Published October 17th, 2004 by Jim O'Halloran
Finding Infected Machines
I found this tip on Everything SysAdmin for finding infected machines. By using tcpdump and a bit of Unix shell we can find the machines in the network sending the most ARP requests.
What’s one sign that a machine is infected with some kind of malware? How about a quick test to see which machines are ARPing the most?
ARP requests aren’t necessarily a sign of infection, but a machine that is ARPing a lot is trying to reach a lot of different machines. Unless the machine in question is a server of some kind, that’s probably something that should be investigated. Hence a list of machines which are ARPing a lot becomes a useful tool.
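The tip itself is just tcpdump plus a short pipeline, so here is a worked version of it as an added example (it is not the script from Everything SysAdmin or from the original post). The capture lines are constructed, the interface name in the live-use comment is assumed, and the function names are my own.

```shell
#!/bin/sh
# Added example: count ARP requests per requesting host from tcpdump-style
# output so the noisiest hosts float to the top. SAMPLE_ARP is a constructed
# capture, not real traffic; 10.0.0.23 plays the noisy workstation, 10.0.0.1 a
# server and 10.0.0.5 a normal client. Both tcpdump ARP line styles are included.
SAMPLE_ARP=$(cat <<'EOF'
12:00:01.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.23, length 28
12:00:01.000002 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:01.000003 ARP, Request who-has 10.0.0.2 tell 10.0.0.23, length 28
12:00:01.000004 ARP, Request who-has 10.0.0.3 tell 10.0.0.23, length 28
12:00:01.000005 ARP, Request who-has 10.0.0.23 tell 10.0.0.1, length 28
12:00:01.000006 ARP, Reply 10.0.0.23 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:01.000007 arp who-has 10.0.0.4 tell 10.0.0.23
12:00:01.000008 arp who-has 10.0.0.5 tell 10.0.0.23
12:00:01.000009 arp who-has 10.0.0.1 tell 10.0.0.5
12:00:01.000010 arp reply 10.0.0.1 is-at 00:11:22:33:44:55
12:00:01.000011 ARP, Request who-has 10.0.0.9 tell 10.0.0.5, length 28
EOF
)

# arp_talkers: read tcpdump ARP lines on stdin and print "<requests> <ip>" for
# each requesting host, busiest first. Only "who-has ... tell X" lines count;
# replies are ignored because they say nothing about who is doing the asking.
arp_talkers() {
  awk '/who-has/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "tell") {
             ip = $(i + 1)
             sub(/,$/, "", ip)   # newer tcpdump appends ", length N"
             count[ip]++
           }
         }
       }
       END { for (ip in count) print count[ip], ip }' | sort -rn
}

# top_arper: the single host that sent the most ARP requests in the sample.
top_arper() {
  printf '%s\n' "$SAMPLE_ARP" | arp_talkers | head -n 1 | awk '{ print $2 }'
}

# arp_count_for IP: how many ARP requests IP sent in the sample (0 if none).
arp_count_for() {
  printf '%s\n' "$SAMPLE_ARP" | arp_talkers |
    awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# suspects THRESHOLD: hosts that sent more than THRESHOLD requests, one per line.
# Servers can land here too, so treat the output as a review list, not a verdict.
suspects() {
  printf '%s\n' "$SAMPLE_ARP" | arp_talkers | awk -v t="$1" '$1 > t { print $2 }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_ARP" | arp_talkers
```

For a live network you would feed a real capture in instead of the sample, e.g. `tcpdump -n -l -i eth0 arp | arp_talkers` (interface name assumed; `-l` keeps the output line-buffered so the counts update as you watch, and `-n` stops tcpdump from doing reverse lookups that would themselves generate traffic). Let it run for a few minutes before reading anything into the numbers: a freshly booted machine or one with a short ARP cache timeout will look busy for a moment without being infected.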
TomLimoncelli Says
Good point about servers… except servers actually don’t ARP all that much either. They snag the MAC address of the client from the first packet from the client, thus removing the need to send an ARP. At least I’ve always assumed they do. That would make a good experiment.
Oct 18th, 2004 at 6:14 am
Jim O'Halloran Says
Tom,
I teach a network security course; in one of the lectures we teach the students how to use packet capture tools. Even in our room, which is disconnected from the main campus network, we see a lot of ARP traffic (enough sometimes that it’s hard to see the data).
My recollection from watching the various captures is that the servers in the room seem to ARP each client IP before responding. Once ARPed, the MAC address should remain in the ARP cache, thus removing the need to ARP it again for a while. That being the case, then servers will probably ARP more than most normal workstations.
Of course what you’re saying also makes sense. Extract the source MAC address from the packet and store it in the ARP cache for a while to save sending an ARP request. It’s possible, though, that the IP stack doesn’t do this because it would make it easier to poison the ARP cache. For example, you could send the server a packet with a spoofed IP address and your own MAC, and you’ll redirect traffic away from the IP’s original owner until the entry expires from the cache.
Now that I’ve thought about it in more detail, there are advantages and disadvantages both ways. Might have to try the experiment and see which the kernel actually implements.
Jim.
Oct 18th, 2004 at 8:22 am