Topic: Report: Possible problem with malware ARP spoofing on certain hardware?
Posted on: June 06, 2007, 11:23:12 by nobody

Hi,

I believe I may have found a problem that may or may not be about m0n0wall; unfortunately, it seems to be very elaborate, especially if my writing isn't clear (sorry).

At most, this is probably just 'reporting.'


In summary:

One of the computers on LAN, running Windows XP, appears to be affected by malware that probably does ARP poisoning (which I'm probably wrong about).  (The ARP table will have the same hostname listed for all computers under LAN, even after clearing it.)  Strangely, in spite of swapping out for various cards and RAM (xl, fxp, rtl8139), it turns out that the problems disappear when changing motherboards -- specifically from an eMachines integrated i810, to an AOpen i440BX.  (The eMachines ran fine when used for video capture.)

(DNS servers in 'General setup' were also switched to Level3 (4.2.2.1 - 4.2.2.6?) and old GTE (Verizon) addresses (206.124.64.253, 206.124.65.253); no difference.)


More specifically:

There were the symptoms described in (/kernel: arp:) Spamming - network loop? and m0n0wall having frequent failures on different hardware, affecting all other computers on LAN, regardless of their OS or level of protection (additional requests to 4255.biz, 9166.biz, s???.cnzz.com, etc. when browsing some websites relatively closed (e.g. mozilla.org) -- this is seen on a separate machine, NT 4.0 SP6 with Kerio PFW, detached NetBIOS / SMB on TCP/IP, etcetera).
Quote
Jun 5 21:31:27    kernel: arp: 192.168.144.111 moved from 00:d0:b7:8f:17:c4 to 00:50:ba:8f:d0:e9 on fxp0
Jun 5 21:31:17    kernel: arp: 192.168.144.111 moved from 00:d0:b7:8f:17:c4 to 00:50:ba:8f:d0:e9 on fxp0
(and so on)
and also having m0n0wall (and the entire WAN connection in general) working "just fine" for 1-2 days, then eventually ceasing to work, similarly to the above.  (Remote syslogd wasn't particularly useful.)

Also, blocking the addresses in question (either through DNS forwarder or firewall rules) doesn't seem to have a great effect, as the ARP table stuff seems to take precedence (and meanwhile severely reduced performance -- ~200 kbps now, vs. < 6000 kbps nominal).


If anything, I'm not sure where this post is supposed to go, esp. if switching to a separate board appeared to solve the problem (apparently not feasible for 4801, etc.), although I do highly believe that the above two posts were due to this issue.  (I suppose I could also try some more testing, using different firewall software or something, if needed?)

Any thoughts?


--
"nobody"
(edits: DNS, clarity of arrangement, subject)
« Last Edit: June 06, 2007, 11:37:25 by nobody »
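A small detector for the kernel messages quoted in the post, written for this page as an added example (it is not m0n0wall's code): it parses syslog lines in the "arp: ... moved from ... to ..." format above, counts how often each IP's MAC changes, and flags a MAC that takes over several addresses, which is the "same host for every entry" ARP-table symptom described. The sample log is constructed; the extra lines and the flap threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the FreeBSD kernel "arp: ... moved from ... to ..." line quoted in the post.
ARP_MOVE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+kernel: arp: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifn>\w+)$"
)

# Constructed sample log: the two lines quoted in the post plus invented follow-ups
# (a second host, a flip back to the original MAC, and an unrelated kernel line).
SAMPLE_LOG = """\
Jun 5 21:31:17    kernel: arp: 192.168.144.111 moved from 00:d0:b7:8f:17:c4 to 00:50:ba:8f:d0:e9 on fxp0
Jun 5 21:31:27    kernel: arp: 192.168.144.111 moved from 00:d0:b7:8f:17:c4 to 00:50:ba:8f:d0:e9 on fxp0
Jun 5 21:31:40    kernel: arp: 192.168.144.112 moved from 00:0c:29:aa:bb:cc to 00:50:ba:8f:d0:e9 on fxp0
Jun 5 21:32:02    kernel: arp: 192.168.144.111 moved from 00:50:ba:8f:d0:e9 to 00:d0:b7:8f:17:c4 on fxp0
Jun 5 21:32:15    kernel: fxp0: link state changed to UP
"""

def parse_arp_moves(text):
    """Return one dict per matching ARP-move line; other lines are skipped."""
    moves = []
    for line in text.splitlines():
        m = ARP_MOVE.match(line.strip())
        if m:
            moves.append(m.groupdict())
    return moves

def analyze(moves, min_moves=2):
    """Flag IPs whose MAC keeps changing and MACs that claim several IPs."""
    per_ip = defaultdict(lambda: {"moves": 0, "macs": set()})
    ips_per_mac = defaultdict(set)
    for mv in moves:
        rec = per_ip[mv["ip"]]
        rec["moves"] += 1
        rec["macs"].update((mv["old"], mv["new"]))
        ips_per_mac[mv["new"]].add(mv["ip"])  # MAC that just took over the IP
    flapping = {ip: {"moves": r["moves"], "macs": sorted(r["macs"])}
                for ip, r in per_ip.items() if r["moves"] >= min_moves}
    shared = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return {"flapping_ips": flapping, "shared_macs": shared}

if __name__ == "__main__":
    report = analyze(parse_arp_moves(SAMPLE_LOG))
    for ip, info in report["flapping_ips"].items():
        print(f"{ip}: {info['moves']} moves between {info['macs']}")
    for mac, ips in report["shared_macs"].items():
        print(f"{mac} now answers for {len(ips)} addresses: {ips}")
```

Run against a remote syslog capture from the firewall, a MAC that shows up under `shared_macs` is the host to pull off the LAN and inspect.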