Date: Wed, 19 Sep 2001 20:18:46 -0700 (PDT)
From: Brian Whalen <bri@sonicboom.org>
To: Tom ONeil <tom.oneil@tacni.com>
Cc: Free <freebsd-isp@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: EMERGENCY - Arp attack? Am I being DOS'd ?
Message-ID: <20010919201741.Q10874-100000@cx175057-a.ocnsd1.sdca.home.com>
In-Reply-To: <3BA95D24.B5B737B9@tacni.com>

u r about to become the network guy, this is a classic symptom of a very
widespread attack going on now. See www.cert.org for example.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Wed, 19 Sep 2001, Tom ONeil wrote:

>
> Network guy on vacation, pls help if you can.
> Having major problems w/ my router getting overloaded.
>
> See below - BTW - gw is my router.
>
> # tcpdump -p | grep " arp "
> tcpdump: listening on rl0
> 22:04:43.323267 arp who-has 216.178.158.211 tell
> router-216-178-158-1.tacni.net
> 22:04:43.398803 arp who-has 209.251.183.1 (Broadcast) tell
> 209.251.183.12
> 22:04:43.473615 arp who-has 216-178-189-15.tacni.net tell
> router-216-178-189-1.tacni.net
> 22:04:43.623222 arp who-has 216.178.155.95 tell gw
> 22:04:43.636589 arp who-has 216.178.188.168 tell gw
> 22:04:43.679175 arp who-has 216.178.136.88 tell gw
> 22:04:43.684980 arp who-has 216.178.135.108 tell gw
> 22:04:43.758496 arp who-has 209.251.183.42 tell gw
> 22:04:43.793178 arp who-has 216.178.155.158 tell gw
> 22:04:43.832945 arp who-has 216-178-189-22.tacni.net tell
> router-216-178-189-1.tacni.net
> 22:04:43.947669 arp who-has 216.178.155.26 tell gw
> 22:04:43.989166 arp who-has 209.251.183.163 tell gw
> 22:04:44.102455 arp who-has 209.251.183.1 tell 209.251.183.225
> 22:04:44.279331 arp who-has 216.178.155.78 tell gw
> 22:04:44.391065 arp who-has 209.251.183.1 (Broadcast) tell
> 209.251.183.12
> 22:04:44.666819 arp who-has 216.178.135.202 tell gw
> 22:04:44.824443 arp who-has 216.178.155.92 tell gw
> 22:04:44.977537 arp who-has 216.178.154.141 tell gw
> 22:04:45.070651 arp who-has 216.178.136.2 tell gw
> 22:04:45.116522 arp who-has 216.178.156.42 tell gw
> 22:04:45.116901 arp who-has 209.251.183.1 tell 209.251.183.225
> 22:04:45.296852 arp who-has 216.178.135.31 tell gw
> 22:04:45.391056 arp who-has 209.251.183.1 (Broadcast) tell
> 209.251.183.12
> 22:04:45.558506 arp who-has 216.178.188.1 tell 216.178.188.14
>
>
>
>
> --
> Thomas J. ONeil tom.oneil@tacni.com
> http://www.tacni.net
> "National Power, Local Presence"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
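
Added example, not part of the original thread: a router sends an ARP request for every address on a directly connected subnet that it has to forward to and has no cache entry for, so counting distinct targets per requester shows which device is being made to resolve a wide spread of addresses. The function names and the threshold are assumptions of this example; the parser goes beyond the capture above by also accepting the "ARP, Request who-has X tell Y, length N" layout printed by newer tcpdump versions.

```shell
#!/bin/sh
# Added example (not from the thread): per-requester summary of ARP requests.
# Reads tcpdump text on stdin; prints "<requester> <requests> <distinct targets>",
# requester with the most distinct targets first.
arp_summary() {
    awk '
    {
        target = ""; requester = ""
        # Locate the tokens by name so both "arp who-has X tell Y" and
        # "ARP, Request who-has X tell Y, length N" parse.
        for (i = 1; i < NF; i++) {
            if ($i == "who-has") target = $(i + 1)
            if ($i == "tell") requester = $(i + 1)
        }
        sub(/,$/, "", requester)
        # Skip non-ARP lines and requests whose requester wrapped to the next line.
        if (target == "" || requester == "") next
        requests[requester]++
        if (!((requester, target) in seen)) {
            seen[requester, target] = 1
            distinct[requester]++
        }
    }
    END { for (r in requests) print r, requests[r], distinct[r] }
    ' | sort -k3,3nr -k1,1
}

# Print requesters that asked for at least $1 distinct addresses.
# The threshold is an assumption; scale it to the length of the capture.
arp_sweepers() {
    arp_summary | awk -v min="$1" '$3 >= min { print $1 }'
}

# Sample input: ten requests from the capture quoted above, wrapped lines rejoined.
sample_capture() {
    cat <<'EOF'
22:04:43.323267 arp who-has 216.178.158.211 tell router-216-178-158-1.tacni.net
22:04:43.398803 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:43.623222 arp who-has 216.178.155.95 tell gw
22:04:43.636589 arp who-has 216.178.188.168 tell gw
22:04:43.679175 arp who-has 216.178.136.88 tell gw
22:04:43.684980 arp who-has 216.178.135.108 tell gw
22:04:43.758496 arp who-has 209.251.183.42 tell gw
22:04:44.102455 arp who-has 209.251.183.1 tell 209.251.183.225
22:04:44.391065 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:45.116901 arp who-has 209.251.183.1 tell 209.251.183.225
EOF
}

sample_capture | arp_summary
```

On a live interface the same summary can be fed from `tcpdump -n -p arp | arp_summary` after stopping the capture; `-n` keeps addresses numeric so requesters are not split between a name and an IP.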