Security Incidents mailing list archives
Weird ARP Replies, maybe exploit?
From: "Marksteiner, Stefan" <stefan.marksteiner () joanneum at>
Date: Tue, 31 May 2005 17:45:11 +0200
Hi all, I have a series of weird ARP-Replies flooding our network. Although there seem (regarding to a sniffer-session via a mirror port) to be no ARP-Requests at all, several thousand Replies a day go from the MAC and IP (in both the Frame Header and Payload) of an Enterasys Vertical Horizon Switch Stack (which I'm almost sure it's not the true sender) to a Broadcast IP and MAC (also header & payload). Of course our IDS fires alarms all the time because a ARP-Reply to a Broadcast normally shouldn't occur. The most interesting thing is that there seem to be HTTP-Requests in the Padding (of course this really confuses me) of each frame. The HTTP-codes look like: "GET /mall/", "GET /mall/stuv", etc. which occasionally appear between non-printable code in the padding. It almost looks like some HTTP-packet was split and stuffed into the padding of the certainly false replies. Could this be part of an exploit or severe configuration fault? I'm grateful for any clues in this case. Sincerely, Steve
Current thread:
- Weird ARP Replies, maybe exploit? Marksteiner, Stefan (May 31)