Security Incidents mailing list archives
RE: A bit strange ARP queries
From: "Koike, Rafael Marcelino" <rafael.koike () siemens com>
Date: Wed, 21 Dec 2005 18:22:49 -0200
Where is this happening? LAN? Is the IP that is requesting the ARPs known to you?

What can be happening is a machine that is trying to flood the MAC table of the local switch and making the switch work like a hub; then the attacker can sniff the network and get the information that they want.

This can be a defective network card. (Less probable)

-----Original Message-----
From: Eygene A. Ryabinkin [mailto:rea () rea mbslab kiae ru]
Sent: Thursday, December 15, 2005 13:06
To: incidents () securityfocus com
Subject: A bit strange ARP queries

Good day!

Has anyone seen such ARP packets? I am a bit curious, because we have no strange hardware that will set the target hardware address in the who-has ARP packet. Are there any attacks that use such packets?

-----
15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell the-requester
15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) tell the-requester
15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:02.913314 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:03.915013 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:04.915854 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:25.962925 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:26.966171 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:26.991402 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:31:01.025945 arp who-has the-host-in-question (7:1c:c3:0:72:8c) tell the-requester
15:31:01.040650 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:32:01.308911 arp who-has the-host-in-question (4:f9:50:10:ff:ff) tell the-requester
15:32:01.319515 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:33:01.448065 arp who-has the-host-in-question (0:b0:2:0:25:f) tell the-requester
15:33:02.448924 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:33:02.573582 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:34:00.568785 arp who-has the-host-in-question (0:b0:2:0:25:f) tell the-requester
15:34:01.569537 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:34:01.625362 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:35:00.836038 arp who-has the-host-in-question (0:0:1f:0:a:c7) tell the-requester
15:35:00.956094 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:36:12.412916 arp who-has the-host-in-question (94:eb:ed:1a:71:fb) tell the-requester
15:36:12.423227 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
-----

'the-host-in-question' and 'the-requester' are, of course, IP addresses.

Thanks!
--
rea
BOFH excuse #158: Defunct processes
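A triage sketch for captures like the one quoted above, added here as an example and not part of either poster's message: it reads tcpdump text output and flags ARP requests that carry a filled-in target hardware address, with neutral notes on the bytes. The function names, the constructed sample lines and the choice to treat all-zero or broadcast filler as unremarkable are assumptions.

```python
import re
from collections import Counter

# Constructed sample, in the tcpdump text format quoted in the message above.
SAMPLE = """\
15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell the-requester
15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:02.913314 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell the-requester
15:30:26.991402 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
15:40:00.000001 arp who-has the-host-in-question tell the-requester
"""

# "who-has <target> [(<target hardware address>)] tell <sender>"
REQUEST = re.compile(
    r"^(?P<ts>\S+) arp who-has (?P<target>\S+)"
    r"(?: \((?P<tha>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\))?"
    r" tell (?P<sender>\S+)$")

# Assumption: all-zero or broadcast filler in the field is unremarkable.
UNREMARKABLE = {bytes(6), b"\xff" * 6}

def describe(mac):
    """Neutral observations about the bytes, useful when triaging."""
    notes = []
    if mac[0] & 1:
        notes.append("group (multicast) bit set")
    if all(32 <= b < 127 for b in mac):
        notes.append("printable ASCII %r" % mac.decode("ascii"))
    if all(b - a == 1 for a, b in zip(mac, mac[1:])):
        notes.append("consecutive byte values")
    return notes

def flag_requests(text):
    """Return ARP requests whose target hardware address is filled in."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.match(line.strip())
        if not m or m.group("tha") is None:
            continue  # replies, other traffic, requests with an empty field
        mac = bytes(int(part, 16) for part in m.group("tha").split(":"))
        if mac in UNREMARKABLE:
            continue
        findings.append({"ts": m.group("ts"), "sender": m.group("sender"),
                         "tha": ":".join("%02x" % b for b in mac),
                         "notes": describe(mac)})
    return findings

def per_sender(findings):
    # Count flagged requests by (sender, target hardware address).
    return Counter((f["sender"], f["tha"]) for f in findings)
```

Grouping by sender and address shows whether one requester keeps repeating the same value, which helps separate a single misbehaving host from many sources.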