Security Incidents mailing list archives

Re: Strange ARP scan...


From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Wed, 14 Mar 2001 08:53:04 -0600

Chris,
     I'd be willing to bet you that this was an nmap ping scan (from your
local network obviously).  It produces very similar results.  I did this
just last week and created one helluva bcast storm thanks to our large,
flat network (roughly 2200 nodes, yes, that's just plain dumb).

$  nmap -sP 10.0.0.0/8

Now whether this is malicious or not, I can't say.  Another item that can
cause this is network printer admin tools.  The old HP Jet Admin app used
to do something this stupid too (maybe the newest one too).  Enterasys
has a TechTip about it.

http://www.enterasys.com/support/techtips/an0155-9.html

An unrelated note is that some ignorant printer admin tools send an SNMP
GetRequest to the bcast address.  That's just plain dumb.  Anyhow, hope
this helps some.

Justin

On 3/13/01 12:42 PM Chris Hobbs said...

A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my
network with ARP requests this morning. The ARP requests appeared to be
covering the entire 10.0.0.0/8 address space, and appeared, from my
capture, to be organized. /24 ranges were scanned alternately in
ascending and descending order. Here's a sample of the packets (from
Etherpeek):

108    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.50 = ?
109    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.51 = ?
110    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.52 = ?
111    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.53 = ?
112    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.54 = ?
113    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.55 = ?
114    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.56 = ?
115    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.128 = ?
116    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.127 = ?
117    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.126 = ?
118    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.125 = ?
119    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.124 = ?
120    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.123 = ?
121    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.122 = ?

I've not had a chance to scour the box yet for incriminating evidence -
I'm hoping something could have just broke to cause this, but that's not
what my gut is telling me :/ A panicked reboot stopped the immediate
problem. Any suggestions would be appreciated.

--
Chris Hobbs       Silver Valley Unified School District
Head geek:              Technology Services Coordinator
webmaster:    http://www.silvervalley.k12.ca.us/chobbs/
postmaster:               chobbs () silvervalley k12 ca us



--
Justin Shore, ES                Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.
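As an added example (not code from either poster), the heuristic below parses Etherpeek-style ARP Request records like the ones Chris quoted and flags a source MAC that asks for several addresses outside the local 10.168.12.0/22 within a short window, which is the signature of a sweep such as the nmap ping scan Justin describes. The thresholds, the second sample MAC and its record are assumptions.

```python
# Added example: ARP-sweep detector for two-line Etherpeek ARP Request records.
# Local subnet 10.168.12.0/22 comes from the thread; thresholds are assumptions.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four records copied from the thread plus one assumed
# local-subnet record (packet 200) that must NOT be flagged.
SAMPLE = """\
108    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.50 = ?
109    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.51 = ?
115    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.128 = ?
116    00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.127 = ?
200    00:11:22:33:44:55       Ethernet Broadcast      64      08:54:29.000000 ARP Req
10.168.12.7 = ?
"""

HEADER = re.compile(r"^\s*(\d+)\s+([0-9A-F:]{17})\s+Ethernet Broadcast\s+\d+\s+"
                    r"(\d\d:\d\d:\d\d\.\d+)\s+ARP Req", re.I)
TARGET = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*=\s*\?")

def parse_records(text):
    """Yield (src_mac, timestamp, target_ip) for each two-line ARP Request record."""
    lines = [l for l in text.splitlines() if l.strip()]
    for head, tail in zip(lines[::2], lines[1::2]):
        h, t = HEADER.match(head), TARGET.match(tail)
        if h and t:
            ts = datetime.strptime(h.group(3), "%H:%M:%S.%f")
            yield h.group(2).upper(), ts, ipaddress.ip_address(t.group(1))

def detect_arp_sweep(text, local_net="10.168.12.0/22", min_foreign=3, window_s=1.0):
    """Return {mac: (foreign_request_count, distinct_/24_count)} for every source
    that requested at least min_foreign addresses outside local_net within window_s."""
    net = ipaddress.ip_network(local_net)
    per_src = defaultdict(list)
    for mac, ts, ip in parse_records(text):
        if ip not in net:                      # only off-subnet targets are suspicious
            per_src[mac].append((ts, ip))
    findings = {}
    for mac, hits in per_src.items():
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(hits) >= min_foreign and span <= window_s:
            subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for _, ip in hits}
            findings[mac] = (len(hits), len(subnets))
    return findings

if __name__ == "__main__":
    for mac, (n, s) in detect_arp_sweep(SAMPLE).items():
        print(f"{mac}: {n} off-subnet ARP requests across {s} /24 ranges")
```

A real capture would be fed in whole; the /24 count distinguishes a host walking the address space from one that merely has a stale route to a single foreign network.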

