[Dshield] Anyone seen

Jon R. Kibler Jon.Kibler at aset.com
Wed Feb 25 16:59:46 GMT 2004


Jeff Kell wrote:
> 
> Jon R. Kibler wrote:
> 
> >> I started seeing ARP broadcast (from various IPs on my network)
> >> last week using ethereal.
> 
> > Also, the fact that you are seeing a lot of ARP packets is a MAJOR
> > RED FLAG of another problem -- you are using shared Ethernet -- which
> > is a MAJOR security risk. You really should replace all of your hubs
> > with switches -- or, at least in the future, only buy switches.
> 
> Not so fast.  Initial ARPs are broadcast (ff-ff-ff-ff-ff-ff) and will go
> to every host, even on a switch.  A switch or router may proxy a reply,
> but it is perfectly normal to hear broadcast ARPs.
> 
> Now if you receive *unicast* ARPs, or unsolicited unicast ARP replies,
> somebody on your segment is probably running ettercap or dsniff.
> 
> Jeff

Okay, you're right... I am just accustom to configuring switches to proxy all ARPs and forgot that some would let ARPs pass. I stand corrected.

However, I leave stand my statement that you should consider replacing all hubs with switches.


Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214





==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list