The discussion on this list has been very active tonight. (The one that I forwarded this message from...) I just thought I'd pass it along as interesting.

Thanks!
Rocky
---------
Rocky Jenkins
Director IT, Network and Web Services
Information and Communications Technology Division
Eastern Michigan University

- - - - - - - - - - - - - - Original Message - - - - - - - - - - - - - -
From: "Reeves, Michael (GEAE, Compaq)" <michael.reevesat_private>
Subject: DHCP, ARP, oh my Anyone know of an exploit that dupes ARP on wi
Date: 08/09/01 08:29

Forwarded to: Rocky Jenkins@MGT@UC
cc: vince@ts@uc
Comments by: John French@TS@UC
Comments:

While it's possible that we both interpreted an attack in different ways, I think this is a different issue. The traffic floods we were seeing consisted specifically of SMB "Xact" traffic, which appeared to be a broadcasted "browse" request, and every machine on the Microsoft Network replied with an answer (or possibly a broadcast query of its own - I'm not sure). There didn't appear to be any "faked" address though. We sniffed on several machines, and they were the ones actually responding. Additionally, we didn't really reset any machines to fix the trouble.

It's certainly worth keeping an eye out for, though...

=======================================================================
Forwarded to: john french@ts@uc,vince tocco@ts@uc
cc:
Comments by: Rocky Jenkins@MGT@UC
Comments:

Guys - this sounds kind of similar to the problem Allyn experienced yesterday. Is it similar? Or is it my imagination?

Rocky
---------
Rocky Jenkins
Director IT, Network and Web Services
Information and Communications Technology Division
Eastern Michigan University

-------------------------- [Original Message] -------------------------
SUBJECT too long. Original SUBJECT is
DHCP, ARP, oh my Anyone know of an exploit that dupes ARP on windows 95?
---------------------- Original Message Follows ----------------------
Yesterday we had a machine that caused a nasty ARP storm and started snagging DHCP addresses as fast as it could (stealing addresses). It was ARPing as if it were every machine on the network. It was a windows 95 box and was immediately pulled off of the network. Once the machine was rebooted it stopped. Doing a quick onceover on the machine and looking through the registry I didn't see anything that seemed suspect. I have seen bad NICs cause broadcast storms but this is a first for me. If anyone knows of any exploits or seen anything like this as a hardware failure could ya let me know.

Thanks,
Mike Reeves
Security Administrator

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
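
The symptom in the original message, one host answering ARP "as if it were every machine on the network", can be looked for in captured traffic. The following is an added example, not part of the thread: it flags any MAC that claims many distinct IPs within a short window and lists IPs answered for by more than one MAC. The log line format, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, one ARP reply per line: "<seconds> <sender MAC> is-at <claimed IP>".
SAMPLE_LOG = """\
0.0 00:a0:c9:00:00:01 is-at 10.0.0.11
0.4 00:a0:c9:00:00:02 is-at 10.0.0.12
1.0 00:60:08:aa:bb:cc is-at 10.0.0.11
1.1 00:60:08:aa:bb:cc is-at 10.0.0.12
1.2 00:60:08:aa:bb:cc is-at 10.0.0.13
1.3 00:60:08:aa:bb:cc is-at 10.0.0.14
not an arp line
30.0 00:a0:c9:00:00:03 is-at 10.0.0.13
"""

def parse(lines):
    """Yield (time, mac, ip) for well-formed lines; skip anything else."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        try:
            t = float(parts[0])
        except ValueError:
            continue
        yield t, parts[1].lower(), parts[3]

def macs_claiming_many_ips(lines, window=10.0, max_ips=3):
    """MACs that claimed more than max_ips distinct IPs inside `window` seconds."""
    recent = defaultdict(list)   # mac -> [(time, ip)] still inside the window
    flagged = defaultdict(set)
    for t, mac, ip in parse(lines):
        recent[mac] = [(ts, a) for ts, a in recent[mac] if t - ts <= window] + [(t, ip)]
        claimed = {a for _, a in recent[mac]}
        if len(claimed) > max_ips:
            flagged[mac] |= claimed
    return {mac: sorted(ips) for mac, ips in flagged.items()}

def ips_with_multiple_macs(lines):
    """IPs answered for by more than one MAC, the conflict other hosts would see."""
    owners = defaultdict(set)
    for _, mac, ip in parse(lines):
        owners[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(macs_claiming_many_ips(log))
    print(ips_with_multiple_macs(log))
```

A flagged MAC gives the switch port to trace; whether the cause is a faulty NIC or something deliberate still has to be established on the host itself.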
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:25:31 PDT