Security Incidents mailing list archives

Personal stats on satx.rr.com ARP traffic


From: Richard Bejtlich <richard () taosecurity com>
Date: Tue, 07 Aug 2001 22:29:26 -0500

Hi all,

Code Red continues to amaze. First I was surprised by the hundreds of individual IPs scanning my single, no-web-server IP (about 700/day the last three days). Now I'm floored by the ARP traffic. First I collected 1000 ARP packets to see how fast they were arriving:

21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
....continues...
21:59:38.586001 arp who-has 24.162.169.18 tell 24.162.168.1
21:59:38.806825 arp who-has 24.167.112.82 tell 24.167.112.1
21:59:38.870976 arp who-has 24.162.168.83 tell 24.162.168.1

That's roughly 1000 ARP requests in one minute 1 second, or 16.4 ARP requests per second.

Then I collected 10000 ARP packets to see how the longer timespan fared:

22:00:42.877487 arp who-has 24.28.153.143 tell 24.28.153.1
22:00:42.915864 arp who-has 24.162.170.86 tell 24.162.170.1
22:00:43.086824 arp who-has 24.160.136.166 tell 24.160.136.1
22:00:43.143667 arp who-has 24.167.112.235 tell 24.167.112.1
...continues...
22:11:30.739916 arp who-has 24.28.153.98 tell 24.28.153.1
22:11:30.868589 arp who-has 24.160.159.67 tell 24.160.158.1
22:11:31.031757 arp who-has 24.167.113.210 tell 24.167.112.1

That session showed 10000 ARP requests in 10 minutes 48 seconds, or 15.4 ARP requests per second.

I've never seen anything like this.

Richard
http://taosecurity.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
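
Added example, not part of the original post: a Python sketch that computes the ARP request rate from tcpdump lines like those quoted above and counts which "tell" addresses issue the requests. The function names and the total_packets parameter are assumptions made for illustration; SAMPLE holds only the lines the post shows, so the full packet count is passed in separately.

```python
import re
from collections import Counter
from datetime import timedelta

# tcpdump prints no date here: HH:MM:SS.micro arp who-has <target> tell <sender>
ARP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) arp who-has (\S+) tell (\S+)$")

# First and last lines of the 1000-packet capture quoted in the post.
SAMPLE = """\
21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
....continues...
21:59:38.586001 arp who-has 24.162.169.18 tell 24.162.168.1
21:59:38.806825 arp who-has 24.167.112.82 tell 24.167.112.1
21:59:38.870976 arp who-has 24.162.168.83 tell 24.162.168.1
"""

def parse_arp_lines(text):
    """Yield (time_of_day, target_ip, sender_ip) for each ARP request line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # skips elision markers and blank lines
        h, mi, s, us = (int(g) for g in m.groups()[:4])
        yield timedelta(hours=h, minutes=mi, seconds=s, microseconds=us), m.group(5), m.group(6)

def arp_stats(text, total_packets=None):
    """Return (elapsed_seconds, requests_per_second, Counter of senders).

    total_packets (assumed parameter) replaces the parsed line count when the
    capture is elided and only its first and last lines are available.
    """
    rows = list(parse_arp_lines(text))
    if len(rows) < 2:
        raise ValueError("need at least two ARP request lines")
    elapsed = rows[-1][0] - rows[0][0]
    if elapsed < timedelta(0):
        elapsed += timedelta(days=1)  # capture crossed midnight
    seconds = elapsed.total_seconds()
    if seconds == 0:
        raise ValueError("first and last timestamps are identical")
    count = len(rows) if total_packets is None else total_packets
    return seconds, count / seconds, Counter(sender for _, _, sender in rows)

if __name__ == "__main__":
    secs, rate, senders = arp_stats(SAMPLE, total_packets=1000)
    print(f"{secs:.1f} s, {rate:.1f} ARP requests/s, top senders: {senders.most_common(2)}")
```
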

