Network Security Incidents

Weird ARP Replies, maybe exploit?

Subject: Weird ARP Replies, maybe exploit?
Date: Tue, 31 May 2005 17:45:11 +0200

Hi all,

 
I have a series of weird ARP-Replies flooding our network. 

Although there seem (according to a sniffer session via a mirror port)
to be no ARP-Requests at all, several thousand Replies a day go from the
MAC and IP (in both the Frame Header and Payload) of an Enterasys
Vertical Horizon Switch Stack (which I'm almost sure is not the true
sender) to a Broadcast IP and MAC (also header & payload).
 
Of course our IDS fires alarms all the time because an ARP-Reply to a
Broadcast normally shouldn't occur.

The most interesting thing is that there seem to be HTTP-Requests in the
Padding (of course this really confuses me) of each frame.

The HTTP-codes look like: "GET /mall/", "GET /mall/stuv", etc. which
occasionally appear between non-printable code in the padding. It almost
looks like some HTTP-packet was split and stuffed into the padding of
the certainly false replies.


Could this be part of an exploit or severe configuration fault?

I'm grateful for any clues in this case.

 
 

Sincerely,
Steve
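
A triage check for the frames described in the post above, as an added example that is not part of the original message: it parses a raw Ethernet frame, flags an ARP reply sent to broadcast, compares the header and payload sender MACs, and pulls printable strings out of the padding. It assumes untagged Ethernet II frames with the FCS already stripped; the function names and the sample frame are constructed for illustration.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
ETH_HDR_LEN, ARP_LEN = 14, 28   # untagged Ethernet II header, ARP body for Ethernet/IPv4

def printable_runs(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes found in data."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7f:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def inspect_arp_frame(frame):
    """Return findings for an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    padding = frame[ETH_HDR_LEN + ARP_LEN:]   # bytes after the ARP body
    return {
        "reply_to_broadcast": oper == 2 and BROADCAST_MAC in (dst, tha),
        "sender_mismatch": src != sha,        # header MAC differs from payload MAC
        "nonzero_padding": any(padding),
        "padding_strings": printable_runs(padding),
    }

def build_sample_frame():
    """Constructed 60-byte frame (documentation MAC/IP ranges), not a real capture."""
    mac = bytes.fromhex("00005e005301")
    eth = struct.pack("!6s6sH", BROADCAST_MAC, mac, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, mac,
                      bytes([192, 0, 2, 1]), BROADCAST_MAC, bytes([192, 0, 2, 255]))
    return eth + arp + b"\x8f\x02GET /mall/stuv\x00\x91"

if __name__ == "__main__":
    print(inspect_arp_frame(build_sample_frame()))
```

Non-zero padding containing readable fragments of unrelated traffic usually means the sending device is filling short frames from a reused buffer instead of zeroing it, so the strings help identify which host's data is ending up in the frames.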

  • Weird ARP Replies, maybe exploit?, Marksteiner, Stefan <=