Bugtraq mailing list archives
RARP attack?
From: pashdown () xmission com (Pete Ashdown)
Date: Mon, 24 Jun 1996 16:47:48 -0600
We just had a rather specialized attack that I thought I would mention to the list. Our network connects in via ether to our provider, with whom we share the same building. The provider also colocates several servers (web servers and such) that probably have rather minimal security, if any. It looks as if someone broke into one of these other machines, then started sending out bogus RARP packets.

I had been experiencing a weird packet loss that I couldn't track down for the past few weeks, but today and yesterday several of our Suns were not reachable at all from the provider's Cisco. After a bit of noodling around, I cleared the ARP cache on their Cisco and things came back fine. Replacing the cached entries for the boxes on our network with statics solidified the situation.

The only question I have for the list is why someone would do this? They hit some of our Suns, but not all of them, and none of our routers or terminal servers were affected. I believe it wasn't a spoofing attack since the MAC addresses were bogus and didn't resolve to anything. All I can think is that someone just wanted to bring us down, and nothing else.
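The check below is an added example, not part of the original post: it audits a router's ARP cache against known-good IP-to-MAC bindings (the same bindings one would pin as static entries) and reports entries that no longer match. It assumes the text layout of Cisco `show ip arp` output; the sample table, addresses and baseline are constructed for illustration.

```python
import re

# Constructed sample of Cisco "show ip arp" output (all addresses are made up).
SAMPLE_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10              3   0800.2001.a1b2  ARPA   Ethernet0
Internet  192.0.2.11              1   dead.beef.0001  ARPA   Ethernet0
Internet  192.0.2.12              0   Incomplete      ARPA
Internet  192.0.2.13              -   0800.2001.c3d4  ARPA   Ethernet0
"""

# Assumed known-good IP -> MAC bindings, e.g. the ones you would pin as statics.
BASELINE = {
    "192.0.2.10": "08:00:20:01:a1:b2",
    "192.0.2.11": "08:00:20:01:aa:bb",
    "192.0.2.12": "08:00:20:01:cc:dd",
}

def normalize_mac(mac):
    """Reduce dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp_table(text):
    """Return {ip: normalized MAC, or None if unresolved} from 'show ip arp' text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "Internet":
            continue  # header or unrelated line
        ip, hw = fields[1], fields[3]
        table[ip] = None if hw.lower() == "incomplete" else normalize_mac(hw)
    return table

def audit(arp_text, baseline):
    """Compare the cache with the baseline; return sorted (ip, status, seen_mac)."""
    seen = parse_arp_table(arp_text)
    findings = []
    for ip, expected in baseline.items():
        if ip not in seen:
            continue  # no cache entry right now, nothing to compare
        got = seen[ip]
        if got is None:
            findings.append((ip, "unresolved", None))
        elif got != normalize_mac(expected):
            findings.append((ip, "mismatch", got))
    return sorted(findings)
```

Run periodically against a fresh capture of the table, a non-empty result from `audit()` points at the hosts whose cached entries have been overwritten or cannot be resolved.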