From the few message boards I have scanned this is due to, at least in part,
the Code Red virus aggressively scanning the local cable subnet.

LB

----- Original Message -----
From: "Steve Siegfried" <sos at zjod.net>
To: <tclug-list at mn-linux.org>
Sent: Sunday, October 27, 2002 6:20 PM
Subject: [TCLUG] Anyone else seeing a flood of arp "who-has" requests on
attbi.com?


>
> Folks,
>
> My ISP is <sigh> attbi.com.  For a while now, I've been flooded with arp
> "who-has" requests... up to 20/second in spurts and 1-2/second sustained
> for hours.  Most of the requesting boxes are various ATTBI.com routers or
> gateways, NOT client boxes.
>
> Based on what tcpdump is telling me, most of the requests are for a very
> limited range of tcp-ip addresses.
>
> Is anyone else seeing this?
>
> Can anyone offer an explanation for why ATT is making what looks very
> much like continuous sweeps to keep their ip address mapping up to date?
>
> It almost looks like a DOS attack mounted by my ISP'idly,
>
> -S
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>