I posted this to Bugtraq last night but it got rejected. :P

Anyways, if cable modem users are seeing drastically increased ARPing, the targeting of the Code Red III variant should explain it -- hitting non-existent addresses on your subnet will cause the CMTS<->headend router to ARP out to see who's got that address, you get the picture.

At the very least, it's a good opportunity for users to see how many modems your provider has packed onto your segment. If they've packed too many on there, you can be sure the CMTS router's going to get seriously bogged down.

I have an automated program which sends the IP addresses to the ARIS list *and* to my ISP's security department (those IPs which fall under their management) -- I wonder if ISPs are considering just dropping all packets from infected hosts, so when the customer comes to them and complains, they say "Oh, you're infected, reboot, install the patch, and we'll reconnect you." Seems that this would reduce the load on the CMTS and would be faster than trying to track down each customer individually.

Chad Loder
Rapid 7, Inc. - Next generation security products and services
http://www.rapid7.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
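The ARP pattern described in the post can be measured from a capture of the broadcast traffic on the segment. The following is an added example, not part of the original post: it assumes tcpdump's text output for ARP, a constructed sample using documentation addresses, and 192.0.2.1 as a hypothetical gateway. Treating a target that never speaks as non-existent is a heuristic, since a bystander normally sees only the broadcast requests.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's ARP text format (RFC 5737 addresses;
# 192.0.2.1 stands in for the CMTS/headend router).
SAMPLE = """\
13:22:01.100000 ARP, Request who-has 192.0.2.17 tell 192.0.2.1, length 28
13:22:01.350000 ARP, Request who-has 192.0.2.44 tell 192.0.2.1, length 28
13:22:01.900000 ARP, Request who-has 192.0.2.45 tell 192.0.2.1, length 28
13:22:02.200000 ARP, Request who-has 192.0.2.44 tell 192.0.2.1, length 28
13:22:02.400000 ARP, Request who-has 192.0.2.80 tell 192.0.2.1, length 28
13:22:02.950000 ARP, Request who-has 192.0.2.1 tell 192.0.2.80, length 28
13:22:03.100000 ARP, Request who-has 192.0.2.46 tell 192.0.2.1, length 28
"""

REQ = re.compile(r"^(\d+):(\d+):(\d+\.\d+) ARP, Request who-has (\S+)"
                 r"(?: \(\S+\))? tell (\S+?),")

def summarize_arp(text, gateway):
    """Summarize router-originated ARP requests seen by a host on the segment."""
    times, targets, senders = [], Counter(), set()
    for line in text.splitlines():
        m = REQ.match(line)
        if not m:
            continue  # replies are unicast, so a bystander rarely sees them
        h, mi, s, target, sender = m.groups()
        if sender == gateway:
            times.append(int(h) * 3600 + int(mi) * 60 + float(s))
            targets[target] += 1
        else:
            senders.add(sender)  # a host that ARPs is demonstrably alive
    span = max(times) - min(times) if len(times) > 1 else 0.0
    return {
        "gateway_requests": len(times),
        "requests_per_sec": round(len(times) / span, 2) if span else None,
        "hosts_heard": sorted(senders),
        # Heuristic: asked for by the router but never heard from.
        "silent_targets": sorted(t for t in targets if t not in senders),
        # Retries for the same address suggest nothing answered.
        "repeated_targets": sorted(t for t, n in targets.items() if n > 1),
    }

if __name__ == "__main__":
    for key, value in summarize_arp(SAMPLE, "192.0.2.1").items():
        print(f"{key}: {value}")
```

Comparing `requests_per_sec` against a baseline taken before the worm traffic started is what makes the increase visible; the absolute number depends on segment size.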
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 13:22:03 PDT