Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DHCP, ARP, oh my Anyone know of an exploit that dupes ARP o

From: <Rocky.Jenkins () emich edu>(Rocky Jenkins)
Date: Thu, 9 Aug 2001 18:55:09 EDT

The discussion on this list has been very active tonight.  (The one that I forwarded this message from...)  I just 
thought I'd pass it along as interesting.

Thanks!
Rocky


---------
Rocky Jenkins
Director IT, Network and Web Services
Information and Communications Technology Division
Eastern Michigan University

- - - - - - - - - - - - - - Original Message - - - - - - - - - - - - - -
From: "Reeves, Michael (GEAE, Compaq)" <michael.reeves () ae ge com>
Subject: DHCP, ARP, oh my Anyone know of an exploit that dupes ARP on wi
Date: 08/09/01 08:29

Forwarded to:      Rocky Jenkins@MGT@UC
          cc:      vince@ts@uc
Comments by:       John French@TS@UC
Comments:      


While it's possible that we both interpreted an attack in different ways, I think this is a different issue.

The traffic floods we were seeing consisted specifically of SMB "Xact" traffic, which appeared to be a broadcasted 
"browse" request, and every machine on the Microsoft Network replied with an answer (or possibly a broadcast query of 
its own - I'm not sure).  There didn't appear to be any "faked" address though.  We sniffed on several machines, and 
they were the ones actually responding.  Additionally, we didn't really reset any machines to fix the trouble.

It's certainly worth keeping an eye out for, though...

   =======================================================================      
Forwarded to:      john french@ts@uc,vince tocco@ts@uc
          cc:      
Comments by:       Rocky Jenkins@MGT@UC
Comments:      


Guys - this sounds kind of similar to the problem Allyn experienced yesterday.  Is it similar?  Or is it my imagination?

Rocky
---------
Rocky Jenkins
Director IT, Network and Web Services
Information and Communications Technology Division
Eastern Michigan University
   -------------------------- [Original Message] -------------------------      
SUBJECT too long. Original SUBJECT is
DHCP, ARP, oh my Anyone know of an exploit that dupes ARP on wind ows 95?


----------------------  Original Message Follows  ----------------------

Yesterday we had a machine that caused a nasty ARP storm and started
snagging DHCP addresses as fast as it could (stealing addresses). It was
ARPing as if it were every machine on the network. It was a windows 95 box
and was immediately pulled off of the network. Once the machine was rebooted
it stopped. Doing a quick onceover on the machine and looking through the
registry I didn't see anything that seemed suspect. I have seen bad NICs
cause broadcast storms but this is a first for me. If anyone knows of any
exploits or seen anything like this as a hardware failure could ya let me
know.

Thanks,

Mike Reeves
Security Administrator

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: