Security Incidents mailing list archives

Re: Strange traffic ....


From: John Sage <jsage () finchhaven com>
Date: Sat, 22 Sep 2001 21:34:56 -0700

Just a thought:

This was a symptom of some common collateral damage from CodeRed; what you're seeing may be the same sort of deal for Nimda (although CodeRed probes are still around, heaven knows...)

Depending on configuration, some cable modem systems tend to think that an unusually wide range of IP addresses are to be properly included in the range of ARP (Address Resolution Protocol) requests, which are most commonly found internally on LANs.

These ARP storms apparently made some cable systems in the US virtually unusable for days..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Elie De Brauwer wrote:

When I booted my firewall today (an OpenBSD machine hooked up using a cable modem), I saw strange traffic on my cable modem (blinking RD lights while I knew no traffic was coming in...). So I logged in and ran tcpdump; below are the results. Can anyone explain these...? My IP is 213.224.1xx.xxx ....

11:20:54.626314 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:20:56.686464 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:20:58.238345 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:00.808768 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:02.879542 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:04.290517 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:04.830205 arp who-has D5E06403.kabel.telenet.be tell D5E06401.kabel.telenet.be
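
The pattern in the capture above (the headend repeatedly asking who-has the .255 address of its own /24, then a normal request for another host) is the sort of thing John describes, and it is easy to pull out of a tcpdump ARP log automatically. The script below is an added example, not part of this thread or of any tool mentioned in it: it parses "arp who-has X tell Y" lines in tcpdump's format, rolls them up per sender, and flags three things: requests for the subnet's broadcast address (nobody owns that address, so ARPing for it is a misconfiguration or a storm symptom), requests for targets outside the local subnet (the "unusually wide range" above), and senders that ask for many distinct targets (a sweep, the classic worm/scanner signature). Assumptions: the local network is taken as 213.224.100.0/24, inferred from the posted target and the masked "213.224.1xx.xxx"; the reverse names such as D5E06401.kabel.telenet.be are decoded by treating their first eight hex digits as the IPv4 address (D5 E0 64 01 = 213.224.100.1, which is consistent with the target in the same /24, but the naming convention is an assumption, not something the thread states); the sweep threshold of 8 distinct targets is arbitrary; and the lines after the seven posted ones are constructed to exercise the other branches.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump ARP request line, e.g.
# 11:20:54.626314 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
ARP_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) arp who-has "
    r"(?P<target>\S+) tell (?P<sender>\S+)$"
)
# ASSUMPTION: names such as D5E06401.kabel.telenet.be carry the IPv4 address
# as eight hex digits (D5 E0 64 01 -> 213.224.100.1). Other naming schemes
# would need their own decoder or a real reverse lookup.
HEXNAME_RE = re.compile(r"^([0-9A-Fa-f]{8})\.")


def to_ip(token):
    """Dotted quad or hex-encoded hostname -> IPv4Address, else None."""
    try:
        return ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        pass
    m = HEXNAME_RE.match(token)
    return ipaddress.IPv4Address(int(m.group(1), 16)) if m else None


def parse_arp(line):
    """(seconds since midnight, target, sender, raw target) for a who-has line, else None."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None  # ARP replies and non-ARP lines are ignored
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    return t, to_ip(m["target"]), to_ip(m["sender"]), m["target"]


def analyse(text, local_net, sweep_threshold=8):
    """Summarise who-has traffic per sender and flag broadcast, foreign and sweep patterns."""
    net = ipaddress.IPv4Network(local_net)
    stats = defaultdict(lambda: {"requests": 0, "targets": set(), "broadcast": 0,
                                 "foreign": 0, "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_arp(line)
        if rec is None:
            continue
        t, target, sender, raw_target = rec
        st = stats[str(sender) if sender else "?"]
        st["requests"] += 1
        st["targets"].add(raw_target)
        st["first"] = t if st["first"] is None else st["first"]
        st["last"] = t
        if target is not None and target == net.broadcast_address:
            st["broadcast"] += 1   # no host owns this address; ARPing for it is pathological
        elif target is not None and target not in net:
            st["foreign"] += 1     # ARP for an address that is not on this LAN at all
    findings = {}
    for sender, st in stats.items():
        flags = []
        if st["broadcast"]:
            flags.append("who-has for broadcast address")
        if st["foreign"]:
            flags.append("targets outside local net")
        if len(st["targets"]) >= sweep_threshold:
            flags.append("arp sweep")
        span = st["last"] - st["first"]
        rate = st["requests"] / span if span > 0 else float(st["requests"])
        findings[sender] = {
            "requests": st["requests"],
            "distinct_targets": len(st["targets"]),
            "broadcast": st["broadcast"],
            "foreign": st["foreign"],
            "rate_per_s": round(rate, 2),
            "flags": flags,
        }
    return findings


# The seven lines from the post, followed by CONSTRUCTED lines (not from the
# thread) that exercise the sweep, out-of-subnet and benign branches.
POSTED = """\
11:20:54.626314 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:20:56.686464 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:20:58.238345 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:00.808768 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:02.879542 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:04.290517 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:04.830205 arp who-has D5E06403.kabel.telenet.be tell D5E06401.kabel.telenet.be
"""
CONSTRUCTED = "".join(
    f"11:21:05.{i * 100000:06d} arp who-has 213.224.100.{10 + i} tell 213.224.100.77\n"
    for i in range(10)
) + (
    "11:21:06.000000 arp who-has 213.224.101.5 tell 213.224.100.77\n"
    "11:21:07.100000 arp who-has 213.224.100.1 tell 213.224.100.50\n"
    "11:21:07.200000 arp reply 213.224.100.1 is-at 00:11:22:33:44:55\n"
)
SAMPLE = POSTED + CONSTRUCTED

if __name__ == "__main__":
    for sender, f in analyse(SAMPLE, "213.224.100.0/24").items():
        print(sender, f)
```

On the posted lines alone the headend (213.224.100.1) is flagged only for the six broadcast requests, at well under one request per second; the constructed sender 213.224.100.77 trips both the sweep and the out-of-subnet checks. Run against a longer `tcpdump -n arp` capture, the rate and distinct-target counts are what separate a storm or worm-driven sweep from the occasional stray request a headend makes.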

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com