Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-sigs] ARP "Who has (one address)" > "Tell (many different, ra

from [Williams Jon] Network Security [Permanent Link]
Subject: RE: [Snort-sigs] ARP "Who has (one address)" > "Tell (many different, random IP's)"
Date: Thu, 28 Oct 2004 13:20:15 -0500 
Just thinking out loud here...

Wouldn't this behavior (multiple hosts all doing lookups for a single IP
address) be an indication that there was some service running on that
one host?  Have you checked the IP address that everyone's looking up to
see if they're running a web/p2p/music/whatever server?

Jon

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Matt
Kettler
Sent: Thursday, October 28, 2004 11:45 AM
To: yawles@luther.edu; snort-sigs@lists.sourceforge.net
Cc: Adam Forsyth; Jeff Williams
Subject: Re: [Snort-sigs] ARP "Who has (one address)" > "Tell (many
different, random IP's)"

At 09:09 AM 10/28/2004, Les Yaw wrote:

We're a "residential college" with over 2,700 college students with 
their own computers on our "ResNet."  We seem to be under attack from 
within.  My Senior Sys Admin looked on the firewall's tcpdump activity 
shows massive quantities of ARP traffic, which ask "Who has (one single



internal IP address)" with a destination of "Tell (multiple, random 
internal IP addresses)."
We're with the belief this is the activity of a slew of zombie 
computers on our network.

Has anyone ever seen such activity?
Can you tell us what the name of this trojan/worm/viruii is?


It would be impossible from that alone to tell if there was a trojan,
worm or virus at work, much less which one.

Normaly a worm like slammer is going to have the oposite relationship.
One host will be asking lots of who has questions for a variety of
hosts.

         i: ARP who has (multiple random internal IPs) tell (one single
internal IP)


Is the one single internal IP address one of your gateways or servers?
If 
so, that's entirely normal. All the hosts in your network are going to
have 
to arp for it. Windows machines will re-arp about once every 5 minutes,
so 
this gets to be a lot of arps on a large network.

Really your best action for that is creating different subnets (even if 
only on VLANs using a managed routing switch) to control the scope of 
broadcasts to a hundred machines or so at a time.





-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] ARP "Who has (one address)" > "Tell (many different, random IP's)", Paul Schmehl
Next by Date:  Re: [Snort-sigs] ARP "Who has (one address)" > "Tell (many different, random IP's)", Matt Kettler
Previous by Thread:  Re: [Snort-sigs] ARP "Who has (one address)" > "Tell (many different, random IP's)", Paul Schmehl
Next by Thread:  RE: [Snort-sigs] ARP "Who has (one address)" > "Tell (many different, random IP's)", hchemin
Indexes:  [Date] [Thread] [Top] [All Lists]