Subject: Re: ARP
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Ignatios Souvatzis <is@netbsd.org>
List: tech-net
Date: 04/01/2006 10:12:24
On Fri, Mar 31, 2006 at 01:29:20PM -0500, der Mouse wrote:
> >> 2006-03-31 07:52:08.858034 arp who-has 0.0.0.0 tell 88.xx.xx.xx
> >> 2006-03-31 07:52:08.858604 arp who-has 0.0.0.0 tell 88.xx.xx.xx
> > [T]his looks like backscatter from a misconfigured (or attacking)
> > machine that contacts the 88.xx.xx.xx using 0.0.0.0 as the source
> > address.
> 
> How would that do it?  0.0.0.0 is off-net for 88.x.x.x unless the
> netmask is /1, /0, or noncontiguous (which are all pretty implausible),
> so it shouldn't even *be* ARPing for it, as far as I can see.

Well, it can't be a primary DoS attack either, as no machine would answer
to that... maybe some unprotected IP stack (in a printer or something
similar) that needs to be reset?

Regards,
	-is
-- 
seal your e-mail: http://www.gnupg.org/