At 09:09 AM 10/28/2004, Les Yaw wrote:
We're a "residential college" with over 2,700 college students with their
own computers on our "ResNet." We seem to be under attack from
within. My Senior Sys Admin looked on the firewall's tcpdump activity
shows massive quantities of ARP traffic, which ask "Who has (one single
internal IP address)" with a destination of "Tell (multiple, random
internal IP addresses)."
We're with the belief this is the activity of a slew of zombie computers
on our network.
Has anyone ever seen such activity?
Can you tell us what the name of this trojan/worm/viruii is?
It would be impossible from that alone to tell if there was a trojan, worm
or virus at work, much less which one.
Normaly a worm like slammer is going to have the oposite relationship. One
host will be asking lots of who has questions for a variety of hosts.
i: ARP who has (multiple random internal IPs) tell (one single
internal IP)
Is the one single internal IP address one of your gateways or servers? If
so, that's entirely normal. All the hosts in your network are going to have
to arp for it. Windows machines will re-arp about once every 5 minutes, so
this gets to be a lot of arps on a large network.
Really your best action for that is creating different subnets (even if
only on VLANs using a managed routing switch) to control the scope of
broadcasts to a hundred machines or so at a time.
-------------------------------------------------------
This Newsletter Sponsored by: Macrovision
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
