understanding ARP was: RE: [lug] wild activity, don't know why.

Holshouser, David dholshou at ball.com
Thu Aug 9 13:34:57 MDT 2001


I won't be able to be in physical contact with the box for at least a week.
Is there another way to follow ARP activity?

Why would my machine be broadcasting ~40-45 unique ARP requests per second?
Could this be considered normal during an attack like what we are seeing due
to CR&CRII?

I feel a little uneasy that my machine is putting so much crap out into the
world (at least into the local net). 

Any ideas, things to check / do, or just a better understanding of the ARP
world would be nice.
I thought I understood this system but this just doesn't make sense to me. 


> -----Original Message-----
> From: Michael J. Hammel [mailto:mjhammel at graphics-muse.org]
> Sent: Thursday, August 09, 2001 11:52 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] wild activity, don't know why.
> 
> 
> Thus spoke Holshouser, David
> > I downloaded iptraf and it looks like there is nothing but ARP going across
> > the pipe. I can't tell the to or from addresses though. Is there a way to
> > see if I am the one generating all the arp traffic?
> 
> Sure, shut down the interface.  ARP requests are software driven and if the
> inet connection is down, it won't go out.
> 
> I did this same test here in Houston (Time/Warner cable) and found the
> activity light stayed pretty active (though not solid).  There is a lot of
> probing going on right now.
> 
> > Perhaps I've been hacked and I'm being used to DOS the local pipe by ARPing
> > it to death.
> > Or maybe someone else has fallen victim to this fate.
> 
> It's someone else, more than likely, if you're on a Linux box.
> 
> > This doesn't appear to be CodeRed to me. 
> 
> It is.
> 
> > I did get 375 hits from it yesterday and already 45 today, but that doesn't
> > account for a constantly steady activity light.
> 
> I'm running KRUD and set up my gateway box to not accept any incoming
> connections via isinglass (very cool stuff, if you haven't tried it - it's
> from tummy.com).  Incoming connection attempts get logged as rejected in
> /var/log/messages.  Looking though those I found the IP addresses of the
> hosts who were probing me (which recently turned out to be a bunch on the
> *inside* of Time/Warners network address block).  I telnet'd to those IP
> addresses on port 80 and did "get html", which produces an error and a note
> on which server is running.  Guess what - they're all MS IIS servers.  It's
> code red doing its thing.
> 
> > > further out. Almost all the hits I have been getting are on port 80 and
> > > from the 65.x.x.x address block (where my IP resides).
> 
> Ditto, but on the 66.x.x.x block which is Time/Warners.
> 
> > > AT&T @Home said that they were going to block port 80 off from the outside
> > > world on their network. All good and well, but that won't stop computers
> > > inside the network from scanning.
> 
> Which is where most of the scans are coming from here.
> 
> Interestingly enough, the frequency of the data light flashes has slowed
> slightly over the past week.  It's still pretty active, but not quite so
> bad as on Monday or Tuesday.  There are more frequent pauses now.
> -- 
> Michael J. Hammel           |
> The Graphics Muse           |   I'm not tense, just terribly, terribly alert.
> mjhammel at graphics-muse.org  |
> http://www.graphics-muse.com
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
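The two questions in the post above (how to follow ARP activity without being at the console, and whether ~40-45 requests per second is scan-like) can both be answered from a remote packet capture. The following is an added example, not code from the thread or from the LUG: it assumes a capture taken over ssh with `tcpdump -n -tt -i eth0 arp` (the `-tt` switch prints epoch-second timestamps) and summarises, per sending host, how many requests it sent, how many distinct addresses it asked for, its peak requests-per-second, and how many of those targets ever answered. The sample capture is constructed inside the script, not real traffic from anyone's network. A host that keeps asking for a few addresses that reply is behaving normally; one that asks once each for dozens of addresses per second and gets no replies is sweeping the local subnet, which is what a worm scanning addresses that happen to fall inside the local network would look like from the wire.

```python
"""Summarise ARP request activity per sender from tcpdump-style text.

Added example, not code from the mailing-list thread. Input format is assumed
to match `tcpdump -n -tt arp` output: an epoch timestamp followed by either
"arp who-has <target> tell <sender>" or "arp reply <ip> is-at <mac>".
"""
import re
from collections import defaultdict

# Integer seconds are captured as the first group so requests can be bucketed
# per second; the fractional part is matched but ignored.
WHO_HAS = re.compile(r"^(\d+)\.\d+ arp who-has (\S+) tell (\S+)$")
REPLY = re.compile(r"^(\d+)\.\d+ arp reply (\S+) is-at ([0-9a-fA-F:]+)$")


def build_sample_capture():
    """Constructed sample (not real traffic): 192.168.1.5 resolves its gateway
    once and gets an answer; 192.168.1.20 sprays 45 requests within one second
    at 45 distinct addresses and receives no replies at all."""
    lines = [
        "997383600.000120 arp who-has 192.168.1.1 tell 192.168.1.5",
        "997383600.000410 arp reply 192.168.1.1 is-at 00:00:5e:00:53:01",
    ]
    for i in range(45):
        ts = 997383600 + i * 0.02          # all 45 land inside the same second
        lines.append(f"{ts:.6f} arp who-has 192.168.1.{100 + i} tell 192.168.1.20")
    return "\n".join(lines)


def summarize(capture_text):
    """Return {sender: {requests, unique_targets, peak_per_second,
    answered_targets}} for every host that sent at least one who-has."""
    per_sender = defaultdict(lambda: {"requests": 0,
                                      "targets": set(),
                                      "per_second": defaultdict(int)})
    answered = set()                       # addresses that replied at least once
    for line in capture_text.splitlines():
        m = WHO_HAS.match(line)
        if m:
            second, target, sender = m.groups()
            s = per_sender[sender]
            s["requests"] += 1
            s["targets"].add(target)
            s["per_second"][second] += 1
            continue
        m = REPLY.match(line)
        if m:
            answered.add(m.group(2))
    summary = {}
    for sender, s in per_sender.items():
        summary[sender] = {
            "requests": s["requests"],
            "unique_targets": len(s["targets"]),
            "peak_per_second": max(s["per_second"].values()),
            "answered_targets": len(s["targets"] & answered),
        }
    return summary


def flag_noisy(summary, rate_threshold=20):
    """Senders whose peak request rate reaches the threshold, sorted by address.
    The threshold is an assumption for this example; tune it to the subnet."""
    return sorted(h for h, s in summary.items()
                  if s["peak_per_second"] >= rate_threshold)


if __name__ == "__main__":
    report = summarize(build_sample_capture())
    for host, s in sorted(report.items()):
        print(f"{host:15} requests={s['requests']:3} targets={s['unique_targets']:3} "
              f"peak/s={s['peak_per_second']:3} answered={s['answered_targets']}")
    print("noisy senders:", flag_noisy(report))
```

On a live box, redirect the capture to a file (`tcpdump -n -tt -i eth0 arp > arp.txt`, run over ssh so no console access is needed), then call `summarize(open("arp.txt").read())`. If the local machine's own address shows up as the sender with a high peak rate and almost no answered targets, it is the one generating the traffic; if the noisy sender is another address on the segment, the box is only hearing someone else's broadcasts, which matches the "it's someone else" reading in the quoted reply.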


