[Dshield] Anyone seen

Bjorn Stromberg bjorn at thechemistrylab.com
Wed Feb 25 17:48:03 GMT 2004

Original poster:

Looks like Gaobot, I would double check to make sure that Windows is
fully patched and your a/v is fully updated, I suspect they really aren't up
to date.

Shouldn't ARPs be cached somewhat?

Taking a sniff at my ethernet traffic I see over a thousand ARP Requests per
minute, this to me sounds like something isn't configured correctly. It
seems the router keeps asking anew each time someone requests an IP. I know
that my machines do cache MAC Addresses, but why wouldn't the main switch
for a node cache the MAC addresses of all the machines it routes to?

It's especially bad when all these worms conduct massive IP Scans. Taking a
look at a random minute, I see 3-6 ARP Requests per IP address, many of them
less than a second apart. A cache timeout value of 1 minute would probably
reduce the ARP noise at least three-fold.

Is this a problem with the router not being configured correctly or is it
not feasible because of memory / processor limitations or is there some
other problem I'm not aware of?

Maybe someone can explain :)

Bjorn Stromberg
::this is not a sig::
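
The per-IP counting described in the message above, as an added example that is not part of the original post: it parses tcpdump-style ARP request lines and estimates how many requests would remain if the requester suppressed repeats for the same target during a hold time. The sample capture, the addresses, the function names and the hold-down model are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the text format printed by `tcpdump -n arp`
# (documentation addresses, not data from the post).
SAMPLE = """\
17:40:00.100000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
17:40:00.900000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
17:40:05.000000 ARP, Request who-has 192.0.2.11 tell 192.0.2.1, length 46
17:40:05.500000 ARP, Request who-has 192.0.2.11 tell 192.0.2.1, length 46
17:40:10.000000 ARP, Request who-has 192.0.2.12 tell 192.0.2.1, length 46
17:40:20.000000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
17:40:30.000000 ARP, Request who-has 192.0.2.11 tell 192.0.2.1, length 46
17:41:05.000000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
"""

LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) ARP, Request who-has (\S+) tell (\S+?),"
)

def parse(text):
    """Return sorted (seconds, sender, target) tuples for ARP requests."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # replies and non-ARP lines are ignored
        h, mnt, s, target, sender = m.groups()
        # Seconds since midnight; a capture spanning midnight is not handled.
        events.append((int(h) * 3600 + int(mnt) * 60 + float(s), sender, target))
    return sorted(events)

def requests_per_target(events):
    """Count requests seen for each target IP."""
    return Counter(target for _, _, target in events)

def requests_with_hold(events, hold):
    """Requests left if each sender stayed quiet about a target for `hold` seconds."""
    last_sent, kept = {}, 0
    for t, sender, target in events:
        key = (sender, target)
        if key not in last_sent or t - last_sent[key] >= hold:
            last_sent[key] = t
            kept += 1
    return kept

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(requests_per_target(ev).most_common())
    print(len(ev), "requests,", requests_with_hold(ev, 60.0), "with a 60 s hold")
```

Run against a real capture by passing the saved text output of `tcpdump -n arp` to `parse()`; the ratio of the two totals is the estimated reduction for that hold time.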

