Security Incidents mailing list archives

Strange ARP scan...


From: Chris Hobbs <chobbs () SILVERVALLEY K12 CA US>
Date: Tue, 13 Mar 2001 10:42:28 -0800

A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my
network with ARP requests this morning. The ARP requests appeared to be
covering the entire 10.0.0.0/8 address space, and appeared, from my
capture, to be organized. /24 ranges were scanned alternately in
ascending and descending order. Here's a sample of the packets (from
Etherpeek):

108     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.50 = ?
109     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.51 = ?
110     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.52 = ?
111     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.53 = ?
112     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.54 = ?
113     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.55 = ?
114     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req 10.42.188.56 = ?
115     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req 10.42.185.128 = ?
116     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req 10.42.185.127 = ?
117     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req 10.42.185.126 = ?
118     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req 10.42.185.125 = ?
119     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req 10.42.185.124 = ?
120     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req 10.42.185.123 = ?
121     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req 10.42.185.122 = ?

I've not had a chance to scour the box yet for incriminating evidence -
I'm hoping something could have just broke to cause this, but that's not
what my gut is telling me :/ A panicked reboot stopped the immediate
problem. Any suggestions would be appreciated.

--
Chris Hobbs       Silver Valley Unified School District
Head geek:              Technology Services Coordinator
webmaster:    http://www.silvervalley.k12.ca.us/chobbs/
postmaster:               chobbs () silvervalley k12 ca us
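
Added example, not part of the original post: a small detector for the pattern described above, which groups each source MAC's ARP requests into runs of adjacent targets within one /24 and flags runs aimed outside the local prefix. The record layout follows the Etherpeek text export quoted in the post; the function name, the run-length threshold and the report fields are this example's own assumptions.

```python
import ipaddress
import re

# Six records copied from the capture in the post (whitespace collapsed).
SAMPLE = """\
112 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.54 = ?
113 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.55 = ?
114 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.56 = ?
115 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.128 = ?
116 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.127 = ?
117 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.126 = ?
"""

RECORD = re.compile(
    r"\d+\s+((?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+Ethernet Broadcast\s+\d+\s+"
    r"[\d:.]+\s+ARP Req\s+(\d+(?:\.\d+){3})\s+=\s+\?", re.I)

def find_sweeps(text, local_net="10.168.12.0/22", min_run=3):
    """Split each source MAC's ARP targets into runs of adjacent addresses
    (constant step of +1 or -1 inside one /24) and report the long runs."""
    local = ipaddress.ip_network(local_net)
    runs = {}  # source MAC -> list of runs, each a list of int targets
    for mac, target in RECORD.findall(text):
        ip = int(ipaddress.ip_address(target))
        src = runs.setdefault(mac.upper(), [])
        run = src[-1] if src else None
        if run and ip >> 8 == run[-1] >> 8 and ip - run[-1] in (1, -1) \
                and (len(run) == 1 or ip - run[-1] == run[-1] - run[-2]):
            run.append(ip)
        else:
            src.append([ip])
    report = []
    for mac, src in runs.items():
        for run in (r for r in src if len(r) >= min_run):
            first = ipaddress.ip_address(run[0])
            report.append({
                "mac": mac, "first": str(first),
                "last": str(ipaddress.ip_address(run[-1])), "count": len(run),
                "direction": "ascending" if run[1] > run[0] else "descending",
                # A host only ARPs for addresses it treats as on-link, so
                # targets outside the LAN prefix are the anomaly to alert on.
                "off_subnet": first not in local,
            })
    return report

if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE):
        print(sweep)
```

The pattern accepts records whether or not the target address has wrapped onto the next line, so a pasted capture can be fed in as-is.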

