RE: Code Red, ARP and YOU!!

[Chad Loder <cloder () acm org>]

The ARPs are getting sent out directly from your
router(s), which is why you see them coming from
only those one or two IP addresses.

It's a result of Code Red II (or III or whatever the hell
they decided to call it) hitting lots of non-existent
addresses on your subnet. Each time you try to hit
a non-existent address, it causes the router to
ARP out and say "Hey, anyone have this address?"

I posted something about this to incidents () securityfocus com
over the weekend, so you might want to check the archives.
I'd give you the exact URL but the securityfocus.com
website seems to be down temporarily. The title of
the email was

"Code Red III - increased ARPing on shared segment broadband"

Cheers,
        Chad Loder
        Rapid 7, Inc.
        http://www.rapid7.com

At Wednesday 8/8/2001 12:28 PM -0500, you wrote:

> -----Original Message-----
> From: Mike Brown [mailto:mikebrown () cfl rr com]
> Sent: Sunday, August 05, 2001 11:29 PM
> Cc: recipient list not shown: ;
> Subject: Code Red, ARP and YOU!!
>
>
>
> This may be obvious to many, but it stumped me for 5 or 10 mins, so
> allow me to share.
>      Today after I got home from work I looked at my cable modem and
> it's data light was blinking like there was no tomorrow. My first
> thought, OMG I finally got hacked! And I'm part of a DDoS attack, Wohoo
> for me! "About time" I thought, now the fun part. How did they do it?
> Well sadly it wasn't to be. After Much looking I found that no programs
> where running that shouldn't and that there where no connection that
> didn't belong. So I fired up Ethereal and had it listen for 17 seconds.
> In those 17 seconds I recorded 474 packets coming and going from my pc.
> The fun part is 451 of them are ARP broadcasts. And all of them are
> coming from just 2 IP's.
>      My theory is that because on a cable modem network no one ever
> needs to contact any other host besides the router none of the hosts
> know the other IP's thus the flood of ARP requests.
>      Now the useful part. There was some talk about the moral
> implications of scanning others servers, especially from the ISP's side.
> They don't want to piss anyone off but they don't want to host the worm
> of the day. Well the really passive way to detect the Code Red worm of
> any version is to look for the exponential growth in ARP traffic on your
> network.
>      Now on my network the two offending IP's are 65.33.140.1  and
> 24.27.216.1  judging from the last octet they could be routers but the
> basic idea holds true, just look on the other side of the routers.
>      Now if I've missed something incredibly obvious (besides my
> spelling and mind) please pardon me, Mike the lowly Tier one tech
> support guy. But I think I've got something here. Is there any other
> reason to see dozens of ARP requests a second coming from the same host?
>
> - Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com