• Hey all,
    I have been dealing with a problem on a network for a while now and can't
    seem to put my finger on it.

    About 3-4 times a day I get these floods that I believe are bootp floods. I installed darkstat and it is saying port 68 is about half the traffic when this happens. The other half is ICMP.

    I have Ethereal, Wireshark, darkstat, and some other tools all collecting
    data. I have several dumps if anyone is interested. The MAC addresses in
    the raw packets are almost always different. I do not seem to see a
    pattern. Ethereal reports both source and destination as The
    floods seem to be crossing routers. I have blocked all ICMP traffic at the
    router levels.

    Ideas, methods to track it down further, or what it could be? If it is a
    "smurf" attack, should I not see the source or destination MAC address?

    Thanks in advance,

  • Are these floods at the same times that your DHCP client leases are due to be renewed?

  • No, leases are set to 7 days. This happens 2-3 times a day at least.

  • Looks like someone is doing some macflooding (see http://www.securesphere.net/download/papers/SwitchSniff.htm ):

    MAC Flooding
    Switches keep a translation table that maps various MAC addresses to the physical ports on the switch. As a result of this, a switch can intelligently route packets from one host to another, but it has a limited memory for this work. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch can't keep up. The switch then enters into what is known as 'failopen mode', wherein it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens, sniffing can be performed easily. MAC flooding can be performed by using macof, a utility which comes with the dsniff suite.

    [root@tachyon dhar]# macof
    77:6b:e1:6e:5e:8c 93:2d:ed:45:f9:e3 > S 1847390231:1847390231(0) win 512
    84:a4:d3:57:ef:8 12:56:52:42:dc:95 > S 1484147693:1484147693(0) win 512
    88:f0:9:3f:18:89 d:86:53:53:d7:f8 > S 293820390:293820390(0) win 512
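    As an added example for checking the dumps against the MAC-flooding theory (this is not code from the thread or from dsniff), the script below reads packet summaries in an assumed four-column layout, counts how many distinct source MACs appear per time window, reports the protocol mix darkstat was showing, and lists source MACs with the group (I/G) bit set, which no legitimate unicast sender uses. The sample records, window size and threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records: "seconds src_mac dst_mac proto" (assumed format,
# e.g. produced from a capture with a tshark/tcpdump field filter). The first
# second imitates a burst of random source MACs; the rest is ordinary traffic.
SAMPLE = """\
0.01 77:6b:e1:6e:5e:8c 93:2d:ed:45:f9:e3 tcp
0.02 84:a4:d3:57:ef:08 12:56:52:42:dc:95 tcp
0.03 88:f0:09:3f:18:89 0d:86:53:53:d7:f8 tcp
0.04 1a:2b:3c:4d:5e:6f ff:ff:ff:ff:ff:ff bootp
0.05 0a:0b:0c:0d:0e:0f ff:ff:ff:ff:ff:ff bootp
0.06 de:ad:be:ef:00:01 93:2d:ed:45:f9:e3 icmp
5.10 00:11:22:33:44:55 00:66:77:88:99:aa tcp
5.20 00:11:22:33:44:55 00:66:77:88:99:aa tcp
5.30 00:66:77:88:99:aa 00:11:22:33:44:55 tcp
"""

def parse(text):
    """Turn the summary lines into (timestamp, src, dst, proto) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, proto = line.split()
        records.append((float(ts), src.lower(), dst.lower(), proto.lower()))
    return records

def distinct_sources_per_window(records, window=1.0):
    """Map each window start to the set of distinct source MACs seen in it."""
    seen = defaultdict(set)
    for ts, src, _dst, _proto in records:
        seen[int(ts // window) * window].add(src)
    return seen

def flood_windows(records, window=1.0, threshold=5):
    """Windows with more distinct source MACs than a healthy segment should
    show. The threshold is an assumption; tune it to the size of your LAN."""
    seen = distinct_sources_per_window(records, window)
    return sorted((start, len(macs)) for start, macs in seen.items()
                  if len(macs) >= threshold)

def protocol_mix(records):
    """Fraction of records per protocol (what darkstat's split corresponds to)."""
    counts = Counter(proto for _ts, _src, _dst, proto in records)
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()}

def invalid_group_sources(records):
    """Source MACs whose first octet has the I/G bit set: a real host never
    sends from a group address, so these point at forged frames."""
    return {src for _ts, src, _dst, _proto in records
            if int(src.split(":")[0], 16) & 1}
```

Run it over a real export of one of the floods; a window that lights up with dozens of never-before-seen sources, or any source with the group bit set, supports the flooding explanation rather than a DHCP renewal storm.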

