Sudden flood of ARP messages?
From: Mark (mw@lanfear.com)
Date: 12/16/02
From: Mark <mw@lanfear.com> Date: Mon, 16 Dec 2002 19:42:08 GMT
Hi!
We've got a small office network here powered off a cable modem, and all
of a sudden, about four weeks ago, we started seeing a FLOOD of messages
over the broadband pipe along the following lines:
11:19:19.899826 xxx-yyy-zzz-aaa.client.ispdomain.com.1561 >
ns1.ispdomain.com.domain: 12223+ PTR? 1.32.41.24.in-addr.arpa. (41)
11:19:19.915665 arp who-has xxx-yyy-193-67.client.ispdomain.com tell
xxx-yyy-193-1.client.ispdomain.com
11:19:19.937462 ns1.ispdomain.com.domain >
xxx-yyy-zzz-aaa.client.ispdomain.com.1561: 12223* 1/3/3 (219) (DF)
11:19:19.938041 xxx-yyy-zzz-aaa.client.ispdomain.com.1562 >
ns1.ispdomain.com.domain: 12224+ PTR? 19.192.89.10.in-addr.arpa. (43)
11:19:19.979722 arp who-has xxx-yyy-2-214.client.ispdomain.com tell
xxx-yyy-0-1.client.ispdomain.com
11:19:19.993183 arp who-has 12-242-137-39.client.ispdomain.com tell
12-242-137-1.client.ispdomain.com
11:19:20.052911 arp who-has 10.111.149.5 tell 10.111.148.1
11:19:20.073396 ns1.ispdomain.com.domain >
xxx-yyy-zzz-aaa.client.ispdomain.com.1562: 12224 NXDomain* 0/1/0 (111)
(DF)
11:19:20.073930 xxx-yyy-zzz-aaa.client.ispdomain.com.1563 >
ns1.ispdomain.com.domain: 12225+ PTR? 1.192.89.10.in-addr.arpa. (42)
11:19:20.109727 ns1.ispdomain.com.domain >
xxx-yyy-zzz-aaa.client.ispdomain.com.1563: 12225 NXDomain* 0/1/0 (110)
(DF)
11:19:20.110268 xxx-yyy-zzz-aaa.client.ispdomain.com.1564 >
ns1.ispdomain.com.domain: 12226+ PTR? 36.13.yyy.xxx.in-addr.arpa. (43)
11:19:20.137672 ns1.ispdomain.com.domain >
xxx-yyy-zzz-aaa.client.ispdomain.com.1564: 12226* 1/2/2 (154) (DF)
11:19:20.138312 xxx-yyy-zzz-aaa.client.ispdomain.com.1565 >
ns1.ispdomain.com.domain: 12227+ PTR? 87.113.yyy.xxx.in-addr.arpa. (44)
11:19:20.160730 arp who-has xxx-yyy-2-122.client.ispdomain.com tell
xxx-yyy-0-1.client.ispdomain.com
11:19:20.167399 ns1.ispdomain.com.domain >
xxx-yyy-zzz-aaa.client.ispdomain.com.1565: 12227* 1/2/2 (156) (DF)
11:19:20.202656 arp who-has xxx-yyy-113-54.client.ispdomain.com tell
xxx-yyy-112-1.client.ispdomain.com
11:19:20.345410 arp who-has xxx-yyy-8-199.client.ispdomain.com tell
xxx-yyy-8-1.client.ispdomain.com
11:19:20.397293 arp who-has xxx-yyy-9-143.client.ispdomain.com tell
xxx-yyy-8-1.client.ispdomain.com
11:19:20.416626 arp who-has xxx-yyy-113-191.client.ispdomain.com tell
xxx-yyy-112-1.client.ispdomain.com
11:19:20.502566 arp who-has xxx-yyy-15-52.client.ispdomain.com tell
xxx-yyy-12-1.client.ispdomain.com
11:19:20.517250 arp who-has xxx-yyy-10-170.client.ispdomain.com tell
xxx-yyy-8-1.client.ispdomain.com
11:19:20.563100 arp who-has xxx-yyy-117-62.client.ispdomain.com tell
xxx-yyy-116-1.client.ispdomain.com
11:19:20.629353 arp who-has xxx-yyy-13-19.client.ispdomain.com tell
xxx-yyy-12-1.client.ispdomain.com
11:19:20.683987 arp who-has xxx-yyy-3-85.client.ispdomain.com tell
xxx-yyy-0-1.client.ispdomain.com
11:19:20.705031
There are literally dozens of these a second. Any idea what's up? Is
this the ISP installing new wonky tools, the ISP not knowing what it's
doing, or likely some hackers fiddling around looking for things to play
with?
Thanks,
Mark.
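Added example, not part of Mark's post: one way to triage a capture like the one above is to tally the ARP who-has requests by requesting host and measure their rate over the capture window. The sample lines and the example.net host names are constructed; the parser rejoins mail-wrapped tcpdump lines and tolerates a cut-off final record.

```python
import re
from collections import Counter

# Constructed sample in the wrapped tcpdump text format shown in the post.
SAMPLE = """\
11:19:19.915665 arp who-has host-193-67.client.example.net tell
host-193-1.client.example.net
11:19:19.937462 ns1.example.net.domain >
host-a.client.example.net.1561: 12223* 1/3/3 (219) (DF)
11:19:19.979722 arp who-has host-2-214.client.example.net tell
host-0-1.client.example.net
11:19:20.052911 arp who-has 10.111.149.5 tell 10.111.148.1
11:19:20.160730 arp who-has host-2-122.client.example.net tell
host-0-1.client.example.net
11:19:20.705031
"""

TS = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6})\b")
ARP = re.compile(r"\barp who-has (\S+) tell (\S+)")

def records(text):
    """Rejoin mail-wrapped lines: a record starts at each timestamp."""
    current = None
    for line in text.splitlines():
        if TS.match(line):
            if current is not None:
                yield current
            current = line.strip()
        elif current is not None and line.strip():
            current += " " + line.strip()
    if current is not None:
        yield current

def seconds(record):
    h, m, s, us = map(int, TS.match(record).groups())
    return h * 3600 + m * 60 + s + us / 1e6

def summarize(text):
    """Return (ARP requests per requester, ARP requests/second over the capture)."""
    by_requester = Counter()
    times = []
    for rec in records(text):
        times.append(seconds(rec))  # every record widens the time window
        m = ARP.search(rec)
        if m:
            by_requester[m.group(2)] += 1  # group 2 is the "tell" host
    span = times[-1] - times[0] if len(times) > 1 else 0.0
    total = sum(by_requester.values())
    return by_requester, (total / span if span > 0 else float(total))
```

Calling summarize() on a saved capture gives the per-requester counts and the overall request rate, which can be compared against a capture taken before the change in traffic.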