Security Incidents mailing list archives
Re: Strange ARP scan...
From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Wed, 14 Mar 2001 08:53:04 -0600
Chris,

I'd be willing to bet you that this was an nmap ping scan (from your local network obviously). It produces very similar results. I did this just last week and created one helluva bcast storm thanks to our large, flat network (roughly 2200 nodes, yes, that's just plain dumb).

$ nmap -sP 10.0.0.0/8

Now whether this is malicious or not, I can't say. Another item that can cause this is network printer admin tools. The old HP Jet Admin app used to do something this stupid too (maybe the newest one too). Enterasys has a TechTip about it.

http://www.enterasys.com/support/techtips/an0155-9.html

An unrelated note is that some ignorant printer admin tools send an SNMP GetRequest to the bcast address. That's just plain dumb. Anyhow, hope this helps some.

Justin

On 3/13/01 12:42 PM Chris Hobbs said...

A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my network with ARP requests this morning. The ARP requests appeared to be covering the entire 10.0.0.0/8 address space, and appeared, from my capture, to be organized. /24 ranges were scanned alternately in ascending and descending order. Here's a sample of the packets (from Etherpeek):

108 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.50 = ?
109 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.51 = ?
110 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.52 = ?
111 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.53 = ?
112 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.54 = ?
113 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.55 = ?
114 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.149000 ARP Req 10.42.188.56 = ?
115 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.128 = ?
116 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.127 = ?
117 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.196000 ARP Req 10.42.185.126 = ?
118 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.125 = ?
119 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.124 = ?
120 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.123 = ?
121 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 08:54:28.197000 ARP Req 10.42.185.122 = ?

I've not had a chance to scour the box yet for incriminating evidence - I'm hoping something could have just broke to cause this, but that's not what my gut is telling me :/ A panicked reboot stopped the immediate problem. Any suggestions would be appreciated.
-- Chris Hobbs Silver Valley Unified School District Head geek: Technology Services Coordinator webmaster: http://www.silvervalley.k12.ca.us/chobbs/ postmaster: chobbs () silvervalley k12 ca us
-- Justin Shore, ES Pittsburg State University Network & Systems Manager Kelce 157Q Office of Information Systems Pittsburg, KS 66762 Voice: (620) 235-4606 Fax: (620) 235-4545 http://www.pittstate.edu/ois/ Warning: This message has been quadruple Rot13'ed for your protection.
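
The pattern described in the quoted report (one source MAC broadcasting ARP requests for runs of consecutive addresses, alternating between ascending and descending) can be picked out of a text capture mechanically. The Python below is an added example, not part of either poster's message: the function names and the `min_run` threshold are assumptions, and the sample input is constructed to mirror packets 108-121 of the quoted capture.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# One capture line: packet no., source MAC, "Ethernet Broadcast", size,
# timestamp, then "ARP Req <target> = ?" (the layout quoted above).
LINE_RE = re.compile(
    r"^\s*\d+\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+Ethernet Broadcast"
    r"\s+\d+\s+\S+\s+ARP Req\s+(\d+\.\d+\.\d+\.\d+)\s+=\s+\?")

def sample_capture():
    """Constructed sample mirroring packets 108-121 of the quoted capture."""
    ips = [f"10.42.188.{h}" for h in range(50, 57)]
    ips += [f"10.42.185.{h}" for h in range(128, 121, -1)]
    return "\n".join(
        f"{108 + i} 00:A0:CC:39:3D:B1 Ethernet Broadcast 64 "
        f"08:54:28.149000 ARP Req {ip} = ?" for i, ip in enumerate(ips))

def parse(text):
    """Yield (source MAC, target IP) for each broadcast ARP request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).upper(), IPv4Address(m.group(2))

def sweep_runs(text, min_run=5):
    """Map each source MAC to its runs of >= min_run consecutive targets,
    as (first_ip, last_ip, direction, count). min_run is an assumed threshold."""
    targets = defaultdict(list)
    for mac, ip in parse(text):
        targets[mac].append(int(ip))
    result = {}
    for mac, ips in targets.items():
        runs, start, step = [], 0, 0
        for i in range(1, len(ips) + 1):
            delta = ips[i] - ips[i - 1] if i < len(ips) else 0
            if delta in (1, -1) and step in (0, delta):
                step = delta          # run continues in the same direction
                continue
            if i - start >= min_run:  # run ended: keep it if long enough
                runs.append((str(IPv4Address(ips[start])),
                             str(IPv4Address(ips[i - 1])),
                             "ascending" if step == 1 else "descending",
                             i - start))
            start, step = i, 0
        result[mac] = runs
    return result

if __name__ == "__main__":
    for mac, runs in sweep_runs(sample_capture()).items():
        print(mac, runs)
```

A source MAC that reports several long runs across many different /24 ranges is sweeping address space rather than resolving hosts it needs to talk to.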
Current thread:
- Strange ARP scan... Chris Hobbs (Mar 13)
- Re: Strange ARP scan... Ryan Russell (Mar 14)
- <Possible follow-ups>
- Re: Strange ARP scan... Justin Shore (Mar 14)