[Gllug] Someone is using the broadcast address!!
Richard Jones
rich at annexia.org
Fri Oct 12 06:57:37 UTC 2007
On Fri, Oct 12, 2007 at 02:44:26PM +0800, Hong Chyr wrote:
> I'm helping a friend troubleshoot this strange problem. He manages a
> network that is extremely chaotic and virus ridden. One particular IP
> address is identified as the major source of attack, 10.104.3.255. This
> device is using the broadcast address and seems to be knocking on
> everyone's doors to propagate worms.
>
> If we ping the address, another IP address will respond in its place.
> Question now is, how can we trace the IP to the machine? To add to the
> difficulty, none of the switches are managed, i.e., there's no packet
> statistics to identify which port is flooding the network.
>
> Any ideas?

If you look in the arp table (/sbin/arp -an) can you map any of these
IP addresses to a particular MAC address? If so then you should be
able to work out the manufacturer of the machine / network card /
device from the MAC address. I believe that nmap automates this.

Although the switches aren't managed, do any give any sort of
MAC-to-port mapping?

How about looking at the lights on the switches to see which one
is flashing the most?

Rich.

--
Richard Jones
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
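
The ARP-table check suggested in the reply above, as an added example that is not part of the original message: a Python script that parses `/sbin/arp -an` output, finds the MAC address recorded for the suspect IP, and lists every other IP that resolves to the same MAC, plus the three-octet vendor prefix (OUI) to look up in the IEEE registry. It assumes the net-tools/BSD line format `? (ip) at mac ...`; the sample table is constructed and uses the RFC 7042 documentation MAC range, and the function names are hypothetical.

```python
import re

# Constructed sample of `/sbin/arp -an` output (not taken from the thread).
# MACs are from the RFC 7042 documentation range 00:00:5e:00:53:xx.
SAMPLE_ARP = """\
? (10.104.3.1) at 00:00:5e:00:53:01 [ether] on eth0
? (10.104.3.57) at 0:0:5e:0:53:9a [ether] on eth0
? (10.104.3.255) at 00:00:5e:00:53:9a [ether] on eth0
? (10.104.3.80) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\b"
)


def parse_arp(text):
    """Return {ip: mac} for resolved entries; <incomplete> lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        # Normalise to lower case with zero-padded octets, because some
        # arp implementations print "0:0:5e:..." without leading zeros.
        octets = m.group("mac").split(":")
        table[m.group("ip")] = ":".join(f"{int(o, 16):02x}" for o in octets)
    return table


def trace(table, suspect_ip):
    """Map suspect_ip to its MAC and to the other IPs sharing that MAC."""
    mac = table.get(suspect_ip)
    if mac is None:
        return None  # no resolved ARP entry for this address
    others = sorted(ip for ip, m in table.items()
                    if m == mac and ip != suspect_ip)
    # The first three octets are the OUI that identifies the card vendor.
    return {"mac": mac, "oui": mac[:8], "other_ips": others}


if __name__ == "__main__":
    print(trace(parse_arp(SAMPLE_ARP), "10.104.3.255"))
```

To run it against a live table, pass the output of `/sbin/arp -an` to `parse_arp` in place of `SAMPLE_ARP`.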