[Gllug] Someone is using the broadcast address!!

Hong Chyr hongchyr at yahoo.co.uk
Fri Oct 12 08:38:21 UTC 2007


Hi Rich

Thanks for the reply. Tried your suggestion. In fact, we just found out that the IP address is the network's broadcast address (netmask = 255.255.252.0).

Is there a way to stop or isolate the virus from making use of the broadcast mechanism?

Hong

Richard Jones <rich at annexia.org> wrote:
On Fri, Oct 12, 2007 at 02:44:26PM +0800, Hong Chyr wrote:
> I'm helping a friend troubleshoot this strange problem. He manages a 
> network that is extremely chaotic and virus ridden. One particular IP 
> address is identified as the major source of attack, 10.104.3.255. This 
> device is using the broadcast address and seems to be knocking on 
> everyone's doors to propagate worms.
> 
> If we ping the address, another IP address will respond in its place. 
> Question now is, how can we trace the IP to the machine? To add to the 
> difficulty, none of the switches are managed, i.e., there's no packet 
> statistics to identify which port is flooding the network.
> 
> Any ideas?

If you look in the arp table (/sbin/arp -an) can you map any of these
IP addresses to a particular MAC address? If so then you should be
able to work out the manufacturer of the machine / network card /
device from the MAC address. I believe that nmap automates this.

Although the switches aren't managed, do any give any sort of MAC-to-
port mapping?

How about looking at the lights on the switches to see which one
is flashing the most?

Rich.

-- 
Richard Jones

-- 
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
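The ARP check Rich describes, written out as an added example (this is not code from either poster): it confirms that 10.104.3.255 is the broadcast address of a /22 (netmask 255.255.252.0), parses `arp -an` output in the Linux format, and lists the unicast addresses whose cached MAC is the same one that answered for the broadcast address. The sample ARP table and its MAC addresses are constructed for the example, not taken from Hong's network; the OUI (first three octets) is returned so it can be looked up in a vendor table, which this script does not include.

```python
import ipaddress
import re

# Constructed sample of `arp -an` output (Linux format). The addresses and
# MACs are made up for this example; they are not from the thread's network.
SAMPLE_ARP = """\
? (10.104.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (10.104.2.7) at 66:77:88:99:aa:bb [ether] on eth0
? (10.104.0.9) at <incomplete> on eth0
? (10.104.3.255) at 00:11:22:33:44:55 [ether] on eth0
? (10.104.0.1) at de:ad:be:ef:00:01 [ether] on eth0
"""

# Matches "(ip) at mac"; an "<incomplete>" entry has no MAC and is skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac} from Linux `arp -an` output, skipping incomplete entries."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m.group("ip")] = m.group("mac").lower()
    return entries


def broadcast_of(ip, netmask):
    """Broadcast address of the subnet that contains ip under the given netmask."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def hosts_answering_for_broadcast(arp_entries, broadcast):
    """Unicast IPs whose cached MAC equals the MAC cached for the broadcast address.

    If a host's NIC is answering ARP for the broadcast address, the same MAC
    will normally also be cached under that host's own unicast address, which
    is the machine to go and find.
    """
    mac = arp_entries.get(broadcast)
    if mac is None:
        return []
    return sorted(ip for ip, m in arp_entries.items() if m == mac and ip != broadcast)


def oui_prefix(mac):
    """First three octets of a MAC: the OUI used to identify the NIC vendor."""
    return mac.lower()[:8]


if __name__ == "__main__":
    bcast = broadcast_of("10.104.3.255", "255.255.252.0")
    table = parse_arp(SAMPLE_ARP)
    print("broadcast address:", bcast)
    for ip in hosts_answering_for_broadcast(table, bcast):
        print(f"{ip} shares MAC {table[ip]} (OUI {oui_prefix(table[ip])}) with {bcast}")
```

On a real box, replace `SAMPLE_ARP` with the output of `/sbin/arp -an` run on a host in the same subnet; the OUI printed is what to look up for the manufacturer, as Rich suggests.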


       
---------------------------------
 Yahoo! Answers - Get better answers from someone who knows. Tryit now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20071012/8583937e/attachment.html>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug


More information about the GLLUG mailing list