Re: ARP broadcasts

From: ___cliff rayman___ (cliff@genwax.com)
Date: 08/07/01


Message-ID: <3B7032CF.5C9AAE2E@spamless.genwax.com>
Date: Tue, 07 Aug 2001 11:26:23 -0700
From: ___cliff rayman___ <cliff@genwax.com>
To: Michael McDonnell <lists@winterstorm.org>, Focus IDS <FOCUS-IDS@securityfocus.com>
Subject: Re: ARP broadcasts

i think this is actually roadrunner's doing. not sure
what they are trying to do, but i contacted them about
the arp flood - thought it was a misconfigured server - and
they said they were doing something to stamp out viruses.

this is not a natural phenomenon. if you analyze the dump,
you will see that the same addresses are repeated over and over
again within a very short period of time. i think their servers are
purposefully emitting this arp traffic in a steady stream.

Michael McDonnell wrote:

> Subba Rao wrote:
>
> > My tcpdump logs show lots of ARP requests. Is this ARP broadcast storm only a
> > natural growth of the ISP's network? Apart from using ARP packets to spoof MAC
> > addresses, is there anything more sinister that ARP packets can do?
>
> I've noticed this too on my cable modem. A few others have reported it. This is
> most likely a side-effect of code-red scans. Codered is scanning random IP
> addresses and a lot of those are cable modem addresses. When codered wants to
> connect to an UNUSED IP, a router for the cable modem provider will find that there
> is no entry in its arp table for that IP and will send out a "who-has" query to the
> entire cable modem neighborhood.
>
> Someone on the "incidents" list pointed out that this is a great way to find out how
> many people your ISP has put in your cable modem "neighborhood". Just watch all the
> flood of arps that codered scans are generating.
>
> I've found I'm getting a codered scan against my firewall (connected to a cable
> modem) every 30 seconds. Since late last week the amount of arp traffic has
> increased dramatically... a steady flood of arp "who has" requests is coming
> non-stop.
>
> > ----------------------
> > 07:20:14.124152 arp who-has 24.36.122.168 tell 24.36.122.1
> > 07:20:14.240863 arp who-has 24.182.96.91 tell 24.182.96.1
> > 07:20:14.337166 arp who-has 24.36.122.143 tell 24.36.122.1
> > 07:20:14.468376 arp who-has 24.36.122.38 tell 24.36.122.1
> > 07:20:14.688178 arp who-has 65.10.193.98 tell 65.10.193.1
> > 07:20:15.118119 arp who-has 24.253.24.253 tell 24.253.24.129
> > 07:20:15.204454 arp who-has 24.182.96.105 tell 24.182.96.1
> > 07:20:15.851843 arp who-has 24.36.122.212 tell 24.36.122.1
> > 07:20:15.981014 arp who-has 24.36.122.246 tell 24.36.122.1
> > 07:20:16.119834 arp who-has 24.15.169.116 tell 24.15.169.1
> > 07:20:16.208952 arp who-has 24.36.122.126 tell 24.36.122.1
> > 07:20:16.317184 arp who-has 65.10.193.87 tell 65.10.193.1
> > 07:20:16.360395 arp who-has 24.182.96.115 tell 24.182.96.1
> > 07:20:16.391279 arp who-has 24.182.96.23 tell 24.182.96.1
> > 07:20:16.418775 arp who-has 24.15.169.65 tell 24.15.169.1
> > 07:20:16.429094 arp who-has 65.10.193.44 tell 65.10.193.1
> > 07:20:16.449037 arp who-has 24.15.169.120 tell 24.15.169.1
> > 07:20:17.124341 arp who-has 24.36.122.168 tell 24.36.122.1
> > 07:20:17.181666 arp who-has 24.253.24.153 tell 24.253.24.129
> > 07:20:17.233632 arp who-has 24.182.96.92 tell 24.182.96.1
> > 07:20:17.308187 arp who-has 24.182.96.116 tell 24.182.96.1
> > 07:20:17.420830 arp who-has 65.10.193.119 tell 65.10.193.1
> > 07:20:17.627099 arp who-has 65.10.193.74 tell 65.10.193.1
> > ----------------------
> >
> > My modem lights are too active and I thought it was some traffic coming in or
> > going out. But it is only ARP. How could ARP packets help with the investigation
> > of a security incident?
> >
> > Thank you in advance.
> > --
> >
> > Subba Rao
> > subba9@home.com
> > http://members.home.net/subba9/
> >
> > GPG public key ID 27FC9217
> > Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/
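As an added example, not part of the thread or anyone's posted code, the script below does the analysis cliff suggests on the tcpdump lines quoted above: it parses `arp who-has X tell Y` requests, flags targets that are queried repeatedly within a short window (the "same addresses repeated over and over"), and tallies distinct targets per requesting router (the `tell` address), which is the neighborhood estimate Michael mentions. The sample input is the excerpt quoted in the thread; the function names, the 5-second window and the 2-request threshold are my assumptions, not anything the thread specifies.

```python
"""Summarise ARP who-has traffic from tcpdump text output.

Assumed input format is tcpdump's default ARP line, e.g.
    07:20:14.124152 arp who-has 24.36.122.168 tell 24.36.122.1
Lines that do not match (ARP replies, IP traffic) are ignored.
"""
import re
from collections import defaultdict

# Sample input: the ARP excerpt quoted in the thread (not a live capture).
SAMPLE_DUMP = """\
07:20:14.124152 arp who-has 24.36.122.168 tell 24.36.122.1
07:20:14.240863 arp who-has 24.182.96.91 tell 24.182.96.1
07:20:14.337166 arp who-has 24.36.122.143 tell 24.36.122.1
07:20:14.468376 arp who-has 24.36.122.38 tell 24.36.122.1
07:20:14.688178 arp who-has 65.10.193.98 tell 65.10.193.1
07:20:15.118119 arp who-has 24.253.24.253 tell 24.253.24.129
07:20:15.204454 arp who-has 24.182.96.105 tell 24.182.96.1
07:20:15.851843 arp who-has 24.36.122.212 tell 24.36.122.1
07:20:15.981014 arp who-has 24.36.122.246 tell 24.36.122.1
07:20:16.119834 arp who-has 24.15.169.116 tell 24.15.169.1
07:20:16.208952 arp who-has 24.36.122.126 tell 24.36.122.1
07:20:16.317184 arp who-has 65.10.193.87 tell 65.10.193.1
07:20:16.360395 arp who-has 24.182.96.115 tell 24.182.96.1
07:20:16.391279 arp who-has 24.182.96.23 tell 24.182.96.1
07:20:16.418775 arp who-has 24.15.169.65 tell 24.15.169.1
07:20:16.429094 arp who-has 65.10.193.44 tell 65.10.193.1
07:20:16.449037 arp who-has 24.15.169.120 tell 24.15.169.1
07:20:17.124341 arp who-has 24.36.122.168 tell 24.36.122.1
07:20:17.181666 arp who-has 24.253.24.153 tell 24.253.24.129
07:20:17.233632 arp who-has 24.182.96.92 tell 24.182.96.1
07:20:17.308187 arp who-has 24.182.96.116 tell 24.182.96.1
07:20:17.420830 arp who-has 65.10.193.119 tell 65.10.193.1
07:20:17.627099 arp who-has 65.10.193.74 tell 65.10.193.1
"""

ARP_REQ = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) arp who-has (\S+) tell (\S+)$")


def parse_arp_requests(text):
    """Return a list of (seconds_since_midnight, target_ip, asking_ip) tuples."""
    requests = []
    for line in text.splitlines():
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # replies and non-ARP lines are not requests
        hh, mm, ss, target, asker = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        requests.append((t, target, asker))
    return requests


def repeated_targets(requests, window=5.0, min_count=2):
    """Targets asked for at least min_count times inside any window of `window` seconds.

    Returns {target_ip: max requests seen within one window}. A steady
    stream re-asking the same address every few seconds shows up here,
    while a single unanswered query (one who-has, then silence) does not.
    """
    times_by_target = defaultdict(list)
    for t, target, _ in requests:
        times_by_target[target].append(t)
    hits = {}
    for target, times in times_by_target.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            hits[target] = best
    return hits


def targets_per_asker(requests):
    """Distinct targets queried by each asking (router) address.

    Each asker is a provider router probing its own subnet, so the number
    of distinct targets it asks for is a lower bound on how many
    addresses are being swept in that neighbourhood.
    """
    seen = defaultdict(set)
    for _, target, asker in requests:
        seen[asker].add(target)
    return {asker: len(targets) for asker, targets in seen.items()}


def request_rate(requests):
    """Average who-has requests per second across the capture (0 if too short)."""
    if len(requests) < 2:
        return 0.0
    span = max(t for t, _, _ in requests) - min(t for t, _, _ in requests)
    return len(requests) / span if span > 0 else 0.0


if __name__ == "__main__":
    reqs = parse_arp_requests(SAMPLE_DUMP)
    print(f"{len(reqs)} who-has requests, {request_rate(reqs):.1f}/s")
    print("re-asked within 5s:", repeated_targets(reqs))
    print("distinct targets per asking router:", targets_per_asker(reqs))
```

To run it on a live capture rather than the embedded sample, feed the script the output of `tcpdump -n arp` (the `-n` keeps addresses numeric so the regex matches). On the thread's excerpt the only target re-asked within five seconds is 24.36.122.168, which is asked at 07:20:14 and again at 07:20:17, so the excerpt by itself is too short to confirm the "steady stream" cliff describes; a capture of a few minutes is needed to tell an ordinary retry from a sustained flood.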


