Just a thought:

This was a symptom of some common collateral damage from CodeRed; what you're seeing may be the same sort of deal for Nimda (although CodeRed probes are still around, heaven knows..)

Depending on configuration, some cable modem systems tend to think that an unusually wide range of IP addresses are to be properly included in the range of ARP (Address Resolution Protocol) requests, which are most commonly found internally on LANs.

These ARP storms apparently made some cable systems in the US virtually unusable for days..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsageat_private
"The web is so, like, five minutes ago..."

Elie De Brauwer wrote:

> When I booted my firewall today (OpenBSD machine hooked up using a cable
> modem), I saw strange traffic on my cable modem (blinking RD lights while I
> knew no traffic was coming in ....). So I logged in and ran TCPdump ... below
> are the results, can anyone explain these ... ? My IP is 213.224.1xx.xxx ....
>
> 11:20:54.626314 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
> 11:20:56.686464 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
> 11:20:58.238345 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
> 11:21:00.808768 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
> 11:21:02.879542 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
> 11:21:04.290517 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
> 11:21:04.830205 arp who-has D5E06403.kabel.telenet.be tell D5E06401.kabel.telenet.be

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 10:24:29 PDT
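As an added example (not part of the original thread), this Python sketch groups the tcpdump ARP lines quoted in the message by sender and target, so repeated who-has requests stand out when reviewing a capture. The function names, the repeat threshold, treating a final octet of 255 as broadcast-like, and reading the host label as a hex-encoded IPv4 address are all assumptions.

```python
import re
from collections import defaultdict

# tcpdump lines quoted in the message above (wrapped last line rejoined).
SAMPLE = """\
11:20:54.626314 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:20:56.686464 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:20:58.238345 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:00.808768 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:02.879542 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:04.290517 arp who-has 213.224.100.255 tell D5E06401.kabel.telenet.be
11:21:04.830205 arp who-has D5E06403.kabel.telenet.be tell D5E06401.kabel.telenet.be
"""

ARP_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) arp who-has (\S+) tell (\S+)$")

def parse(text):
    """Yield (seconds_since_midnight, target, sender) per ARP request line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            h, mi, s, target, sender = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), target, sender

def hex_label_to_ip(host):
    """Assumption: an 8-hex-digit first label encodes the host's IPv4 address."""
    label = host.split(".")[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", label):
        return None
    return ".".join(str(int(label[i:i + 2], 16)) for i in range(0, 8, 2))

def summarize(text, repeat_threshold=3):
    """Group requests by (sender, target); flag pairs that keep repeating."""
    times = defaultdict(list)
    for t, target, sender in parse(text):
        times[(sender, target)].append(t)
    findings = []
    for (sender, target), ts in times.items():
        findings.append({
            "sender": sender, "sender_ip_guess": hex_label_to_ip(sender),
            "target": target, "count": len(ts),
            "span_s": round(max(ts) - min(ts), 3),
            "repeated": len(ts) >= repeat_threshold,
            # Heuristic only: whether .255 is a broadcast depends on the netmask.
            "broadcast_like": target.endswith(".255"),
        })
    return sorted(findings, key=lambda f: -f["count"])

if __name__ == "__main__":
    for finding in summarize(SAMPLE):
        print(finding)
```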