Security Incidents mailing list archives
Re: A bit strange ARP queries
From: Tillmann Werner <tillmann.werner () gmx de>
Date: Fri, 16 Dec 2005 19:29:31 +0100
Rea, that trace is more than a bit strange and should be really alarming. One can do lots of dirty things abusing ARP.
> Has anyone seen such ARP packets? I am a bit curious, because we have no strange hardware that will set the target hardware address in the who-has ARP packet. Are there any attacks that use such packets?
Mapping the MAC addresses to vendors - i.e., using <http://standards.ieee.org/regauth/oui/index.shtml> - fails, except for 0:0:1f:0:a:c7 (and the replies, of course). Another interesting thing is that some of the MAC addresses are multicast addresses (the lsb of the first octet is 1). That would at least explain the failed mappings, but as far as I know it makes no sense to send frames with a multicast source address. Furthermore, these addresses are not well-known, compared to <http://www.cavebear.com/CaveBear/Ethernet/multicast.html>.

A slight idea is that there is some system writing crap on the wire, interpreted as ARP by tcpdump. I have seen such cases before... this is really hard to detect.

Answering the following questions might help you during further investigation:
o Do you see those requests just in a single broadcast domain?
o Is that a switched network?
o What's the link layer protocol? Ethernet?
o What protocols do you run in the involved networks (ipv4, ipv6, routing protocols, ...)?
o Does a full hexdump provide more details (tcpdump -X)?
o Is the IP address in the ARP requests assigned in your network?
o Has anything changed in network setup?

Hope my understanding of ARP and MAC is right. :-)

Tillmann
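The checks raised in this reply (multicast bit in the sender MAC, failed OUI lookup, non-zero target hardware address in a who-has request, or frames that are not really ARP at all) can be applied to raw frames. The following is an added example, not code from the thread; the sample frames and the tiny OUI table are constructed, and a real deployment would load the IEEE OUI list instead.

```python
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
# Constructed stub OUI table (first three octets); replace with the IEEE OUI list.
KNOWN_OUIS = {"00:00:1f"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_request(sender_mac, sender_ip, target_ip, target_mac=bytes(6)):
    """Build an Ethernet II frame carrying an ARP who-has (opcode 1) request."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += target_mac + ipaddress.IPv4Address(target_ip).packed
    return b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"eth_src": frame[6:12], "op": op, "sha": body[0:6], "spa": body[6:10],
            "tha": body[10:16], "tpa": body[16:20]}

def check_arp(frame):
    """Return a list of anomaly descriptions; an empty list means the frame looks normal."""
    arp = parse_arp(frame)
    if arp is None:
        return ["not a well-formed Ethernet/IPv4 ARP frame (garbage on the wire?)"]
    findings = []
    sha = mac_str(arp["sha"])
    if arp["sha"][0] & 1:  # group bit set: multicast/broadcast, never valid as a source
        findings.append(f"multicast sender hardware address {sha}")
    if sha[:8] not in KNOWN_OUIS:
        findings.append(f"sender OUI {sha[:8]} not in vendor table")
    if arp["eth_src"] != arp["sha"]:
        findings.append("Ethernet source differs from ARP sender hardware address")
    if arp["op"] == 1 and any(arp["tha"]):  # who-has should carry an all-zero target MAC
        findings.append(f"who-has request carries non-zero target MAC {mac_str(arp['tha'])}")
    return findings

# Constructed samples: a normal request and one shaped like the trace in the thread.
NORMAL = build_arp_request(bytes.fromhex("00001f000ac7"), "192.168.0.1", "192.168.0.2")
ODD = build_arp_request(bytes.fromhex("01005e000001"), "192.168.0.3", "192.168.0.2",
                        target_mac=bytes.fromhex("00001f000ac7"))

if __name__ == "__main__":
    for name, frame in (("normal", NORMAL), ("odd", ODD)):
        print(name, check_arp(frame) or ["no anomalies"])
```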