Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Strange ARP scan...
From: Chris Hobbs <chobbs () SILVERVALLEY K12 CA US>
Date: Tue, 13 Mar 2001 10:42:28 -0800
A Linux box (Kernel 2.2.5) on my network (10.168.12.0/22) flooded my
network with ARP requests this morning. The ARP requests appeared to be
covering the entire 10.0.0.0/8 address space, and appeared, from my
capture, to be organized. /24 ranges were scanned alternately in
ascending and descending order. Here's a sample of the packets (from
Etherpeek):

108     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.50 = ?
109     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.51 = ?
110     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.52 = ?
111     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.53 = ?
112     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.54 = ?
113     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.55 = ?
114     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.149000 ARP Req
10.42.188.56 = ?
115     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.128 = ?
116     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.127 = ?
117     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.196000 ARP Req
10.42.185.126 = ?
118     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.125 = ?
119     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.124 = ?
120     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.123 = ?
121     00:A0:CC:39:3D:B1       Ethernet Broadcast      64      08:54:28.197000 ARP Req
10.42.185.122 = ?

I've not had a chance to scour the box yet for incriminating evidence -
I'm hoping something could have just broke to cause this, but that's not
what my gut is telling me :/ A panicked reboot stopped the immediate
problem. Any suggestions would be appreciated.

--
Chris Hobbs       Silver Valley Unified School District
Head geek:              Technology Services Coordinator
webmaster:    http://www.silvervalley.k12.ca.us/chobbs/
postmaster:               chobbs () silvervalley k12 ca us

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]