Security Incidents mailing list archives
Code Red III - increased ARPing on shared segment broadband
From: Chad Loder <cloder () acm org>
Date: Sun, 05 Aug 2001 12:46:32 -0700
I posted this to Bugtraq last night but it got rejected. :P

Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTS<->headend router to ARP out to see who's got that address, you get the picture.

At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.

I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IPs which fall under their management) -- I wonder if ISPs are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.

Chad Loder
Rapid 7, Inc. - Next generation security products and services
http://www.rapid7.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
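One way to measure the ARP increase described in the post from a capture taken on the affected segment, as an added example that is not part of the original message: it counts, per minute, the who-has requests sent by the gateway and the distinct addresses asked for. The gateway address 10.0.0.1, the function names and the tcpdump-style sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# tcpdump -n ARP request line; the optional "(mac)" form is also accepted.
REQ = re.compile(
    r"^(\d\d:\d\d):\d\d\.\d+ ARP, Request who-has (\S+)(?: \(\S+\))? tell (\S+?),")

def arp_by_minute(lines, gateway):
    """Map HH:MM -> [request count, set of distinct targets] for who-has sent by gateway."""
    stats = defaultdict(lambda: [0, set()])
    for line in lines:
        m = REQ.match(line)
        if m and m.group(3) == gateway:
            stats[m.group(1)][0] += 1
            stats[m.group(1)][1].add(m.group(2))
    return stats

def surge_minutes(stats, threshold):
    """Minutes in which the gateway ARPed for at least `threshold` distinct addresses."""
    return {minute: len(targets)
            for minute, (count, targets) in sorted(stats.items())
            if len(targets) >= threshold}

def sample_capture():
    """Constructed capture (not from the post); 10.0.0.1 is an assumed gateway address."""
    lines = [
        "12:00:05.100000 ARP, Request who-has 10.0.0.23 tell 10.0.0.1, length 46",
        "12:00:40.000000 ARP, Request who-has 10.0.0.57 tell 10.0.0.1, length 46",
        "12:00:41.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.23, length 46",
        "12:00:50.000000 IP 10.0.0.23.1025 > 192.0.2.9.80: Flags [S], length 0",
    ]
    # Quiet minute above; below, one minute of ARPs for many distinct addresses,
    # each retried once, as when something scans addresses nobody holds.
    for i in range(101, 109):
        for sec in (2, 3):
            lines.append(f"12:01:{sec:02d}.{i:06d} ARP, Request who-has "
                         f"10.0.0.{i} tell 10.0.0.1, length 46")
    return lines

if __name__ == "__main__":
    stats = arp_by_minute(sample_capture(), "10.0.0.1")
    for minute, (count, targets) in sorted(stats.items()):
        print(minute, "requests:", count, "distinct targets:", len(targets))
    print("surge:", surge_minutes(stats, threshold=5))
```

The threshold is a tuning value: set it from the distinct-target count seen in a normal minute on the same segment.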