Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Weird ARP Replies, maybe exploit?

from [Valdis . Kletnieks] Network Security [Permanent Link]
Subject: Re: Weird ARP Replies, maybe exploit?
Date: Wed, 01 Jun 2005 13:56:05 -0400 
On Tue, 31 May 2005 17:45:11 +0200, "Marksteiner, Stefan" said:


Although there seem (regarding to a sniffer-session via a mirror port)
to be no ARP-Requests at all, several thousand Replies a day go from the
MAC and IP (in both the Frame Header and Payload) of an Enterasys
Vertical Horizon Switch Stack (which I'm almost sure it's not the true
sender) to a Broadcast IP and MAC (also header & payload).
 
Of course our IDS fires alarms all the time because a ARP-Reply to a
Broadcast normally shouldn't occur.


This can happen if the offending machine has a busticated netmask - if
you're on 192.168.10.0/24 (for example), and one box has its netmask
set for /23, it will think the broadcast addr is 192.168.11.255 rather
than 192.168.10.255 - and it will try to reply to the not-seen-as-broadcast
packets.


The most interesting thing is that there seem to be HTTP-Requests in the
Padding (of course this really confuses me) of each frame.


This may just be old gear that has an information leakage issue - some older
network drivers failed to zero trailing space on short packets. See:

http://www.atstake.com/research/advisories/2003/a010603-1.txt

If it looks like the problem is something else, feel free to speak up.. ;)

Attachment: pgpWL37SbP9zy.pgp
Description: PGP signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: Weird ARP Replies, maybe exploit?, caveda
Next by Thread:  Re: Weird ARP Replies, maybe exploit?, caveda
Indexes:  [Date] [Thread] [Top] [All Lists]