
Re: ARP "Who has (one address)" > "Tell (many different, random IP's)": msg#00190

security.ids.snort.sigs


--On Thursday, October 28, 2004 09:09:33 AM -0500 Les Yaw <yawles@xxxxxxxxxx> wrote:

> We're a "residential college" with over 2,700 college students with their
> own computers on our "ResNet." We seem to be under attack from within.
> My Senior Sys Admin looked at the firewall's tcpdump activity, which shows
> massive quantities of ARP traffic, which ask "Who has (one single
> internal IP address)" with a destination of "Tell (multiple, random
> internal IP addresses)."
> We're with the belief this is the activity of a slew of zombie computers
> on our network.
>
> Has anyone ever seen such activity?

We've seen massive ARP traffic in our student residences, but not of the nature that you describe.

> Can you tell us what the name of this trojan/worm/virus is?

No. If you can identify an infected host and your antivirus won't detect the malware, send a sample to your AV vendor.

> How can we detect this?

I don't believe snort has the capability of detecting ARP traffic at this time. We are using a perl script that uses tcpdump to identify hosts generating excessive traffic.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
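The reply above describes a script that reads tcpdump output and counts which hosts are generating excessive ARP traffic. The following is an added example of that approach in Python; it is not the UTD perl script and not part of the original thread. It parses the text output of `tcpdump -n -e arp` (the `-e` flag prints the Ethernet header), groups ARP requests by the Ethernet source MAC rather than by the "tell" address, because the "tell" address is just a field in the ARP payload that the sending host fills in and can forge, so the "multiple, random" sender IPs in the original report would scatter one infected machine across many rows if you grouped on them. It then flags any MAC that exceeds a request budget or claims many distinct sender IPs. The thresholds, the MAC/IP addresses and the sample capture lines are constructed assumptions for illustration.

```python
import re
from collections import Counter

# One line of `tcpdump -n -e -i eth0 arp` looks like this (constructed sample,
# following tcpdump's Ethernet + ARP request print format):
# 09:09:33.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.5.7 tell 10.0.12.34, length 46
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"Request who-has (?P<target>\d{1,3}(?:\.\d{1,3}){3}) tell (?P<sender>\d{1,3}(?:\.\d{1,3}){3}), length \d+$"
)


def parse_arp_requests(lines):
    """Yield (src_mac, target_ip, claimed_sender_ip) for each ARP request line.

    ARP replies and anything that is not an ARP request are skipped.
    """
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if m:
            yield m.group("src_mac"), m.group("target"), m.group("sender")


def summarize_by_mac(lines):
    """Aggregate ARP requests per Ethernet source MAC.

    The 'tell' address is attacker-controlled payload; the Ethernet source
    address is what the NIC actually put on the wire, so it is the key to
    group on when hunting the infected host.
    """
    stats = {}
    for src_mac, target, sender in parse_arp_requests(lines):
        s = stats.setdefault(src_mac, {"requests": 0, "targets": Counter(), "senders": set()})
        s["requests"] += 1
        s["targets"][target] += 1
        s["senders"].add(sender)
    return stats


def find_suspects(lines, max_requests=50, min_claimed_senders=10):
    """Return MACs that exceed the request budget or claim many different sender IPs.

    The thresholds are assumed values for illustration; tune them to the size
    of the segment and the length of the capture window.
    """
    suspects = []
    for src_mac, s in summarize_by_mac(lines).items():
        reasons = []
        if s["requests"] > max_requests:
            reasons.append("excessive_requests")
        if len(s["senders"]) >= min_claimed_senders:
            reasons.append("many_claimed_sender_ips")
        if reasons:
            top_target, _ = s["targets"].most_common(1)[0]
            suspects.append({
                "src_mac": src_mac,
                "requests": s["requests"],
                "distinct_senders": len(s["senders"]),
                "distinct_targets": len(s["targets"]),
                "top_target": top_target,
                "reasons": reasons,
            })
    suspects.sort(key=lambda x: x["requests"], reverse=True)
    return suspects


def _line(seq, src_mac, target, sender):
    """Build one constructed tcpdump line in the format parsed above."""
    return (f"09:09:{(seq // 1000) % 60:02d}.{seq % 1000:06d} {src_mac} > ff:ff:ff:ff:ff:ff, "
            f"ethertype ARP (0x0806), length 60: Request who-has {target} tell {sender}, length 46")


# Constructed sample capture: three well-behaved requests from two hosts, one ARP
# reply (ignored), and one host firing 200 requests for a single target while
# claiming a different sender IP every time, as in the original report.
SAMPLE_CAPTURE = [
    _line(1, "00:0c:29:aa:bb:01", "10.0.0.1", "10.0.3.15"),
    _line(2, "00:0c:29:aa:bb:02", "10.0.0.1", "10.0.3.16"),
    _line(3, "00:0c:29:aa:bb:02", "10.0.3.15", "10.0.3.16"),
    "09:09:33.000004 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype ARP (0x0806), length 60: "
    "Reply 10.0.3.15 is-at 00:0c:29:aa:bb:01, length 46",
] + [
    _line(100 + i, "00:11:22:33:44:55", "10.0.5.7", f"10.0.{i // 250 + 1}.{i % 250 + 1}")
    for i in range(200)
]

if __name__ == "__main__":
    # In production read sys.stdin from `tcpdump -l -n -e -i <iface> arp` instead.
    for suspect in find_suspects(SAMPLE_CAPTURE):
        print(suspect)
```

Run it against a live capture with `tcpdump -l -n -e -i eth0 arp | python3 arpwatch.py` (script name assumed) and feed lines to `find_suspects` in fixed windows; a host whose `distinct_senders` is large while `distinct_targets` is one is the pattern described in the original question, and its `src_mac` is what to look up in the switch CAM tables to find the port and the student.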

