Solved

PDC Offline (possible attack)

Posted on 2004-08-23
Last Modified: 2008-01-09
Our NT4 PDC is completely offline. We have tried replacing cables, NIC cards, and switches but to no avail. When I run Ethereal, I get a whole lot of this (192.168.1.3 being the address of our PDC):
------------------------------------------------------------------------------------------------------------------------------------
No.     Time        Source                Destination           Protocol Info
      9 0.000064    65369.1               0.255                 ZIP      GetNetInfo request

Frame 9 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     10 0.000069    65369.1               0.255                 ZIP      GetNetInfo request

Frame 10 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     11 0.000079    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 11 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     12 0.000087    65369.1               0.255                 ZIP      GetNetInfo request

Frame 12 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     13 0.000095    65369.1               0.255                 ZIP      GetNetInfo request

Frame 13 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     14 0.000881    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 14 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     15 0.000888    65369.1               0.255                 ZIP      GetNetInfo request

Frame 15 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     16 0.000897    65369.1               0.255                 ZIP      GetNetInfo request

Frame 16 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     17 0.000899    65369.1               0.255                 ZIP      GetNetInfo request

Frame 17 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     18 0.000908    65369.1               0.255                 ZIP      GetNetInfo request

Frame 18 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     19 0.000913    65369.1               0.255                 ZIP      GetNetInfo request

Frame 19 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     20 0.000921    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 20 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     21 0.000929    65369.1               0.255                 ZIP      GetNetInfo request

Frame 21 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     22 0.000938    65369.1               0.255                 ZIP      GetNetInfo request

Frame 22 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     23 0.000943    65369.1               0.255                 ZIP      GetNetInfo request

Frame 23 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     24 0.000953    65369.1               0.255                 ZIP      GetNetInfo request

Frame 24 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     25 0.000959    65369.1               0.255                 ZIP      GetNetInfo request

Frame 25 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     26 0.000970    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 26 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     27 0.001746    65369.1               0.255                 ZIP      GetNetInfo request

Frame 27 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     28 0.001752    65369.1               0.255                 ZIP      GetNetInfo request

Frame 28 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     29 0.001760    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 29 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     30 0.001769    65369.1               0.255                 ZIP      GetNetInfo request

Frame 30 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     31 0.001776    65369.1               0.255                 ZIP      GetNetInfo request

Frame 31 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     32 0.001782    65369.1               0.255                 ZIP      GetNetInfo request

Frame 32 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     33 0.001799    65369.1               0.255                 ZIP      GetNetInfo request

Frame 33 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     35 0.001818    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
------------------------------------------------------------------------------------------------------------------------------------

It looks to me like some kind of attack, but I am not sure. Any ideas???
Question by:medium_grade
LVL 8

Expert Comment

by:MarkDozier
ID: 11877694
Why not bring it down? Take it offline and promote the BDC to PDC. Then you have time to figure out what is happening.
Is there anything stopping you from doing this?
 

Author Comment

by:medium_grade
ID: 11877863
My network admin replaced the nic and ran a repair on the OS. The PDC seems to be back online, but I am still getting tons of the aforementioned network traffic. Should I be worried?
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11878498
Are you using GetNet print servers?
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11878598
   ZIP      GetNetInfo request
Zone Information Protocol (ZIP)
This is related to the AppleTalk routing protocol. So somewhere you have AppleTalk running on something and it is broadcasting the GetNetInfo request.


Author Comment

by:medium_grade
ID: 11882472
I checked up on it and the only 3 Apple computers that are ever on our network were offline. Is there any known attack that uses these kinds of packets?
 

Author Comment

by:medium_grade
ID: 11883404
I read about a "ZIP Storm." According to the brief definition, a ZIP storm is "A network broadcast storm that occurs when a router running AppleTalk propagates a route for which it currently has no corresponding zone name. The route is then forwarded by any and all downstream routers, and a ZIP storm ensues."

Does that seem correct to anyone else?
 

Author Comment

by:medium_grade
ID: 11883470
Also, what are those broadcast packets?

Here is a summary line from the first 1000 packets Ethereal picked up:
http://www.pennylane.org/EE/packets.xls

Let me know what you guys think.

--Dave
 
LVL 8

Accepted Solution

by: MarkDozier (earned 500 total points)
ID: 11887880
It appears that I lost the part of my post that told you about the ARP packets.

ARP (Address Resolution Protocol) broadcasts are normal traffic on any network.

ARP converts an IP address to its corresponding physical network address. It is a low-level protocol (at layer 2 in the OSI model) usually implemented in the device drivers of network operating systems. ARP is most commonly seen on Ethernet networks, but ARP has also been implemented for ATM, Token Ring, and other physical networks. The first RFC discussing ARP (for Ethernet) was RFC 826.

Ethernet network adapters are produced with a physical address (called the Media Access Control or MAC address) embedded in the hardware. Manufacturers take care to ensure these 6-byte addresses are unique, and Ethernet relies on these unique identifiers for frame delivery. When an IP packet arrives at a network gateway, the gateway needs to convert the destination IP address to the appropriate MAC address so that it can be delivered over Ethernet. Some IP-to-MAC address mappings are maintained in an ARP cache, but if the given IP address does not appear there, the gateway will send an ARP request that is broadcast on the local subnet. The host with the given IP address sends an ARP reply to the gateway, who in turn delivers the packet (and updates its cache).

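As an added example (not code from this thread or from Ethereal), a small Python script that parses summary lines in the layout quoted in the question and runs the two checks the discussion turns on: which (protocol, source) pairs are flooding the broadcast domain, and which ARP "Who has" requests never get an "is at" reply, which is what the capture shows for the PDC's repeated requests for 192.168.1.121. The sample lines are constructed in the same layout; frames 21 and 22 (host 192.168.1.7 and a reply from 192.168.1.1) are made up to show what an answered request looks like.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Ethereal summary lines quoted in the
# question (frame no, time, source, destination, protocol, info); frames 21-22
# are made up to show what an answered ARP request looks like.
SAMPLE_CAPTURE = """\
      9 0.000064    65369.1               0.255                 ZIP      GetNetInfo request
     10 0.000069    65369.1               0.255                 ZIP      GetNetInfo request
     11 0.000079    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     14 0.000881    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     20 0.000921    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     21 0.000930    192.168.1.7            Broadcast             ARP      Who has 192.168.1.1?  Tell 192.168.1.7
     22 0.000940    192.168.1.1            192.168.1.7           ARP      192.168.1.1 is at 00:00:00:00:00:01
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s*$")
ARP_REQ_RE = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")
ARP_REPLY_RE = re.compile(r"^(\S+) is at ")

def parse_summary(text):
    """Turn summary lines into dicts; header and detail lines that do not fit are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            frames.append({"no": int(no), "time": float(t), "src": src,
                           "dst": dst, "proto": proto, "info": info})
    return frames

def broadcast_counts(frames):
    """Broadcast frames per (protocol, source); '0.255' is AppleTalk's broadcast node."""
    return Counter((f["proto"], f["src"]) for f in frames
                   if f["dst"] == "Broadcast" or f["dst"].endswith(".255"))

def unanswered_arp(frames):
    """Map target IP -> number of 'Who has' requests with no 'is at' reply in the capture."""
    requests, answered = Counter(), set()
    for f in frames:
        if f["proto"] != "ARP":
            continue
        req = ARP_REQ_RE.search(f["info"])
        rep = ARP_REPLY_RE.match(f["info"])
        if req:
            requests[req.group(1)] += 1
        elif rep:
            answered.add(rep.group(1))
    return {ip: n for ip, n in requests.items() if ip not in answered}
```

Feed `parse_summary` the real summary export instead of `SAMPLE_CAPTURE` and the top entries of `broadcast_counts(...).most_common()` point straight at the AppleTalk node and the host whose ARP cache misses are going unanswered.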