Security Incidents mailing list archives
Strange ARP scan...
From: Chris Hobbs <chobbs () SILVERVALLEY K12 CA US>
Date: Tue, 13 Mar 2001 10:42:28 -0800
A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my network with ARP requests this morning. The ARP requests appeared to be covering the entire 10.0.0.0/8 address space, and appeared, from my capture, to be organized. /24 ranges were scanned alternately in ascending and descending order. Here's a sample of the packets (from Etherpeek):

108 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.50 = ?
109 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.51 = ?
110 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.52 = ?
111 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.53 = ?
112 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.54 = ?
113 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.55 = ?
114 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.56 = ?
115 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.128 = ?
116 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.127 = ?
117 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.126 = ?
118 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.125 = ?
119 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.124 = ?
120 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.123 = ?
121 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.122 = ?

I've not had a chance to scour the box yet for incriminating evidence - I'm hoping something could have just broke to cause this, but that's not what my gut is telling me :/

A panicked reboot stopped the immediate problem. Any suggestions would be appreciated.
--
Chris Hobbs Silver Valley Unified School District
Head geek: Technology Services Coordinator
webmaster: http://www.silvervalley.k12.ca.us/chobbs/
postmaster: chobbs () silvervalley k12 ca us
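A defender-side check for the pattern described in the post, as an added example that is not part of the original message: it parses capture lines in the layout shown, groups ARP requests by source MAC, and reports runs of consecutive targets (ascending or descending) along with how many targets fall outside the local subnet. The function names, the `min_run` threshold and the second host in the sample are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the capture's layout: eight targets from the excerpt, one invented on-link host.
SAMPLE = """\
108 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.50 = ?
109 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.51 = ?
110 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.52 = ?
111 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.53 = ?
115 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.128 = ?
116 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.127 = ?
117 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.126 = ?
118 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.125 = ?
200 00:10:5A:11:22:33 Ethernet Broadcast 64 08:54:29.000000 ARP Req 10.168.12.1 = ?
"""
LINE = re.compile(r"^\d+\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s.*ARP Req\s+([\d.]+)\s")

def parse(text):
    """Map each source MAC to its ARP request targets, in capture order."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            by_mac[m.group(1).upper()].append(ipaddress.IPv4Address(m.group(2)))
    return by_mac

def sweep_runs(targets):
    """Split targets into maximal runs stepping by +1 or -1: (first, last, step, length)."""
    runs, cur, step = [], [targets[0]], 0
    for ip in targets[1:]:
        delta = int(ip) - int(cur[-1])
        if delta in (1, -1) and step in (0, delta):
            cur, step = cur + [ip], delta
        else:
            runs.append((str(cur[0]), str(cur[-1]), step, len(cur)))
            cur, step = [ip], 0
    runs.append((str(cur[0]), str(cur[-1]), step, len(cur)))
    return runs

def assess(text, local_net="10.168.12.0/22", min_run=4):
    """Per MAC: request count, off-link target count, and sweep runs of at least min_run."""
    net = ipaddress.ip_network(local_net)
    report = {}
    for mac, targets in parse(text).items():
        runs = [r for r in sweep_runs(targets) if r[3] >= min_run]
        off_link = sum(ip not in net for ip in targets)
        report[mac] = {"requests": len(targets), "off_link": off_link,
                       "runs": runs, "suspect": bool(runs) and off_link > 0}
    return report
```

Calling `assess(SAMPLE)` returns one entry per source MAC; a step of `1` marks an ascending run and `-1` a descending one.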