Security Incidents mailing list archives
Re: Strange ARP scan...
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 14 Mar 2001 11:30:54 -0700
On Tue, 13 Mar 2001, Chris Hobbs wrote:

> A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my
> network with ARP requests this morning.

Just to be clear... this is your Linux box, or it's outside of your realm of responsibility?

> The ARP requests appeared to be covering the entire 10.0.0.0/8 address
> space, and appeared, from my capture, to be organized. /24 ranges were
> scanned alternately in ascending and descending order. Here's a sample
> of the packets (from Etherpeek):
>
> 108 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.50 = ?
I don't know of any particularly useful reason to do ARP scanning by itself. However, if the attacker's subnet mask indicates that those machines are on the same subnet, then it has to ARP for them before it can do any further communication. Did you see any ARP replies? If not, then the section you caught doesn't have any machines at those IP addresses, and you'd just see the ARP requests. Once it finds a machine, I suspect you'll see that it's trying to do some sort of port scan. So yes, I would assume that machine is compromised, and investigate as such. Is it, by chance, an unpatched Red Hat 6.0-7.0 machine?

Ryan
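Editor's note: the behaviour Ryan describes (one station broadcasting ARP requests for hosts well outside its own segment, ordered /24 by /24, with no replies coming back) is easy to pick out of a capture log mechanically. The following is an added example, not code from the original thread or from Etherpeek; it parses constructed log lines that imitate the Etherpeek columns shown above, then per source MAC counts distinct targets, how many /24s they span, how many of them ever answered, how many lie outside the local 10.168.12.0/22, and whether the per-/24 sweep direction alternates. The line format, the `min_targets` threshold and the sample lines are assumptions made for the example.

```python
"""Flag ARP-scanning stations in an Etherpeek-style packet log (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample imitating the columns in the post:
#   pkt#  src MAC  dst  len  time  ARP Req|Reply  ip ...
# The first station sweeps three /24s (asc, desc, asc) and gets no replies;
# the second is an ordinary lookup on the local segment that is answered.
SAMPLE = """\
100 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.101000 ARP Req 10.42.187.1 = ?
101 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.103000 ARP Req 10.42.187.2 = ?
102 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.105000 ARP Req 10.42.187.3 = ?
103 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.140000 ARP Req 10.42.188.254 = ?
104 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.142000 ARP Req 10.42.188.253 = ?
108 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.50 = ?
109 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.160000 ARP Req 10.42.189.1 = ?
110 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.162000 ARP Req 10.42.189.2 = ?
111 00:0C:29:11:22:33 Ethernet Broadcast 64 08:54:29.000000 ARP Req 10.168.12.7 = ?
112 00:50:56:AA:BB:CC 00:0C:29:11:22:33 64 08:54:29.001000 ARP Reply 10.168.12.7 = 00:50:56:AA:BB:CC
"""

# Assumed line layout: packet number, source MAC, anything, then "ARP Req|Reply <ip>".
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<src>[0-9A-Fa-f:]{17})\s+.*?\bARP (?P<op>Req|Reply)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(text):
    """Return (src_mac, op, ip) tuples in capture order; non-ARP lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["src"], m["op"], m["ip"]))
    return records


def scan_direction(targets):
    """'asc' or 'desc' if the ordered targets move monotonically, else 'mixed'."""
    hosts = [int(ip_address(t)) for t in targets]
    diffs = [b - a for a, b in zip(hosts, hosts[1:])]
    if diffs and all(d > 0 for d in diffs):
        return "asc"
    if diffs and all(d < 0 for d in diffs):
        return "desc"
    return "mixed"


def analyze(records, local_net="10.168.12.0/22", min_targets=5):
    """Per source MAC that ARPs for at least min_targets distinct hosts, summarise the sweep."""
    local = ip_network(local_net)
    answered_ips = {ip for _, op, ip in records if op == "Reply"}
    requests = defaultdict(list)  # src MAC -> targets, in capture order
    for src, op, ip in records:
        if op == "Req":
            requests[src].append(ip)

    findings = {}
    for src, targets in requests.items():
        distinct = set(targets)
        if len(distinct) < min_targets:
            continue  # normal ARP traffic, not a sweep
        order, per_subnet = [], defaultdict(list)
        for t in targets:
            net = ip_network(f"{t}/24", strict=False)
            if net not in per_subnet:
                order.append(net)
            per_subnet[net].append(t)
        directions = [scan_direction(per_subnet[n]) for n in order]
        alternating = len(directions) > 1 and all(
            a != b and "mixed" not in (a, b) for a, b in zip(directions, directions[1:])
        )
        findings[src] = {
            "targets": len(distinct),
            "subnets": len(order),
            "answered": len(distinct & answered_ips),       # 0 => nobody home, as Ryan notes
            "off_segment": sum(ip_address(t) not in local for t in distinct),
            "directions": directions,
            "alternating": alternating,
        }
    return findings


if __name__ == "__main__":
    for mac, f in analyze(parse(SAMPLE)).items():
        print(mac, f)
```

A station that ARPs for hundreds of off-segment addresses with nothing answering is the signature to look for; a station whose requests are mostly answered and stay inside the local /22 is just doing its job. If the netmask on the suspect box really is /8, every 10.x target is "on-link" from its point of view, which is exactly why you see ARP rather than routed traffic.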
Current thread:
- Strange ARP scan... Chris Hobbs (Mar 13)
- Re: Strange ARP scan... Ryan Russell (Mar 14)
- <Possible follow-ups>
- Re: Strange ARP scan... Justin Shore (Mar 14)