Penetration Testing mailing list archives

Re: [PEN-TEST] Bizarre Network Errors Found During Pen Test (IP ARP Throttled)


From: Dom De Vitto <dom () DEVITTO COM>
Date: Thu, 22 Mar 2001 11:10:18 -0000

I'd put money on it, a SunScreen, Lucent bridge or OpenBSD box I'd say.
You may be able to determine the ruleset by doing a big portscan,
and/or fragmenting and/or firewalking (not firewalking the bridge!
firewalking a router behind the bridge)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto                              Secure Technologies Ltd. 
  mailto:dom () devitto com                       Mob. +44 7971 589 201  
  http://www.devitto.com                       Fax. +44 8700 548 750  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 

 | -----Original Message-----
 | From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
 | Of Schaubach, Stephen
 | Sent: 21 March 2001 19:54
 | To: PEN-TEST () SECURITYFOCUS COM
 | Subject: Re: [PEN-TEST] Bizarre Network Errors Found During Pen Test (IP
 | ARP Throttled)
 | 
 | 
 | Just a guess but could it be a transparent bridge in between?
 | 
 | -----Original Message-----
 | From: Mike Ahern [mailto:mc_ahern () YAHOO COM]
 | Sent: Wednesday, March 21, 2001 10:45 AM
 | To: PEN-TEST () SECURITYFOCUS COM
 | Subject: [PEN-TEST] Bizarre Network Errors Found During Pen Test (IP ARP
 | Throttled)
 | 
 | 
 | I have recently experienced a weird situation when
 | attempting to port scan and pen test a remote
 | international location of a large corporation.
 | 
 | I can port scan the remote router ok. I can telnet
 | into the remote router ok. I can telnet to remote
 | devices ok from the remote router. I can telnet from
 | the remote devices back thru the network to my hosts.
 | The arp cache of the far end router shows the MAC
 | addresses of the remote devices, so there doesn't
 | appear to be anything in between.
 | 
 | However when I port scan the remote devices the remote
 | router scans ok, but all other devices actually end up
 | on the scan either not responding or are showing that
 | my packets are hitting the firewall at the end of the
 | default route for our network (this includes hosts
 | that exist, that have routes, are online and able to
 | communicate otherwise). The only exception in addition
 | to the remote router are two HP Jet Direct print
 | servers, which I can scan and telnet to from here.
 | 
 | I cannot directly ping or telnet hosts on the remote
 | network other than the remote router and these HP Jet
 | Direct print servers from where I am. I can hit every
 | remote host from the remote router however. Routing is
 | ok within the network, looking at the routing tables,
 | and the remote Cisco router has a minimal config with
 | EIGRP propagated route tables.
 | 
 | The CRUX of the ISSUE:
 | I am getting the following error on the remote Cisco
 | router, with the router having TCP debug enabled for
 | each host exhibiting this problem:
 | "IP ARP throttled out the ARP Request for
 | 10.xxx.xxx.2"
 | 
 | The only thing I can find on the net are a few deja
 | news/google searchable posts for people with Token
 | Ring to Ethernet translational bridging problems.
 | 
 | The remote site does have both Ethernet and Token
 | Ring, and does have multiple routers, switches, source
 | route bridges, multihomed hosts, etc..
 | 
 | Anyone ever seen anything like this? It is pretty
 | bizarre, and I have spent a good amount of time
 | testing the routes, possible proxy issues (there are
 | none), etc..
 | 
 | My guess is that it is either a setup problem in the
 | remote Cisco related to translational bridging perhaps
 | (even tho we are routing), or perhaps something on the
 | far end network misconfigured or doing a poor job of
 | translational bridging. That is just a guess, and I
 | would be pleased to stand corrected by anyone who has
 | seen this before and can explain it to me.
 | 
 | 
 | So my questions...
 | 
 | What does "IP ARP Throttled" mean? When does it happen
 | and what causes it? Is there something I can do to
 | either mitigate this problem, or identify what is
 | generating this error?
 | 
 | Many Thanks in advance for any help!
 | 
 | 
 | - mike