Code Red, ARP and YOU!!

From: Mike Brown (mikebrown@cfl.rr.com)
Date: 08/06/01 

Message-ID: <3B6E1D1A.DFE3B29E@cfl.rr.com>
Date: Mon, 06 Aug 2001 00:29:14 -0400
From: Mike Brown <mikebrown@cfl.rr.com>
Subject: Code Red, ARP and YOU!!

This may be obvious to many, but it stumped me for 5 or 10 mins, so
allow me to share.
     Today after I got home from work I looked at my cable modem and
it’s data light was blinking like there was no tomorrow. My first
thought, OMG I finally got hacked! And I’m part of a DDoS attack, Wohoo
for me! “About time” I thought, now the fun part. How did they do it?
Well sadly it wasn’t to be. After Much looking I found that no programs
where running that shouldn’t and that there where no connection that
didn’t belong. So I fired up Ethereal and had it listen for 17 seconds.
In those 17 seconds I recorded 474 packets coming and going from my pc.
The fun part is 451 of them are ARP broadcasts. And all of them are
coming from just 2 IP’s.
     My theory is that because on a cable modem network no one ever
needs to contact any other host besides the router none of the hosts
know the other IP’s thus the flood of ARP requests.
     Now the useful part. There was some talk about the moral
implications of scanning others servers, especially from the ISP’s side.
They don’t want to piss anyone off but they don’t want to host the worm
of the day. Well the really passive way to detect the Code Red worm of
any version is to look for the exponential growth in ARP traffic on your
network.
     Now on my network the two offending IP’s are 65.33.140.1 and
24.27.216.1 judging from the last octet they could be routers but the
basic idea holds true, just look on the other side of the routers.
     Now if I’ve missed something incredibly obvious (besides my
spelling and mind) please pardon me, Mike the lowly Tier one tech
support guy. But I think I’ve got something here. Is there any other
reason to see dozens of ARP requests a second coming from the same host?

- Mike

Relevant Pages

  • Re: Question about UdpClient
    ... it is my router gateway. ... Or use a network sniffing utility like Ethereal to watch what happens on the network in each case, in case you think it's actually sending some data. ... If this is indeed what it is doing, then wen you use an existing host, it will send out the ARP request and it should get a quick response OR -- and far more likely since you indicated it's your router/gateway -- is that it already has the IP -> MAC mapping stored in the ARP cache. ...
    (microsoft.public.dotnet.languages.csharp)
  • RE: mac to ip address tools
    ... Say host A on your net is trying to communicate with host B. Host A ... needs to know the MAC address for host B (or the MAC address for the ... ARP replies are no good for you - those are ... About 100 machines using the same MAC address: ...
    (Pen-Test)
  • Re: [2.4 PATCH] bugfix: ARP respond on all devices
    ... >ARP is designed to find the next hop on a LAN. ... If the host has an IP ... >to have a default gateway configured. ... >would anyone know where the packet came from since the network is not ...
    (Linux-Kernel)
  • RE: Using ARP to map a network
    ... destination IP hosts are on the same L2, and by definition, L3 network. ... host ARP table on NET X should only show entries for those machines on its ... same subnet the host had conversations with. ... Cisco's recommendation (from a security point of view) is to disable proxy ...
    (Pen-Test)
  • Re: traffic analysis
    ... "The server is on a /20-network, and this leads to high amounts of ... 140MB a day sounds a lot to me, and your host should not contribute a lot to this kind of "background traffic": ... ARP packets are sent on the local network only, ARP is used to maintain the arp table which matches hardware addresses and ip addresses. ... If your host's firewall does not drop packets to closed ports then it will send a response packet. ...
    (freebsd-questions)