[TriLUG] RoadRunner issue - arp flood?

Steve Kuekes steve at kuekes.homeip.net
Tue Dec 24 14:48:56 EST 2002


You got it right...

It's the Nimda virus, et al.  If you look at the ARP packets, it is 
scripts looking for responding IP addresses.  The IP addresses go

x.x.x.1
x.x.x.2
x.x.x.3.. etc

It's the Nimda and like viruses looking for active IP addresses.  You 
can't tell the source IP address because the original user is doing a 
ping and the RR routers are attempting to resolve the IP address to a 
MAC address on the RR network.  Hence the ARP request (which means... 
"anyone listening, if you are this IP address please respond to me with 
your MAC address").

If you are running a web server you'll see that you still get hit with 
Nimda attacks hourly.  Also, if you are running an SMTP server you see 
attacks looking for open relays to use to send SPAM.  (I get 
tested at least twice a night, mostly from China IP addresses.)

So thank the spammers, script kiddies and virus writers.  They are 
sucking up bandwidth with their crap.

Nick Goldwater wrote:
>>Not sure what rr.com official help is gonna say since it's not causing
>>actual loss of connection yet,
> 
> 
> My connection has been lossy for the last couple weeks.
> 
> 
>>but over the last few days my cable
>>modem's activity light has been *on*.  Today I finally ran its
>>ethernet cable directly to my debian box instead of the linksys router
>>to tcpdump to see what's up, and it's a flood of arp traffic from
>>primarily one machine.  The machine's IP (24.74.136.1) makes me think
>>it's a router box for RR, so maybe it's just something they broke
>>mistakenly.
>>
>>Anyone hazard a guess as to what might be broken?  Or how to fix it? :)
> 
> 
> I noticed the activity light went ON after the Nimda virus went on its
> rampage... Never went OFF after that... Do not know if it is connected or
> just a coincidence.
> 
> 
>>
>>So 78% of those packets were arp packets, with those 2 (router?)
>>machines dominating it.  Ugh.
>>
>>Help my poor cable modem! :)
>>


-- 
Steve Kuekes

Private Pilot: N9259R '95 Saratoga based at Sanford-Lee County Regional 
(TTA)
email: skuekes at nc.rr.com
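The pattern Steve describes (a router ARPing for x.x.x.1, x.x.x.2, x.x.x.3 ... on behalf of a scanning host) can be spotted mechanically in a tcpdump capture. This is an added example, not from the thread: it parses constructed tcpdump-style lines, assumes the classic `arp who-has <target> tell <sender>` output of `tcpdump -n`, and flags any sender whose requested targets form a sequential sweep.

```python
"""Spot worm-style sequential ARP sweeps in tcpdump -n output (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed tcpdump -n request format: "<ts> arp who-has <target> tell <sender>"
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")

# Constructed sample capture: a router (24.74.136.1) walking its subnet in
# address order on behalf of a scanning host, mixed with ordinary traffic.
SAMPLE = """\
14:48:56.000001 arp who-has 24.74.136.2 tell 24.74.136.1
14:48:56.000002 arp who-has 24.74.136.3 tell 24.74.136.1
14:48:56.000003 arp who-has 24.74.136.4 tell 24.74.136.1
14:48:56.000004 IP 24.74.136.77.1234 > 198.51.100.9.80: Flags [S]
14:48:56.000005 arp who-has 24.74.136.5 tell 24.74.136.1
14:48:56.000006 arp who-has 24.74.136.6 tell 24.74.136.1
14:48:56.000007 arp who-has 24.74.136.1 tell 24.74.136.77
14:48:56.000008 IP 198.51.100.9.80 > 24.74.136.77.1234: Flags [S.]
"""

def parse_arp_requests(text):
    """Return ({sender: set(targets)}, arp_request_count, total_packet_count)."""
    targets = defaultdict(set)
    arp_lines = total = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        m = ARP_RE.search(line)
        if m:
            arp_lines += 1
            targets[m.group(2)].add(m.group(1))
    return targets, arp_lines, total

def sweep_score(addrs):
    """Fraction of sorted targets that follow the previous one by exactly 1.
    1.0 means every requested address is the next one up: a linear sweep."""
    ints = sorted(int(ipaddress.IPv4Address(a)) for a in addrs)
    if len(ints) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return steps / (len(ints) - 1)

def find_sweepers(text, min_targets=4, min_score=0.8):
    """Report the ARP share of the capture and senders behaving like sweepers."""
    targets, arp_lines, total = parse_arp_requests(text)
    hits = [(s, len(t), sweep_score(t)) for s, t in targets.items()
            if len(t) >= min_targets and sweep_score(t) >= min_score]
    return {"arp_share": arp_lines / total if total else 0.0, "sweepers": hits}
```

Because the sender in these requests is the router, not the infected host, the output identifies the segment being swept, not the culprit; correlating with the router's own logs is the next step.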
