2

I have been asked to remotely fix a family member's computer that is running "slow". I've had them run any number of S&D and AVG scans, even in safe mode, but they find nothing of interest. In using Remote Assistance to poke around, I installed Wireshark and discovered that the box is issuing up to 20 ARP requests per second, mostly for its local subnet (directly connected to WebSTAR 2000 USB cable modem) as seen in the graphic below.

The IP address at the time was 70.119.184.xx/255.255.240.0. The default gateway was 70.119.176.1 and the DHCP server was 10.212.0.1.

Is it possible this is legitimate traffic, or is this a symptom of a worm like WootBot trying to spread?

[Wireshark capture screenshot referenced above; image not reproduced]

EDIT: I think the machine is infected with Trojan.Opachki or something very like it.

EDIT: The ARP traffic is actually sourced elsewhere, so it is not an issue with the machine in question. There were signs of an Opachki infection, but I think that has been cleared up. I'll put him down for a router next Christmas.

  • To those voting to move to superuser, I posted it here because I wanted answers from people knowledgeable about ARP. I don't think I will find that kind of response on superuser. Commented Feb 7, 2010 at 2:42
  • 1
    How can your gateway be 10.212.0.1 if your network is 70.119.184.xx? Your machine would have to have a static route to the default gateway, which would make little sense... Is that really how it is set up? If so, what IP on the 70.119.184.xx network does it route through? It seems more likely from the sniffs that 70.119.176.1 is the default gateway, as that would be the first available IP in the 70.119.184.xx/20 subnet... Commented Feb 7, 2010 at 3:49
  • Sorry, 10.212.0.1 is the DHCP server. I mispasted :( Commented Feb 7, 2010 at 4:51

3 Answers

4

Not to be a party pooper, but the size of the subnet is irrelevant to the number of ARP broadcasts per second. Just because a subnet is large enough for x number of hosts doesn't mean that a host will ARP for x number of ip addresses in that subnet. A host sends an ARP packet when it needs to send a packet to another host. The only time a host will ARP for x number of ip addresses in its subnet (or a large number of ip addresses in its subnet) is if it's scanning the ip address range for its subnet (using an IP scanning program), it's infected with malware, or has a faulty NIC or NIC driver. At no other time does a host normally send a large number of ARP packets like what you're seeing. Additionally, a host will not send an ARP packet for an ip address that's not on its local subnet, as it knows that the ip address is not local and that it needs to send it to its default gateway, and therefore will not send an ARP packet for that ip address.

You have 5 hosts sending ARP packets on the network:

10.212.0.1 - This seems normal. This is the default gateway and there's only one ARP packet in your screenshot. The default gateway will send ARP packets in to the network when it needs to pass traffic to an internal host and that host's MAC address is not in its ARP cache (like every other network device does).

24.170.135.1 - I don't understand this one. This is a non-local ip address. Where is it coming from? Do you have multiple networks bridged together? Do any of the computers have multiple NICs connected to multiple networks, or multiple connections, such as a VPN connection, etc.?

24.233.137.1 - Again, this is a non-local ip address.

70.119.248.1 - This is probably normal, although the ip addresses it's ARP'ing for seem a little out of place. They're in the same subnet but far separated from what I would consider a normal ip addressing scheme.

70.119.176.1 - This is the one that worries me, as it's the one sending the bulk of the ARP packets. I suspect that this one is either performing a subnet scan for all ip addresses in the subnet, it's infected with malware, or it has a bad NIC or NIC driver.

ARP floods (which is what I believe you're dealing with) are not a normal condition in a network. ARP broadcasts exceeding about 3-5% of all network traffic are a very good indication that something is wrong.

EDIT

After re-reading your question with your recent edits, I have a different opinion of what's going on: if 70.119.176.1 is the default gateway for the network, and it's the one sending the bulk of the ARP requests for addresses in the subnet, then I'm thinking that someone external to you is performing an IP address/port scan against your network and your firewall is not blocking it. For every ip address being probed, your default gateway is sending an ARP request to try and find a host on the ip address being probed. Does your firewall, router, or modem have a log that you can look at?

I still don't understand where the 24.x.x.x addresses are coming from.

  • Doh 10.212.0.1 default gateway was a typo, that is the DHCP server. I am sure that it is scanning the local subnet but for what reason (I never see other packets following up the scan) I don't know. I think it might be infected with Trojan.Opachki. Thanks for your feedback, it helped me to know this was not normal. Commented Feb 7, 2010 at 4:47
  • I doubt that the DHCP server is scanning the network. More than likely it's trying to respond to a DHCP lease renewal packet from the device at 10.212.14.2.
    – joeqwerty
    Commented Feb 7, 2010 at 5:18
  • +1 for the edit: I agree. The default router is looking for other nodes on the network to respond to it. Since your family member's computer is on that network, you will see the arp requests, but not necessarily the arp reply. The other mass-arper is also probably a worm of some kind. However since none of the traffic is being generated by your family member's computer, I would make sure that virus scanners and/or firewalls are up to date; otherwise I wouldn't worry. Commented Feb 7, 2010 at 15:10
  • @joeqwerty, you are right, I should have checked the MAC addresses. The ARP packet source is the default gateway, not the local machine's. Commented Feb 7, 2010 at 21:53
0

Well with the computer directly connected to the cable modem you're going to get a lot of background noise. Especially on a broadcast domain that's a /20 which can support around 4.1k hosts. I'm not familiar with this modem, is USB the only option to hook this up to a local host/network?

I always recommend that you put a router in between your network and a broadband connection. Even if the network consists of a single computer. NAT will drop any unsolicited traffic which will effectively work as a firewall keeping worms from being able to gain direct access to a computer. This is especially important when you're talking about a Windows PC.

  • To be sure I would have never set it up that way, but it is beyond my control. Commented Feb 7, 2010 at 2:35
-1

20 ARPs per second is certainly in the range of normal background noise for the /20 subnet. I am surprised it is not higher. In general, ARP requests are not by themselves a sign of a worm trying to spread. You know just enough to be dangerous but not enough yet to know how to look at network traffic. Keep at it and keep asking questions; you will gain the insight to make real use of your tool kit.

  • 1
    How condescending there @Joe, thanks for that. You sure know how to encourage others to ask questions. Seeing how you are so knowledgeable could you explain why the machine would be doing ARP lookups for so many addresses when it isn't trying to access them? The arp cache doesn't contain entries for any of these addresses. Commented Feb 7, 2010 at 2:41
  • @ongle: See my answer for an explanation.
    – joeqwerty
    Commented Feb 7, 2010 at 3:16
    The size of the subnet is irrelevant to the number of ARP packets being sent on to the network. In addition, 20 ARP packets per second may not be normal. If those 20 ARP packets per second are in excess of 3-5% of the total network traffic, I'd be a little worried about it.
    – joeqwerty
    Commented Feb 7, 2010 at 3:27
  • @joeqwerty: I don't agree that the size of the subnet is irrelevant. The more hosts on a local subnet, the more arps you will see. Take this example: if you assume each machine sends out 1 arp every 20 minutes (check for default gateway), on a fully loaded Class C network you would see one ARP every ~5 seconds. Run that math for the 20 bit mask in the OP, and you are talking 3 ARPs every second. Commented Feb 7, 2010 at 3:46
  • @Scott Lundberg: That's the key, the number of actual, physical hosts on the subnet. If my subnet allows for 4,096 hosts but I only have six hosts, then the size of the subnet is irrelevant to the amount of ARP traffic on my network. A larger subnet allows for the possibility of a larger broadcast domain but again, if I only have a few hosts then it really doesn't matter how large the subnet is. In the OP's case, I would doubt if there's more than a half dozen or so hosts on the network.
    – joeqwerty
    Commented Feb 7, 2010 at 3:54
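The checks joeqwerty's answer applies by eye (ARP share of all traffic against the 3-5% rule of thumb, senders outside the local /20, one sender asking for many distinct targets) and the background-rate estimate from the comment thread above, as an added example that is not code from the original thread. It assumes a constructed capture modelled on the question's description; the sample rows, the 70.119.176.0/20 network and the 10-target scan threshold are assumptions, not the poster's real data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the capture the question describes (not the
# real screenshot): (timestamp_s, protocol, sender_ip, target_ip).
LOCAL_NET = ipaddress.ip_network("70.119.176.0/20")
SAMPLE = [(t * 0.1, "ARP", "70.119.176.1", f"70.119.18{t % 10}.{t + 1}")
          for t in range(20)]                       # gateway sweeping the /20
SAMPLE += [
    (0.25, "ARP", "70.119.190.1", "70.119.190.7"),   # local host, one target
    (0.75, "ARP", "24.170.135.1", "24.170.135.20"),  # sender outside the /20
    (1.15, "TCP", "70.119.184.50", "93.184.216.34"), # ordinary IP traffic
    (1.35, "TCP", "93.184.216.34", "70.119.184.50"),
]

def arp_share(packets):
    """Fraction of all frames that are ARP (the 3-5% rule of thumb)."""
    return sum(p[1] == "ARP" for p in packets) / len(packets)

def arp_senders(packets, local_net):
    """Per ARP sender: requests/s, distinct targets, and whether it is local."""
    by_sender = defaultdict(list)
    for ts, proto, src, dst in packets:
        if proto == "ARP":
            by_sender[src].append(dst)
    span = max(p[0] for p in packets) - min(p[0] for p in packets) or 1.0
    return {src: {"rate": len(dsts) / span,
                  "targets": len(set(dsts)),
                  "local": ipaddress.ip_address(src) in local_net}
            for src, dsts in by_sender.items()}

def flag_anomalies(packets, local_net, share_max=0.05, scan_targets=10):
    """Apply the answer's three checks; returns (sender, reason) pairs."""
    findings = []
    if arp_share(packets) > share_max:
        findings.append(("*", "ARP share above the 3-5% rule of thumb"))
    for src, s in arp_senders(packets, local_net).items():
        if not s["local"]:
            findings.append((src, "ARP sender outside the local subnet"))
        if s["targets"] >= scan_targets:
            findings.append((src, "many distinct targets: scan, malware or bad NIC"))
    return findings

def expected_background_rate(hosts, per_host_interval_s=20 * 60):
    return hosts / per_host_interval_s  # comment thread's one-ARP-per-20-min baseline

if __name__ == "__main__":
    for finding in flag_anomalies(SAMPLE, LOCAL_NET):
        print(finding)
```

On the constructed sample the sweep from 70.119.176.1 and the non-local 24.170.135.1 are flagged while 70.119.190.1 is not; the baseline function reproduces the thread's figures (about 0.2/s for a full /24, about 3.4/s for a full /20).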
