Network Security: Detailed info on RE: A bit strange ARP queries

Subject:	RE: A bit strange ARP queries
Date:	Wed, 21 Dec 2005 18:22:49 -0200

Where this is happening? LAN?

The IP who is requesting the arp's is know by you?

What can be happing is a machine that is trying to flood the MAC table
of the local switch and making the switch work like a HUB, then the
attacker can sniffer the network and get the information that they want.

This can be a defective network card. (Less probable)


-----Original Message-----
From: Eygene A. Ryabinkin [mailto:rea@rea.mbslab.kiae.ru] 
Sent: quinta-feira, 15 de dezembro de 2005 13:06
To: incidents@securityfocus.com
Subject: A bit strange ARP queries

  Good day!

 Has anyone seen such ARP packets? I am a bit curious, because we have
no
strange hardware that will set the target hardware address in the
who-has
ARP packet. Are there any attacks that using such packets?
-----
15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell
the-requester

15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) tell
the-requester

15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:30:02.913314 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:30:03.915013 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:30:04.915854 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:30:25.962925 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:30:26.966171 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:30:26.991402 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:31:01.025945 arp who-has the-host-in-question (7:1c:c3:0:72:8c) tell
the-requester

15:31:01.040650 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:32:01.308911 arp who-has the-host-in-question (4:f9:50:10:ff:ff) tell
the-requester

15:32:01.319515 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:33:01.448065 arp who-has the-host-in-question (0:b0:2:0:25:f) tell
the-requester

15:33:02.448924 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:33:02.573582 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:34:00.568785 arp who-has the-host-in-question (0:b0:2:0:25:f) tell
the-requester

15:34:01.569537 arp who-has the-host-in-question (2e:2f:30:31:32:33)
tell the-requester

15:34:01.625362 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:35:00.836038 arp who-has the-host-in-question (0:0:1f:0:a:c7) tell
the-requester

15:35:00.956094 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:36:12.412916 arp who-has the-host-in-question (94:eb:ed:1a:71:fb)
tell the-requester

15:36:12.423227 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
-----
 'the-host-in-question' and 'the-requester' are, of course, IP
addresses.

  Thanks!
-- 
 rea

BOFH excuse #158:
Defunct processes

<Prev in Thread]	Current Thread	[Next in Thread>
RE: A bit strange ARP queries, (continued) RE: A bit strange ARP queries, Jason Burton Re: A bit strange ARP queries, wayne dawson Re: A bit strange ARP queries, Eygene A. Ryabinkin RE: A bit strange ARP queries, Craig Skelton RE: A bit strange ARP queries, Jeroen van Meeuwen Re: A bit strange ARP queries, Samuel R. Baskinger Re: A bit strange ARP queries, Tillmann Werner Re: A bit strange ARP queries, Jeff Kell RE: A bit strange ARP queries, Paul Farrington RE: A bit strange ARP queries, Dave Hawkins RE: A bit strange ARP queries, Koike, Rafael Marcelino <= Re: A bit strange ARP queries, Eygene A. Ryabinkin

Previous by Date:	Re: A bit strange ARP queries, Samuel R. Baskinger
Next by Date:	Re: A bit strange ARP queries, Eygene A. Ryabinkin
Previous by Thread:	RE: A bit strange ARP queries, Dave Hawkins
Next by Thread:	Re: A bit strange ARP queries, Eygene A. Ryabinkin
Indexes:	[Date] [Thread] [Top] [All Lists]