On Sun, Oct 27, 2002 at 06:20:33PM -0600, Steve Siegfried wrote:
> 
> Folks,
> 
> My ISP is <sigh> attbi.com.  For a while now, I've been flooded with arp
> "who-has" requests... up to 20/second in spurts and 1-2/second sustained
> for hours.  Most of the requesting boxes are various ATTBI.com routers or
> gateways, NOT client boxes.
> 
> Based on what tcpdump is telling me, most of the requests are for a very
> limited range of tcp-ip addresses.
> 
> Is anyone else seeing this?
> 
> Can anyone offer an explanation for why ATT is making what looks very
> much like continuous sweeps to keep their ip address mapping up to date?
> 
> It almost looks like a DOS attack mounted by my ISP'idly,
> 

While it is bad for the network, it's not AT&T's fault.

The source is a variety of things:

1) people port scanning blocks of IP addresses.
2) [insert scanning exploit here] scanning huge blocks of IPs looking
for hosts to infect.

AT&T (sadly) blocked port 80 further out in their network, which reduces
much of the arp storms that were caused by Code Red and its variants, but
there are plenty of other things/people out there still scanning.

> -S

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
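
An added example, not part of either message above: one way to check a tcpdump capture against the explanation in the reply is to total the who-has requests per requesting address and count how many distinct targets each one asks for. It assumes tcpdump's text output (the older "arp who-has" form and the newer "ARP, Request who-has" form); the function name and the sample lines, which use documentation addresses, are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches old ("arp who-has A tell B") and new
# ("ARP, Request who-has A tell B, length 46") tcpdump text output.
ARP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ .*?who-has (\d+\.\d+\.\d+\.\d+)"
    r"(?: \([0-9a-fA-F:]+\))? tell (\d+\.\d+\.\d+\.\d+)"
)

def summarize(lines):
    """Per requester: total requests, distinct targets, peak requests/second."""
    targets = defaultdict(Counter)     # requester -> target -> count
    per_second = defaultdict(Counter)  # requester -> HH:MM:SS -> count
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue  # not an ARP who-has line
        second, target, requester = m.groups()
        targets[requester][target] += 1
        per_second[requester][second] += 1
    return {
        req: {
            "requests": sum(seen.values()),
            "distinct_targets": len(seen),
            "peak_per_second": max(per_second[req].values()),
        }
        for req, seen in targets.items()
    }

# Constructed sample capture (not real traffic).
SAMPLE = """\
18:20:33.100000 arp who-has 192.0.2.10 tell 192.0.2.1
18:20:33.300000 arp who-has 192.0.2.11 tell 192.0.2.1
18:20:33.500000 arp who-has 192.0.2.12 tell 192.0.2.1
18:20:34.100000 arp who-has 192.0.2.10 tell 192.0.2.1
18:20:34.200000 ARP, Request who-has 192.0.2.77 tell 192.0.2.50, length 46
18:20:35.000000 IP 192.0.2.50.1024 > 192.0.2.1.53: UDP, length 30
""".splitlines()

if __name__ == "__main__":
    for req, stats in sorted(summarize(SAMPLE).items()):
        print(req, stats)
```

A gateway that asks for many distinct targets in a short window fits the scanning explanation: each probe to an address with no ARP entry makes the router broadcast a who-has for it.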