Security Incidents mailing list archives
Re: Weird ARP Replies, maybe exploit?
From: Valdis.Kletnieks () vt edu
Date: Wed, 01 Jun 2005 13:56:05 -0400
On Tue, 31 May 2005 17:45:11 +0200, "Marksteiner, Stefan" said:
Although there seem (regarding to a sniffer-session via a mirror port) to be no ARP-Requests at all, several thousand Replies a day go from the MAC and IP (in both the Frame Header and Payload) of an Enterasys Vertical Horizon Switch Stack (which I'm almost sure it's not the true sender) to a Broadcast IP and MAC (also header & payload). Of course our IDS fires alarms all the time because a ARP-Reply to a Broadcast normally shouldn't occur.
This can happen if the offending machine has a busticated netmask - if you're on 192.168.10.0/24 (for example), and one box has its netmask set for /23, it will think the broadcast addr is 192.168.11.255 rather than 192.168.10.255 - and it will try to reply to the not-seen-as-broadcast packets.
The most interesting thing is that there seem to be HTTP-Requests in the Padding (of course this really confuses me) of each frame.
This may just be old gear that has an information leakage issue - some older network drivers failed to zero trailing space on short packets. See: http://www.atstake.com/research/advisories/2003/a010603-1.txt If it looks like the problem is something else, feel free to speak up.. ;)
Attachment:
_bin
Description:
Current thread:
- Re: Weird ARP Replies, maybe exploit? Valdis . Kletnieks (Jun 01)
- <Possible follow-ups>
- Re: Weird ARP Replies, maybe exploit? caveda (Jun 02)