Re: A bit strange ARP queries
From: Tillmann Werner (tillmann.werner gmx.de)
Date: Fri Dec 16 2005 - 12:29:31 CST
Rea,
that trace is more than a bit strange and should be really alarming. One can
do lots of dirty things abusing ARP.
> Has anyone seen such ARP packets? I am a bit curious, because we have no
> strange hardware that will set the target hardware address in the who-has
> ARP packet. Are there any attacks that using such packets?
Mapping the MAC addresses to vendors - i.e., using
<http://standards.ieee.org/regauth/oui/index.shtml> - fails, except for
0:0:1f:0:a:c7 (and the replies, of course).
Another interesting thing is that some of the MAC addresses are multicast
addresses (the lsb of the first octet is 1). That would at least explain the
failed mappings, but as far as I know it makes no sense to send frames with a
multicast source address. Furthermore, these addresses are not well-known,
compared to <http://www.cavebear.com/CaveBear/Ethernet/multicast.html>.
A slight idea is that there is some system writing crap on the wire,
interpreted as ARP by tcpdump. I have seen such cases before... this is
really hard to detect.
Answering the following questions might help you during further investigation:
o Do you see those requests just in a single broadcast domain?
o Is that a switched network?
o What's the link layer protocol? Ethernet?
o What protocols do you run in the involved networks (ipv4, ipv6, routing protocols, ...)?
o Does a full hexdump provide more details (tcpdump -X)?
o Is the IP address in the ARP requests assigned in your network?
o Has anything changed in network setup?
Hope my understanding of ARP and MAC is right. :-)
Tillmann
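The checks Tillmann walks through (multicast bit in the source MAC, a target hardware address already filled in on a who-has request) can be turned into a small triage script. This is an added example, not code from the thread; the frame is constructed, and the extra check that the Ethernet source differs from the ARP sender address is a common ARP sanity check not mentioned in the post.

```python
import struct

def build_arp_request(sha, spa, tpa, tha=bytes(6), eth_src=None):
    """Build a constructed Ethernet/IPv4 ARP who-has frame.
    In a normal request the target hardware address (tha) is all zeros."""
    eth_src = sha if eth_src is None else eth_src
    return (bytes.fromhex("ffffffffffff") + eth_src + b"\x08\x06"  # dst, src, EtherType ARP
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)            # htype, ptype, hlen, plen, op
            + sha + spa + tha + tpa)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": frame[6:12], "op": op, "sha": frame[22:28],
            "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def arp_anomalies(frame):
    """Flag the oddities discussed in the post: a multicast (group) bit set in
    the source MACs, and a target MAC filled in on a who-has request. Also
    flags an Ethernet source that differs from the ARP sender address."""
    arp = parse_arp(frame)
    if arp is None:
        return ["not a parseable Ethernet/IPv4 ARP frame"]
    findings = []
    for field in ("eth_src", "sha"):
        if arp[field][0] & 1:  # lsb of first octet = group/multicast bit
            findings.append(f"{field} {mac_str(arp[field])} is a multicast address")
    if arp["op"] == 1 and any(arp["tha"]):
        findings.append(f"who-has request carries target MAC {mac_str(arp['tha'])}")
    if arp["eth_src"] != arp["sha"]:
        findings.append("Ethernet source differs from ARP sender hardware address")
    return findings

# Constructed sample: multicast source MAC, and a who-has request whose target
# MAC is already set (reusing the 00:00:1f OUI that appears in the thread).
SAMPLE_FRAME = build_arp_request(
    sha=bytes.fromhex("01005e0000fb"), spa=bytes([192, 168, 1, 10]),
    tpa=bytes([192, 168, 1, 1]), tha=bytes.fromhex("00001f000ac7"))

if __name__ == "__main__":
    for line in arp_anomalies(SAMPLE_FRAME):
        print(line)
```

Feed it raw frames from a pcap reader to triage a whole capture; a frame that parses but yields no findings is an ordinary request.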