[Dshield] Anyone seen

Daugherty Bryan daugherty at uamont.edu
Wed Feb 25 21:01:27 GMT 2004


I checked each PC in question and they were in fact up to date.  I have been
successful in using SUS to push SPs and critical updates.  My AV console
allows me to manually push AV defs to those few PCs that might miss an auto
update.  I check for OS updates and AV updates several times a day.

I do see some similarities to Gaobot.  However, I would like to think my
virus engine would detect this by now.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of
Bjorn Stromberg
Sent: Wednesday, February 25, 2004 11:48 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Anyone seen

Original poster:

Looks like Gaobot. I would double-check to make sure that Windows is
fully patched and your A/V is fully updated; I suspect they really aren't up
to date.

THREAD HIJACK:
Shouldn't ARPs be cached somewhat?

Taking a sniff at my ethernet traffic, I see over a thousand ARP Requests per
minute. This to me sounds like something isn't configured correctly. It
seems the router keeps asking anew each time someone requests an IP. I know
that my machines do cache MAC addresses, but why wouldn't the main switch
for a node cache the MAC addresses of all the machines it routes to?

It's especially bad when all these worms conduct massive IP Scans. Taking a
look at a random minute, I see 3-6 ARP Requests per IP address, many of them
less than a second apart. A cache timeout value of 1 minute would probably
reduce the ARP noise at least three-fold.

Is this a problem with the router not being configured correctly or is it
not feasible because of memory / processor limitations or is there some
other problem I'm not aware of?

Maybe someone can explain :)

Bjorn Stromberg
::this is not a sig::

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list