ARP flood (Networking Forums, Windows Networking)

LostNetworker, 12-15-2003, 02:31 AM

I found a machine on my network that was sending out hundreds of thousands of ARP requests in seconds, basically flooding my network. It was sending out packets to each address in my subnet as follows:

10.10.1.1
10.10.1.2
xx.xx.xx.3
xx.xx.xx.4
xx.xx.2.1

and so forth. It just kept going and going.

I have turned off the machine and all is well now. I am wondering if the machine could have some sort of virus, or software on it that floods ARP requests. Also, could this be caused by a switch-aware packet sniffer? I guess what I am trying to determine is simply whether this was malicious or an accident by the user.

I found a lot of software that I feel should not have been installed by him, such as Snort, a key logger, packet builders and various other network auditing tools. Can anyone give me some good ideas on what I should be looking for, so that I can give my manager the facts? I don't want to sentence this person for something that may have been an accident...

What are my options?

Grey
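As an added example (not part of this thread), a small detector for the pattern the post describes: one sender issuing ARP requests at a high rate and walking the subnet address by address. The sample requests, MAC addresses and thresholds are constructed; a real capture would supply the (timestamp, sender MAC, target IP) tuples.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (no real capture): one sender walks 10.10.1.1 ... 10.10.1.200
# and then 10.10.2.1 ... 10.10.2.50 within a quarter second; two other hosts
# each send a single ordinary request.
SAMPLE = (
    [(0.001 * i, "00:11:22:33:44:55", f"10.10.1.{i}") for i in range(1, 201)]
    + [(0.001 * (200 + i), "00:11:22:33:44:55", f"10.10.2.{i}") for i in range(1, 51)]
    + [(0.5, "aa:bb:cc:dd:ee:01", "10.10.1.254"),
       (1.2, "aa:bb:cc:dd:ee:02", "10.10.1.1")]
)

def analyze(requests, window=1.0):
    """Per sender MAC, return (peak requests in any sliding window, longest run
    of targets that increase by exactly one address).

    A high peak means a flood; a long sequential run is the signature of a host
    walking the subnet address by address rather than resolving real peers.
    """
    by_sender = defaultdict(list)
    for ts, mac, target in sorted(requests):
        by_sender[mac].append((ts, int(ipaddress.ip_address(target))))
    stats = {}
    for mac, events in by_sender.items():
        peak, start = 0, 0
        for end in range(len(events)):           # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        longest = run = 1
        for prev, cur in zip(events, events[1:]):  # consecutive target addresses
            run = run + 1 if cur[1] == prev[1] + 1 else 1
            longest = max(longest, run)
        stats[mac] = (peak, longest)
    return stats

def suspects(requests, window=1.0, rate_threshold=100, sweep_threshold=50):
    """Senders that both exceed the per-window rate and show a long sequential sweep."""
    return sorted(mac for mac, (peak, run) in analyze(requests, window).items()
                  if peak >= rate_threshold and run >= sweep_threshold)

if __name__ == "__main__":
    for mac, (peak, run) in analyze(SAMPLE).items():
        print(f"{mac}: peak {peak} requests in 1s, longest sequential sweep {run}")
    print("suspects:", suspects(SAMPLE))
```

A legitimate host resolving a few peers never builds a long run of consecutive targets, which is what separates the sweeping sender from the two quiet ones here.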

Jussi, 12-15-2003, 10:57 AM

How did you notice the problem / find the computer sending the requests?

Jussi


"LostNetworker" <(E-Mail Removed)> wrote in message
news:4B81333B-6E2B-4D4E-9308-(E-Mail Removed)...

Al Edlund, 12-15-2003, 01:14 PM

Yes, there is a virus out there that does 'floods' of NetBIOS calls on the
network that is specific to WinXP. Found it myself the hard way; it managed
to load itself while I was building a new system and didn't have Norton
installed yet.
Al
"LostNetworker" <(E-Mail Removed)> wrote in message
news:4B81333B-6E2B-4D4E-9308-(E-Mail Removed)...

Grey, 12-15-2003, 01:51 PM

Do you know what the virus is called? I would like to investigate this more before I pass judgement on the user.

Sharad, 12-15-2003, 04:06 PM

I think you shouldn't pass judgement on the user yet.
If he is doing this purposefully, it's unlikely that he would leave
those hacking tools running and leave for the day.

Also, most key loggers and hacking tools are detected
as viruses by good antivirus software. So if you already have a good
antivirus s/w (Symantec, McAfee...), latest (not older than a year) version, and
all DAT files up to date, such hacking tools would have been detected
as viruses.
If it is really not a virus, then I suggest one thing.
From those network auditing tools you found,
delete one of the files required by those tools (like a .dll)
to run, so that those tools won't run and will give an error.

Then, after the user on that client machine has spent enough time there
and left, check if that .dll file has been restored again. If it is, then you
have a case.
But of course you must make sure that it's really not a virus.

Sharad

"Grey" <(E-Mail Removed)> wrote in message
news:65675A26-C153-47CC-A8E9-(E-Mail Removed)...

Al Edlund, 12-15-2003, 06:05 PM

It was the W32.Welchia.Worm (it infected the dllhost file).
Al
"Grey" <(E-Mail Removed)> wrote in message
news:65675A26-C153-47CC-A8E9-(E-Mail Removed)...