Arp Flood (DDoS?)

bigstusexy

Have you guys ever seen this situation?


We are having a large number of computers requesting ARP resolutions constantly; they are all valid addresses of computers on the network, but it's causing the network to slow down. So far Windows is handling it alright, but all of our JetDirect cards are crying foul and can't get their work done at all.


Also Task Manager in Windows (it seems to be the legit one) is opening a lot of ports in the 4xxx range; they are consecutive ports as well. Also I've seen a lot of listening on and connections to computers on the emap port (as reported via TCPView).

When I say we are getting a lot of ARP packets: it's around 37,000 packets in 30 seconds and 99.7% of them are ARP. This is reported via Ethereal (10.x).


What is this? We run eTrust Antivirus 7 and most to all of the systems are updated to the new patterns; we set it to update but it doesn't always work (service issues).

Anyone seen this?
 
Do you run any bandwidth monitoring solutions on a site-wide basis? I have seen things like this before when a computer has had a faulty NIC in it and starts freaking out traffic on the network.

I also have seen viruses cause almost similar results (ARP flooding, but not all the open ports :confused: )... so I dunno... I would want to see some type of bandwidth monitoring and see if this is coming from a specific host, or see if you can somehow boil it down to some source.
 
lol 37k in 30 seconds is... umm, yeah... wow.

Check your ARP age times on your routers and on your Windows boxes; I'm sure there is a virus.

A lot of viruses will sequentially do ARPs to find other machines on the network.

Do you find them doing random ARP lookups? Or are they in a row?

i.e.

10.0.0.1, then .2, then .3, etc.
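The two suggestions above (find the host the ARP traffic is coming from, and check whether its lookups are sequential or random) can be checked directly against a packet-list export. The script below is an added example, not code from the thread or from Ethereal: it parses a constructed Ethereal/Wireshark-style summary (No., Time, Source, Destination, Protocol, Info), counts ARP packets per source MAC, computes each source's request rate, and flags sources whose requested addresses run consecutively. The sample lines, MAC addresses and IPs are constructed, and the 80% "mostly consecutive" threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed lines in the shape of an Ethereal/Wireshark packet-list export
# (No., Time, Source, Destination, Protocol, Info). Not a real capture.
SAMPLE_CAPTURE = """\
1 0.000 00:0c:29:aa:bb:01 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.1?  Tell 10.0.0.77
2 0.001 00:0c:29:aa:bb:01 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.2?  Tell 10.0.0.77
3 0.002 00:0c:29:aa:bb:01 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.3?  Tell 10.0.0.77
4 0.003 00:0c:29:aa:bb:01 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.4?  Tell 10.0.0.77
5 0.004 00:0c:29:aa:bb:01 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.5?  Tell 10.0.0.77
6 0.010 00:0c:29:aa:bb:02 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.20?  Tell 10.0.0.9
7 0.015 00:0c:29:aa:bb:02 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.200?  Tell 10.0.0.9
8 0.020 00:0c:29:aa:bb:03 00:0c:29:aa:bb:09 TCP 1234 > 445 [SYN] Seq=0
9 0.021 00:0c:29:aa:bb:09 00:0c:29:aa:bb:03 TCP 445 > 1234 [SYN, ACK] Seq=0
10 0.030 00:0c:29:aa:bb:02 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.44?  Tell 10.0.0.9
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ARP_REQ_RE = re.compile(r"Who has ([\d.]+)\?\s+Tell ([\d.]+)")


def parse_packets(text):
    """Yield (time, src_mac, protocol, info) for every packet-list line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group(2)), m.group(3), m.group(5), m.group(6)


def looks_sequential(targets, min_targets=3, threshold=0.8):
    """True when the distinct requested IPs are mostly consecutive (a sweep),
    False for a handful of random lookups or too few samples to judge."""
    ints = sorted({int(ip_address(t)) for t in targets})
    if len(ints) < min_targets:
        return False
    unit_gaps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return unit_gaps / (len(ints) - 1) >= threshold


def analyze(text):
    """Summarise ARP share of the capture and per-source ARP request behaviour."""
    total = arp_packets = 0
    per_source = defaultdict(lambda: {"count": 0, "sender_ip": None,
                                      "targets": [], "first": None, "last": None})
    for t, src, proto, info in parse_packets(text):
        total += 1
        if proto != "ARP":
            continue
        arp_packets += 1
        req = ARP_REQ_RE.search(info)
        if not req:
            continue  # replies / gratuitous ARP are not requests
        s = per_source[src]
        s["count"] += 1
        s["sender_ip"] = req.group(2)
        s["targets"].append(req.group(1))
        s["first"] = t if s["first"] is None else s["first"]
        s["last"] = t
    for s in per_source.values():
        s["sequential"] = looks_sequential(s["targets"])
        span = s["last"] - s["first"]
        s["rate_per_s"] = s["count"] / span if span > 0 else float(s["count"])
    return {"total": total, "arp_packets": arp_packets,
            "arp_pct": round(100.0 * arp_packets / total, 1) if total else 0.0,
            "per_source": dict(per_source)}


def top_talkers(report, n=3):
    """Sources ordered by number of ARP requests sent, busiest first."""
    return sorted(((mac, s["count"]) for mac, s in report["per_source"].items()),
                  key=lambda x: -x[1])[:n]


if __name__ == "__main__":
    rep = analyze(SAMPLE_CAPTURE)
    print(f"{rep['arp_packets']}/{rep['total']} packets are ARP ({rep['arp_pct']}%)")
    for mac, count in top_talkers(rep):
        s = rep["per_source"][mac]
        print(f"{mac} ({s['sender_ip']}): {count} requests, "
              f"{s['rate_per_s']:.0f}/s, sequential={s['sequential']}")
```

Run it against a real export (Ethereal/Wireshark: File, Export, as plain text packet summary) and the busiest source MAC with sequential=True is the box to pull off the wire first; a source with many requests but random targets fits the dead-gateway scenario better than a worm sweep.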
 
We had that same situation on our campus recently; we had to use Ethereal to sniff out the computers sending out tons of ARP requests. Most ended up being some kind of Spybot worm on the computers... I can't remember exactly; I'll edit this later with more info for ya if you want. :)
 
We found it after much work. No virus at all!


Actually we had a Cisco 3500 XL die; no ARP requests were being filled and there were about 50+ computers that suddenly died, and worst of all a lot of them, including sources that provided routes to get to the internet, just disappeared all at once! So it turns out that the 200+ something computers that were still there were looking for services that didn't exist, so they were just ARPing away and killed the network. Once we got rid of all client computers the printers sprang back to life. Once we isolated and replaced the switch the network was fine again.


Thanks for the suggestions.
 
SYN ACK said:
Why was a 3550 responding to ARPs in the first place?

Proxy ARP does have its benefits in certain scenarios. Maybe his network was one of them? Although if they'd upgrade the IOS image to EMI they'd be able to route subnets, which I think could have prevented this from ever happening.
 
Sounds like somebody on the network is trying to do ARP poisoning to redirect traffic. I do this at my college to fuck around with people I don't like. It's how you can run sniffers on switched networks. If you try to redirect too much traffic it could cause a DoS.
 
I figured it was a faulty piece of equipment somewhere.

When I first started working where I am now, we had a power surge one day that was apparently too strong for some of the surge protectors on some of the machines. It whacked out the network cards, and they started flooding the network with all kinds of traffic, all of it broadcast. It generated so much damn traffic that it hard-locked a Cisco Aironet 1200 and several high-end servers. I've never seen anything like it, except in a switching loop.
 
We have another one today; all the switches seem fine. They are valid ARP broadcast requests, I just don't know why the hell there are so many. I see tons of requests but not replies. The screwed thing about this network is that we have NO access to IOS. Not that I understand it, but I can troubleshoot my butt off, and without that knowledge I can't do jack. Right now I'm going to go to each computer and check what and why if I can (I'm grounded, so to speak). I can't leave the school today; my boss is mad at me, I'll post about that (really at us, the whole tech dept).


Gah, this sucks, but at least I'm getting paid for it; not more than minimum wage, but pay.


Oh, and to the guy that says he does this to people he doesn't like: I dislike you, because this is just mean. Don't make admins' lives harder because someone didn't buy you a Valentine's Day card (ok, that was harsh, but I'm losing my cool).


Later all; if you have any suggestions as to why it's happening and keeps recurring sometimes, let me know.
 
We found something on the net; I don't have the link, but when I get it I'll give it to you. It's a virus. Currently eTrust Antivirus will not detect it; I'm in the process of sending the sample.


The file is taksmgr.exe, NOT TO BE CONFUSED WITH taskmgr.exe. This little bugger is EVIL! You cannot search for it via Windows Search; it will not see it unless you scan the directory it's in (%systemroot%\system32). Search via the command line with dir /a/s.

That's how we were told, and we found it. This thing is giving me a headache.
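The post above relies on spotting taksmgr.exe by eye in `dir /a/s` output (the /a switch lists hidden and system files, which is why the graphical search misses it). The script below is an added example, not code from the thread or from any vendor: it parses a constructed `dir /a/s` listing, tracks the "Directory of" headers so every file gets a full path, and flags any file whose name is one edit or one adjacent-letter swap away from a watched Windows binary (the optimal string alignment variant of Damerau-Levenshtein distance), which catches taksmgr.exe without hard-coding that one name. The listing, sizes and dates are constructed; the watchlist is a short, editable set of real Windows executable names.

```python
import re

# Constructed text in the shape of `dir /a/s` output (hidden files included).
# The taksmgr.exe entry mirrors the thread; sizes and dates are made up.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\WINDOWS\system32

02/14/2005  09:12 AM    <DIR>          .
02/14/2005  09:12 AM    <DIR>          ..
08/04/2004  12:00 PM           140,800 taskmgr.exe
02/14/2005  03:55 PM           187,392 taksmgr.exe
08/04/2004  12:00 PM            14,336 svchost.exe
08/04/2004  12:00 PM            69,120 notepad.exe
               4 File(s)        411,648 bytes

 Directory of C:\WINDOWS\system32\drivers

08/04/2004  12:00 PM           185,344 ndis.sys
               1 File(s)        185,344 bytes
"""

DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")

# Genuine Windows binary names whose look-alikes are worth flagging. Extend as needed.
WATCHLIST = ["taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe",
             "explorer.exe", "winlogon.exe", "services.exe"]


def parse_dir_listing(text):
    """Yield (full_path, size_bytes) for every file line in dir /a/s output."""
    current = None
    for line in text.splitlines():
        h = DIR_HEADER_RE.match(line)
        if h:
            current = h.group(1)
            continue
        f = FILE_LINE_RE.match(line)
        if f and current and "<DIR>" not in line:
            size = int(f.group(3).replace(",", ""))
            yield current.rstrip("\\") + "\\" + f.group(4), size


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(text, watchlist=WATCHLIST, max_distance=1):
    """Return [(path, legit_name)] for files whose name is within max_distance
    of a watched binary name but is not that name itself."""
    hits = []
    for path, _size in parse_dir_listing(text):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in watchlist:
            continue
        for legit in watchlist:
            if osa_distance(name, legit) <= max_distance:
                hits.append((path, legit))
                break
    return hits


if __name__ == "__main__":
    for path, legit in find_lookalikes(SAMPLE_DIR_OUTPUT):
        print(f"suspicious: {path} (looks like {legit})")
```

To use it on a real box, capture the listing with `dir /a/s %systemroot%\system32 > listing.txt` and feed the file's contents to `find_lookalikes`; a hit is a lead to verify (signature, size, creation date), not proof on its own.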
 
bigstusexy said:
We found something on the net; I don't have the link, but when I get it I'll give it to you. It's a virus. Currently eTrust Antivirus will not detect it; I'm in the process of sending the sample.


The file is taksmgr.exe, NOT TO BE CONFUSED WITH taskmgr.exe. This little bugger is EVIL! You cannot search for it via Windows Search; it will not see it unless you scan the directory it's in (%systemroot%\system32). Search via the command line with dir /a/s.

That's how we were told, and we found it. This thing is giving me a headache.

Email a copy of it to me; I'll see if Symantec can detect it. Zip it up and password-protect it so Hotmail's virus scanner won't pick it up.

[email protected]
 
acascianelli said:
Sounds like somebody on the network is trying to do ARP poisoning to redirect traffic. I do this at my college to fuck around with people I don't like. It's how you can run sniffers on switched networks. If you try to redirect too much traffic it could cause a DoS.

First of all: Cain?

And second, in reply to the message right above: you call yourself a person and you are running Symantec? I mean, seriously, if eTrust won't detect it, you think that they will? Waste of time. Just try an online scanner like Panda ActiveScan, or better yet, download a free, less mainstream virus scanner which IS NOT BEING SPECIFICALLY TARGETED BY SCRIPTERS. http://free.grisoft.com/freeweb.php/doc/2/ It's never had anything that it couldn't remove, and no subscription rape.
 
"taksmgr.exe" is the Rbot-QK worm. It also goes by the name Sdbot, which is a fairly common and recent virus. And yes, it is in Symantec's database, and I think it's pretty shitty of eTrust not to have such a common virus in its database.
 
You are correct. I just got the final reply from CA; basically it says that by other virus pattern makers it's called:

(Backdoor.Win32.Rbot.gen) (W32/Sdbot.worm.gen.p)


eTrust 6.1: upgrade
eTrust 6.2: they will contact us
eTrust 7... it's not even listed.

We run 7.0.139 and it's slipping all over; it didn't spread that much but did cause some havoc, and we cleaned it manually. There might be others on the network as well, but everything looks alright for now. I can't stand this: why have a server that tells our clients to update every day if the patterns don't detect stuff? Most boxes have almost the latest update, and I'm making a batch file to force them to update (sometimes you have to stop the services, install the updates and restart the services), but if they don't keep pace with other stuff like the SOHO-based companies then what good is it?


Also I'm seeing suspicious traffic like client PCs that are broadcasting via UDP to everything (255.255.255.255) on port 401. I have no clue right now what that is; I'm a bit busy working on other things and documentation, blah! I wonder if it's replicating like that or if it's sending a control signal or something.
 
I extracted the file you sent me, but there was nothing in the archive.
 
Are you sure your virus program didn't get rid of it? CA had no problems with the file. The password was virus; it was zipped with 7-Zip but made to be PKZIP compatible.
 
CA sent us an email this morning saying that they now include this as something to scan for. As usual, in the last two letters they speak of versions 6.2 and 6.1 but say nothing about 7... maybe I'm just missing something.


If any of you guys get hit with this, here is something else you'll need to know:


This could be just our infection, but the virus also removes something from the computer that drives you nuts if you don't know. Under the local policy, check

Local Policies\User Rights Assignment\Access this computer from the network

This should say something like Administrators, Power Users, Backup users, etc. This key after infection says nothing; this will stop EVERYONE from remotely accessing services on this computer. I haven't searched to find the registry key for quick restoration of the proper users; I have just added Authenticated Users for now. This may not be wise, but make sure you at least add Administrators back so they can access shares and view resources remotely.
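The right described above ("Access this computer from the network") is not a plain registry value; it lives in the local security database and is exposed by `secedit /export /cfg <file>` as the `SeNetworkLogonRight` line of the `[Privilege Rights]` section, and restored with `secedit /configure ... /areas USER_RIGHTS` from a template in the same format. The script below is an added example, not code from the thread or from Microsoft: it parses constructed exports from a healthy and an emptied host, reports which principals hold the right and whether Administrators is missing, and builds a restore template. The export excerpts are constructed (the emptied one mirrors the "says nothing" symptom in the post); the SIDs and the secedit switches are real, and which groups to restore is a site decision, so the list passed to `restore_template` is only a suggestion.

```python
import re

# Well-known SIDs for the groups the thread mentions (plus Authenticated Users).
KNOWN_SIDS = {
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-547": "Power Users",
    "*S-1-5-32-551": "Backup Operators",
    "*S-1-5-32-545": "Users",
    "*S-1-5-11": "Authenticated Users",
    "*S-1-1-0": "Everyone",
}

# Constructed excerpts in the shape of `secedit /export /cfg host.inf` output.
# Real exports are UTF-16 files; open them with encoding="utf-16" before parsing.
HEALTHY_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

INFECTED_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

SID_RE = re.compile(r"\*S-1-\d+(-\d+)*")


def parse_privilege_rights(text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rights[key.strip()] = [s.strip() for s in value.split(",") if s.strip()]
    return rights


def check_network_logon(text, required=("*S-1-5-32-544",)):
    """Flag a host whose network-logon right is empty or lacks the required
    principals (Administrators by default), naming SIDs where known."""
    sids = parse_privilege_rights(text).get("SeNetworkLogonRight", [])
    missing = [s for s in required if s not in sids]
    return {"ok": not missing,
            "granted": [KNOWN_SIDS.get(s, s) for s in sids],
            "missing": [KNOWN_SIDS.get(s, s) for s in missing]}


def restore_template(sids):
    """Build a security template that sets SeNetworkLogonRight to the given SIDs,
    for: secedit /configure /db restore.sdb /cfg restore.inf /areas USER_RIGHTS"""
    bad = [s for s in sids if not SID_RE.fullmatch(s)]
    if bad:
        raise ValueError("not a *S-1-... SID: " + ", ".join(bad))
    return ("[Unicode]\nUnicode=yes\n"
            "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
            "[Privilege Rights]\n"
            "SeNetworkLogonRight = " + ",".join(sids) + "\n")


if __name__ == "__main__":
    for label, export in (("healthy", HEALTHY_EXPORT), ("infected", INFECTED_EXPORT)):
        print(label, check_network_logon(export))
    # Suggested restore set: Administrators, Backup Operators, Power Users, Authenticated Users.
    print(restore_template(["*S-1-5-32-544", "*S-1-5-32-551",
                            "*S-1-5-32-547", "*S-1-5-11"]))
```

Run `secedit /export /cfg host.inf` on each cleaned box, feed the decoded file to `check_network_logon` to find the ones still locked out, and write the template from `restore_template` with `encoding="utf-16"` (matching what secedit itself exports) before applying it with the `/areas USER_RIGHTS` command in the docstring so that only user rights, not the rest of the local policy, are touched.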
 