[Dshield] Anyone seen
bjorn at thechemistrylab.com
Wed Feb 25 17:48:03 GMT 2004
Looks like Gaobot, I would double check to make sure that Windows is
fully patched and your a/v is fully updated, I suspect they really aren't up
Shouldn't ARP's be cached somewhat?
Taking a sniff at my ethernet traffic I see over a thousand ARP Requests per
minute, this to me sounds like something isn't configured correctly. It
seems the router keeps asking anew each time someone requests an IP. I know
that my machines do cache MAC Addresses, but why wouldn't the main switch
for a node cache the MAC addresses of all the machines it routes to?
It's especially bad when all these worms conduct massive IP Scans. Taking a
look at a random minute, I see 3-6 ARP Requests per IP address, many of them
less than a second apart. A cache timeout value of 1 minute would probably
reduce the ARP noise at least three-fold.
Is this a problem with the router not being configured correctly or is it
not feasible because of memory / processor limitations or is there some
other problem I'm not aware of?
Maybe someone can explain :)
::this is not a sig::
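
The estimate in the message above (3-6 requests per IP per minute against a 1 minute timeout) can be checked against a capture. The sketch below is an added example, not part of the original post: the log lines are constructed in the style of tcpdump text output, and it assumes the requester suppresses repeats for a target for the full timeout whether or not that target ever answered.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on tcpdump's text output for ARP requests.
SAMPLE = """\
17:48:00.100000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
17:48:00.700000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
17:48:01.200000 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28
17:48:20.000000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
17:48:45.500000 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28
17:48:59.900000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
17:49:05.000000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) ARP, Request who-has (\S+) tell (\S+),")

def parse(text):
    """Yield (seconds_since_midnight, requester, target) per ARP request line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, target, requester = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), requester, target

def requests_per_target(records):
    """Count observed requests per (requester, target) pair."""
    counts = defaultdict(int)
    for _, requester, target in records:
        counts[(requester, target)] += 1
    return dict(counts)

def with_timeout(records, timeout):
    """Count requests left if repeats within `timeout` seconds are suppressed.

    Assumption (not from the post): the timer starts at the last request
    that was actually sent, and applies even to targets that never reply.
    """
    last_sent = {}
    kept = 0
    for ts, requester, target in sorted(records):
        key = (requester, target)
        if key not in last_sent or ts - last_sent[key] >= timeout:
            last_sent[key] = ts
            kept += 1
    return kept

RECORDS = list(parse(SAMPLE))
```

Comparing `len(RECORDS)` with `with_timeout(RECORDS, 60)` gives the reduction factor for a capture; on real traffic, feed `parse` the saved text output of the sniffer instead of `SAMPLE`.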