Re: ARP "Who has (one address)" > "Tell (many different, random IP's)"

At 09:09 AM 10/28/2004, Les Yaw wrote:
> We're a "residential college" with over 2,700 college students with their 
> own computers on our "ResNet."  We seem to be under attack from 
> within.  My Senior Sys Admin looked on the firewall's tcpdump activity 
> shows massive quantities of ARP traffic, which ask "Who has (one single 
> internal IP address)" with a destination of "Tell (multiple, random 
> internal IP addresses)."
> We're with the belief this is the activity of a slew of zombie computers 
> on our network.
>
> Has anyone ever seen such activity?
> Can you tell us what the name of this trojan/worm/viruii is?

It would be impossible from that alone to tell if there was a trojan, worm 
or virus at work, much less which one.

Normaly a worm like slammer is going to have the oposite relationship. One 
host will be asking lots of who has questions for a variety of hosts.

        i: ARP who has (multiple random internal IPs) tell (one single 
internal IP)


Is the one single internal IP address one of your gateways or servers? If 
so, that's entirely normal. All the hosts in your network are going to have 
to arp for it. Windows machines will re-arp about once every 5 minutes, so 
this gets to be a lot of arps on a large network.

Really your best action for that is creating different subnets (even if 
only on VLANs using a managed routing switch) to control the scope of 
broadcasts to a hundred machines or so at a time.





-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/