RE: Bizarre traffic

["David Gillett" <gillettdavid () fhda edu>]

  There is progress.  The suspect traffic turns out to be *from* 
port 443, not to it as I had erroneously believed my sniffer to
be indicating.
  I've also now captured the bogie responding to ARP requests
for the servers in question -- this looks close enough to how
Ettercap behaves that I'm now treating it as that.

  The disruption is occurring because, have ARP-poisoned traffic
into coming to its port, the bogie is forwarding it via a local
broadcast.  Except this is on a large VLAN, and that broadcast 
traffic is flooding the whole network....

  NOW, all I have to do is catch the %$@$ machine.  I had black-
holed the MAC address at the switch where the traffic first
appeared, but today it was back from somewhere else.

David Gillett
 

> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu] 
> Sent: Thursday, February 09, 2006 9:57 AM
> To: incidents () securityfocus com
> Subject: Bizarre traffic
>
>   Does anybody know of anything (malware, hackware, other?) 
> that would cause a machine to put out traffic with the first 
> octet of the destination address (re)set to ZERO?
>
>   The traffic I saw all was headed for port 443, and wasn't 
> decipherable.  The variation in packet size looked like a 
> real conversation, although return packets (if any) weren't 
> passing my sniffer.  The destination addresses, sans the 
> bogus first octet, looked like addresses of a couple of real 
> internal servers (source address was internal) -- which, 
> however, do not have HTTPS service active.
>
>   [This traffic correlated with various intermittent 
> disruptions of our network, which stopped when the source 
> machine dropped off the network.  It later reappeared -- and 
> so did a brief disruption -- long enough for me to pinpoint 
> and ban it.]
>
> David Gillett