Security Incidents mailing list archives

Code Red III - increased ARPing on shared segment broadband


From: Chad Loder <cloder () acm org>
Date: Sun, 05 Aug 2001 12:46:32 -0700

I posted this to Bugtraq last night but it
got rejected. :P

Anyways, if cable modem users are seeing
drastically increased ARPing, the targeting
of the Code Red III variant should explain
it -- hitting non-existent addresses on your
subnet will cause the CMTS<->headend router to
ARP out to see who's got that address, you get
the picture.

At the very least, it's a good opportunity for
users to see how many modems your provider has
packed onto your segment. If they've packed too
many on there, you can be sure the CMTS router's
going to get seriously bogged down.

I have an automated program which sends the IP
addresses to the ARIS list *and* to my ISP's
security department (those IPs which fall under
their management) -- I wonder if ISPs are
considering just dropping all packets from
infected hosts, so when the customer comes to
them and complains, they say "Oh, you're infected,
reboot, install the patch, and we'll reconnect
you."  Seems that this would reduce the load
on the CMTS and would be faster than trying to
track down each customer individually.

 Chad Loder
 Rapid 7, Inc. - Next generation security products and services
 http://www.rapid7.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
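
The ARP effect described in the post can be measured from a capture taken on the shared segment. The following is an added example, not part of the original post: it parses `tcpdump -n arp` style lines and flags minutes in which the router ARPs for many addresses that never show up on the wire, and it lists the hosts that were seen. The sample lines are constructed, and the 10.20.0.x addresses, the router address and the threshold are assumptions.

```python
import re
from collections import defaultdict

ROUTER = "10.20.0.1"  # assumed address of the CMTS/headend router on this segment

# Constructed `tcpdump -n arp` lines (not captured traffic): a quiet minute,
# then a minute in which the router ARPs for addresses nobody owns.
SAMPLE = [
    "12:46:01.100000 ARP, Request who-has 10.20.0.57 tell 10.20.0.1, length 46",
    "12:46:01.100400 ARP, Reply 10.20.0.57 is-at 00:10:95:aa:bb:01, length 46",
    "12:46:30.000000 ARP, Request who-has 10.20.0.1 tell 10.20.0.88, length 46",
] + [
    f"12:47:{s:02d}.000000 ARP, Request who-has 10.20.0.{200 + s} tell 10.20.0.1, length 46"
    for s in range(5)
]

REQ = re.compile(r"^(\d\d:\d\d):\S+ ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^(\d\d:\d\d):\S+ ARP, Reply (\S+) is-at ")


def analyze(lines, router=ROUTER, threshold=4):
    """Return (per-minute report, hosts seen on the segment besides the router)."""
    asked = defaultdict(set)  # minute -> addresses the router ARPed for
    live = set()              # addresses seen replying or sending requests
    for line in lines:
        if m := REQ.match(line):
            minute, target, sender = m.groups()
            live.add(sender)
            if sender == router:
                asked[minute].add(target)
        elif m := REP.match(line):
            live.add(m.group(2))
    report = {}
    for minute, targets in sorted(asked.items()):
        unanswered = targets - live  # never seen on the wire in this capture
        report[minute] = {
            "targets": len(targets),
            "unanswered": len(unanswered),
            "alert": len(unanswered) >= threshold,
        }
    return report, live - {router}


if __name__ == "__main__":
    report, hosts = analyze(SAMPLE)
    for minute, row in report.items():
        print(minute, row)
    print("hosts seen on segment:", sorted(hosts))
```

ARP replies are unicast, so a capture taken behind a subscriber's modem will usually show only the broadcast requests; from that vantage point the per-minute `targets` count is the figure to watch, and `unanswered` is reliable only where replies are also visible.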

