[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    Weird ARP Replies, maybe exploit?
From:       "Marksteiner, Stefan" <stefan.marksteiner () joanneum ! at>
Date:       2005-05-31 15:45:11
Message-ID: 3477C5E5CA395A4F897F6E3D5DE8091A01142668 () RZJC2EX ! jr1 ! local
[Download RAW message or body]


Hi all,

 
I have a series of weird ARP-Replies flooding our network. 

Although there seem (regarding to a sniffer-session via a mirror port)
to be no ARP-Requests at all, several thousand Replies a day go from the
MAC and IP (in both the Frame Header and Payload) of an Enterasys
Vertical Horizon Switch Stack (which I'm almost sure it's not the true
sender) to a Broadcast IP and MAC (also header & payload).
 
Of course our IDS fires alarms all the time because a ARP-Reply to a
Broadcast normally shouldn't occur.

The most interesting thing is that there seem to be HTTP-Requests in the
Padding (of course this really confuses me) of each frame.

The HTTP-codes look like: "GET /mall/", "GET /mall/stuv", etc. which
occasionally appear between non-printable code in the padding. It almost
looks like some HTTP-packet was split and stuffed into the padding of
the certainly false replies.


Could this be part of an exploit or severe configuration fault?

I'm grateful for any clues in this case.

 
 

Sincerely,
Steve

[prev in list] [next in list] [prev in thread] [next in thread]