Penetration Testing mailing list archives
Re: [PEN-TEST] Bizzare Network Errors Found During Pen Test (IP A RP Throttled)
From: Dom De Vitto <dom () DEVITTO COM>
Date: Thu, 22 Mar 2001 11:10:18 -0000
I'd put money on it, a Sunscreen, lucent bridge or Openbsd box I'd say. You may b able to determine the ruleset by doing a big portscan, and/or fragmenting and/or firewalking (not firewalking the bridge! firewalking a router behind the bridge) Dom - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dom De Vitto Secure Technologies Ltd. mailto:dom () devitto com Mob. +44 7971 589 201 http://www.devitto.com Fax. +44 8700 548 750 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | -----Original Message----- | From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf | Of Schaubach, Stephen | Sent: 21 March 2001 19:54 | To: PEN-TEST () SECURITYFOCUS COM | Subject: Re: [PEN-TEST] Bizzare Network Errors Found During Pen Test (IP | A RP Throttled) | | | Just a guess but could it be a transparent bridge in between? | | -----Original Message----- | From: Mike Ahern [mailto:mc_ahern () YAHOO COM] | Sent: Wednesday, March 21, 2001 10:45 AM | To: PEN-TEST () SECURITYFOCUS COM | Subject: [PEN-TEST] Bizzare Network Errors Found During Pen Test (IP ARP | Throttled) | | | I have recently experienced a wierd situation when | attempting to port scan and pen test a remote | international location of a large corporation. | | I can port scan the remote router ok. I can telnet | into the remote router ok. I can telnet to remote | devices ok from the remote router. I can telnet from | the remote devices back thru the network to my hosts. | The arp cache of the far end router shows the MAC | addresses of the remote devices, so there doesn't | appear to be anything in between. | | However when I port scan the remote devices the remote | router scans ok, but all other devices actually end up | on the scan either not responding or are showing that | my packets are hitting the firewall at the end of the | default route for our network (this includes hosts | that exist, that have routes, are online and able to | communicate otherwise). The only exception in addition | to the remote router are two HP Jet Direct print | servers, which I can scan and telnet to from here. | | I cannot directly ping or telnet hosts on the remote | network other than the remote router and these HP Jet | Direct print servers from where I am. I can hit every | remote host from the remote router however. Routing is | ok within the network, looking at the routing tables, | and the remote cisco router has a minimal config with | eigrp progagated route tables. | | The CRUX of the ISSUE: | I am getting the following error on the remote Cisco | router, with the router having TCP debug enabled for | each host exhibiting this problem: | "IP ARP throttled out the ARP Request for | 10.xxx.xxx.2" | | The only thing I can find on the net are a few deja | news/google searchable posts for people with Token | Ring to Ethernet tranlational bridging problems. | | The remote site does have both Ethernet and Token | Ring, and does have multiple routers, switches, source | route bridges, multihomed hosts, etc.. | | Anyone ever seen anything like this? It is pretty | bizarre, and I have spent a good amount of time | testing the routes, possible proxy issues (there are | none), etc.. | | My guess is that it is either a setup problem in the | remote Cisco related to translational bridging perhaps | (even tho we are routing), or perhaps something on the | far end network misconfigured or doing a poor job of | translational bridging. That is just a guess, and I | would be pleased to stand corrected by anyone who has | seen this before and can explain it to me. | | | So my questions... | | What does "IP ARP Throttled" mean? When does it happen | and what causes it? Is there something I can do to | either mitigate this problem, or identify what is | generating this error? | | Many Thanks in advance for any help! | | | - mike | | | | | | | | | __________________________________________________ | Do You Yahoo!? | Get email at your own domain with Yahoo! Mail. | http://personal.mail.yahoo.com/
Current thread:
- Re: [PEN-TEST] Bizzare Network Errors Found During Pen Test (IP A RP Throttled) Schaubach, Stephen (Mar 21)
- Re: [PEN-TEST] Bizzare Network Errors Found During Pen Test (IP A RP Throttled) Dom De Vitto (Mar 22)