I have logs showing these
ARP requests occurring all night long last night, at 1 minute intervals,
I just sent the short one to summarize the sequence.

Kevin Little
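An added example, not from either poster, that screens a tcpdump text capture for the sequence Kevin describes: the router ARPs for an address that has no live lease, broadcasts BOOTP within a second or two, and repeats at a steady 30-60 second period. The sample lines, the router address (192.168.1.254) and the live-lease set ({192.168.1.103}) are constructed to match his description; the interval list is what you would line up against the firewall's own DHCP lease log to decide whether this is lease maintenance or something else.

```python
import re

# Constructed sample in tcpdump's classic text format (not the poster's real
# attachment): 192.168.1.254 is the router, .103 the only live DHCP lease.
SAMPLE = """\
00:00:01.000 arp who-has 192.168.1.104 tell 192.168.1.254
00:00:02.010 192.168.1.254.67 > 255.255.255.255.68: xid:0x1a2b [|bootp]
00:00:31.000 arp who-has 192.168.1.104 tell 192.168.1.254
00:00:32.005 192.168.1.254.67 > 255.255.255.255.68: xid:0x1a2c [|bootp]
00:00:40.000 arp who-has 192.168.1.103 tell 192.168.1.2
00:01:01.000 arp who-has 192.168.1.106 tell 192.168.1.254
00:01:02.020 192.168.1.254.67 > 255.255.255.255.68: xid:0x1a2d [|bootp]
"""

ARP_RE = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)")
BOOTP_RE = re.compile(r"^(\S+) (\S+)\.67 > 255\.255\.255\.255\.68: .*bootp")


def parse_ts(text):
    # tcpdump HH:MM:SS.ffffff timestamp -> seconds since midnight
    h, m, s = text.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_events(dump):
    """Reduce the dump to (time, kind, sender, arp_target) tuples."""
    events = []
    for line in dump.splitlines():
        if m := ARP_RE.match(line):
            events.append((parse_ts(m[1]), "arp", m[3], m[2]))
        elif m := BOOTP_RE.match(line):
            events.append((parse_ts(m[1]), "bootp", m[2], None))
    return events


def find_heartbeats(dump, router, live_leases, max_gap=2.0):
    """(time, ip) for each router ARP at a lease-less address followed by BOOTP."""
    events, hits = parse_events(dump), []
    for i, (t, kind, src, target) in enumerate(events):
        if kind != "arp" or src != router or target in live_leases:
            continue
        for t2, kind2, src2, _ in events[i + 1:]:
            if t2 - t > max_gap:
                break
            if kind2 == "bootp" and src2 == router:
                hits.append((t, target))
                break
    return hits


def periods(hits):
    """Seconds between consecutive hits; a steady 30-60 s is the 'heartbeat'."""
    return [round(b[0] - a[0], 3) for a, b in zip(hits, hits[1:])]
```

On the sample above the router line for 192.168.1.103 (a live lease, and asked for by the Linux box) is ignored, while the .104 and .106 probes each pair with a BOOTP broadcast and come 30 seconds apart.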
