Re: Weird ARP Replies, maybe exploit?

[Valdis.Kletnieks () vt edu]

On Tue, 31 May 2005 17:45:11 +0200, "Marksteiner, Stefan" said:

> Although there seem (regarding to a sniffer-session via a mirror port)
> to be no ARP-Requests at all, several thousand Replies a day go from the
> MAC and IP (in both the Frame Header and Payload) of an Enterasys
> Vertical Horizon Switch Stack (which I'm almost sure it's not the true
> sender) to a Broadcast IP and MAC (also header & payload).
>  
> Of course our IDS fires alarms all the time because a ARP-Reply to a
> Broadcast normally shouldn't occur.

This can happen if the offending machine has a busticated netmask - if
you're on 192.168.10.0/24 (for example), and one box has its netmask
set for /23, it will think the broadcast addr is 192.168.11.255 rather
than 192.168.10.255 - and it will try to reply to the not-seen-as-broadcast
packets.

> The most interesting thing is that there seem to be HTTP-Requests in the
> Padding (of course this really confuses me) of each frame.

This may just be old gear that has an information leakage issue - some older
network drivers failed to zero trailing space on short packets. See:

http://www.atstake.com/research/advisories/2003/a010603-1.txt

If it looks like the problem is something else, feel free to speak up.. ;)

Attachment: _bin
Description: