[unisog] arp broadcast traffic flooding
fooler at skyinet.net
Thu Sep 4 04:34:43 GMT 2003
----- Original Message -----
From: "Jordan Wiens" <jwiens at nersp.nerdc.ufl.edu>
To: "fooler" <fooler at skyinet.net>
Cc: <unisog at sans.org>
Sent: Thursday, September 04, 2003 11:33 AM
Subject: Re: [unisog] arp broadcast traffic flooding
> Most likely the result of many infected nachi hosts. It does lots and
> lots of ping sweeps continuously. Shutting it off temporarily won't stop
> it as it will keep going. We've had some fun and interesting arp storms
> and icmp flooding on various parts of campus as a result.
i see.. but what i did, i temporarily block all icmp packets and all udp
ports and do a tcpdump -n arp... but still, the arp broadcast traffic is
still there :-<
> You might have to look around to find the source of the ICMP packets that
> are causing the router to make the arp requests, but I can almost promise
> that you'll find them, and they'll be 92 bytes long.
> Jordan Wiens, CISSP
> UF Network Incident Response Team
> On Thu, 4 Sep 2003, fooler wrote:
> > hi all,
> > i have seen lately that there is a rampant arp broadcast traffic
flooding on my multiple networks in different locations... i tried to block
all kinds of icmp and all udp ports temporarily since this is the most
widely used for scanning a network... a couple of minutes blocking it
temporarily, the arp broadcast traffic is still there flooding it... i didnt
include tcp blocking because i dont think the rate of arp broadcast is fast
enough for a tcp transaction to do that... i tried to tcpdump and enabled
log_in_vain on freebsd to see if there is someone trying to port scan within
our network, unfortunately there is none...what i noticed is that, the
router is arping a lots of unlive ip addresses within that segment block..
for example, on an a.b.c.0/255.255.255.0 segment and there are only three
live ip addressses (eg. .1, .2 and .3), the router is arping from .4 to .254
randomly... the rate of arping of unlive ip addresses is 1 to 2 arp(s) per
second (tcpdump -n arp)...
> > what do you think of this guys? is this part of scanning? bugs on
the cisco router IOS? or the IOS is infected by a unknown exploitation?
> > my IOS version is 12.1(19)...
> > fooler.
More information about the unisog