From owner-freebsd-isp Wed Sep 19 20:19: 0 2001
Date: Wed, 19 Sep 2001 20:18:46 -0700 (PDT)
From: Brian Whalen
To: Tom ONeil
Subject: Re: EMERGENCY - Arp attack? Am I being DOS'd ?
In-Reply-To: <3BA95D24.B5B737B9@tacni.com>
Message-ID: <20010919201741.Q10874-100000@cx175057-a.ocnsd1.sdca.home.com>
Sender: owner-freebsd-isp@FreeBSD.ORG

u r about to become the network guy, this is a classic symptom of a very
widespread attack going on now. See www.cert.org for example.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Wed, 19 Sep 2001, Tom ONeil wrote:

>
> Network guy on vacation, pls help if you can.
> Having major problems w/ my router getting overloaded.
>
> See below - BTW - gw is my router.
>
> # tcpdump -p | grep " arp "
> tcpdump: listening on rl0
> 22:04:43.323267 arp who-has 216.178.158.211 tell
> router-216-178-158-1.tacni.net
> 22:04:43.398803 arp who-has 209.251.183.1 (Broadcast) tell
> 209.251.183.12
> 22:04:43.473615 arp who-has 216-178-189-15.tacni.net tell
> router-216-178-189-1.tacni.net
> 22:04:43.623222 arp who-has 216.178.155.95 tell gw
> 22:04:43.636589 arp who-has 216.178.188.168 tell gw
> 22:04:43.679175 arp who-has 216.178.136.88 tell gw
> 22:04:43.684980 arp who-has 216.178.135.108 tell gw
> 22:04:43.758496 arp who-has 209.251.183.42 tell gw
> 22:04:43.793178 arp who-has 216.178.155.158 tell gw
> 22:04:43.832945 arp who-has 216-178-189-22.tacni.net tell
> router-216-178-189-1.tacni.net
> 22:04:43.947669 arp who-has 216.178.155.26 tell gw
> 22:04:43.989166 arp who-has 209.251.183.163 tell gw
> 22:04:44.102455 arp who-has 209.251.183.1 tell 209.251.183.225
> 22:04:44.279331 arp who-has 216.178.155.78 tell gw
> 22:04:44.391065 arp who-has 209.251.183.1 (Broadcast) tell
> 209.251.183.12
> 22:04:44.666819 arp who-has 216.178.135.202 tell gw
> 22:04:44.824443 arp who-has 216.178.155.92 tell gw
> 22:04:44.977537 arp who-has 216.178.154.141 tell gw
> 22:04:45.070651 arp who-has 216.178.136.2 tell gw
> 22:04:45.116522 arp who-has 216.178.156.42 tell gw
> 22:04:45.116901 arp who-has 209.251.183.1 tell 209.251.183.225
> 22:04:45.296852 arp who-has 216.178.135.31 tell gw
> 22:04:45.391056 arp who-has 209.251.183.1 (Broadcast) tell
> 209.251.183.12
> 22:04:45.558506 arp who-has 216.178.188.1 tell 216.178.188.14
>
> --
> Thomas J. ONeil tom.oneil@tacni.com
> http://www.tacni.net
> "National Power, Local Presence"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
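
The capture quoted above shows `gw` sending who-has requests for a different address on almost every line. As an added example (not part of either message), this Python sketch counts distinct ARP targets per requester in a sliding window over tcpdump output in that one-line format; the function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One ARP request per line, in the classic tcpdump text format (unwrapped).
ARP_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) arp who-has (\S+)(?: \(Broadcast\))? tell (\S+)$")

def parse_arp(text):
    """Yield (seconds_since_midnight, target, requester) for each ARP request line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            h, mi, s, target, requester = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), target, requester

def arp_fanout(text, window=2.0):
    """Per requester: most distinct targets requested within any `window` seconds."""
    by_req = defaultdict(list)
    for ts, target, requester in parse_arp(text):
        by_req[requester].append((ts, target))
    result = {}
    for requester, events in by_req.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        result[requester] = best
    return result

def flag_sweeps(text, window=2.0, min_targets=5):
    """Requesters resolving many different addresses at once (assumed threshold)."""
    return sorted(r for r, n in arp_fanout(text, window).items() if n >= min_targets)

# Constructed sample using documentation addresses; not the capture from the post.
SAMPLE = """\
10:00:00.100000 arp who-has 192.0.2.95 tell gw
10:00:00.250000 arp who-has 192.0.2.168 tell gw
10:00:00.400000 arp who-has 198.51.100.1 (Broadcast) tell 198.51.100.12
10:00:00.550000 arp who-has 192.0.2.88 tell gw
10:00:00.900000 arp who-has 203.0.113.42 tell gw
10:00:01.400000 arp who-has 198.51.100.1 (Broadcast) tell 198.51.100.12
10:00:01.700000 arp who-has 203.0.113.163 tell gw
10:00:05.000000 arp who-has 192.0.2.7 tell gw
"""

if __name__ == "__main__":
    print(arp_fanout(SAMPLE))
    print("flagged:", flag_sweeps(SAMPLE))
```

A host that keeps asking for one address, like the repeated requests for the gateway in the sample, scores 1 and is not flagged; only a requester fanning out across many addresses is.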