RE: Code Red, ARP and YOU!!

["Hoyt Plunkett" <hoyt () matmon com>]

Could this be related to a recent Bugtraq posting by Paul Starzetz?  Read
below:

> Hi ppl,

> It is time for a new ´nuke´ - ARPNuke.

> There is an ARP table handling bug in Microsoft Windows protocoll
> stacks. It seems that the arp handling code uses some inefficient data
> structure (maybe a simple linear table?) to manage the ARP entries.
> Sending a huge amount of ´random´ (that is random source IP and
> arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
> lock up. The machine wakes up after the packets stream has been stopped.
>
> The needed traffic is not really high: the attached ARPkill code will
> send an initial sequence of about 10000 ARP packets, then go to ´burst
> mode´ sending definable short burst of random ARP packets every 10 msec.
> The lockup occured at about 80kb/sec (seq about 45) on a PII/350.
>
> Even worse: it seems that is possible to kill a whole subnet using
> broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
> source IP.
>
>
> regards,
>
> Ihq.

Hoyt Plunkett
Development Technologist
Matmon Internet, Inc.
(501) 375-4999

###################################################
 PGP Public Key: http://www.phrenic.org/pgpkey.txt
###################################################

-----Original Message-----
From: Mike Brown [mailto:mikebrown () cfl rr com]
Sent: Sunday, August 05, 2001 11:29 PM
Cc: recipient list not shown: ;
Subject: Code Red, ARP and YOU!!



This may be obvious to many, but it stumped me for 5 or 10 mins, so
allow me to share.
     Today after I got home from work I looked at my cable modem and
it’s data light was blinking like there was no tomorrow. My first
thought, OMG I finally got hacked! And I’m part of a DDoS attack, Wohoo
for me! “About time” I thought, now the fun part. How did they do it?
Well sadly it wasn’t to be. After Much looking I found that no programs
where running that shouldn’t and that there where no connection that
didn’t belong. So I fired up Ethereal and had it listen for 17 seconds.
In those 17 seconds I recorded 474 packets coming and going from my pc.
The fun part is 451 of them are ARP broadcasts. And all of them are
coming from just 2 IP’s.
     My theory is that because on a cable modem network no one ever
needs to contact any other host besides the router none of the hosts
know the other IP’s thus the flood of ARP requests.
     Now the useful part. There was some talk about the moral
implications of scanning others servers, especially from the ISP’s side.
They don’t want to piss anyone off but they don’t want to host the worm
of the day. Well the really passive way to detect the Code Red worm of
any version is to look for the exponential growth in ARP traffic on your
network.
     Now on my network the two offending IP’s are 65.33.140.1  and
24.27.216.1  judging from the last octet they could be routers but the
basic idea holds true, just look on the other side of the routers.
     Now if I’ve missed something incredibly obvious (besides my
spelling and mind) please pardon me, Mike the lowly Tier one tech
support guy. But I think I’ve got something here. Is there any other
reason to see dozens of ARP requests a second coming from the same host?



- Mike




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com