Solved

PDC Offline (possible attack)

Posted on 2004-08-23
914 Views
Last Modified: 2008-01-09
Our NT4 PDC is completely offline. We have tried replacing cables, NIC cards, and switches but to no avail. When I run Ethereal, I get a whole lot of this (192.168.1.3 being the address of our PDC):
------------------------------------------------------------------------------------------------------------------------------------
No.     Time        Source                Destination           Protocol Info
      9 0.000064    65369.1               0.255                 ZIP      GetNetInfo request

Frame 9 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     10 0.000069    65369.1               0.255                 ZIP      GetNetInfo request

Frame 10 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     11 0.000079    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 11 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     12 0.000087    65369.1               0.255                 ZIP      GetNetInfo request

Frame 12 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     13 0.000095    65369.1               0.255                 ZIP      GetNetInfo request

Frame 13 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     14 0.000881    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 14 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     15 0.000888    65369.1               0.255                 ZIP      GetNetInfo request

Frame 15 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     16 0.000897    65369.1               0.255                 ZIP      GetNetInfo request

Frame 16 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     17 0.000899    65369.1               0.255                 ZIP      GetNetInfo request

Frame 17 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     18 0.000908    65369.1               0.255                 ZIP      GetNetInfo request

Frame 18 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     19 0.000913    65369.1               0.255                 ZIP      GetNetInfo request

Frame 19 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     20 0.000921    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 20 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     21 0.000929    65369.1               0.255                 ZIP      GetNetInfo request

Frame 21 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     22 0.000938    65369.1               0.255                 ZIP      GetNetInfo request

Frame 22 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     23 0.000943    65369.1               0.255                 ZIP      GetNetInfo request

Frame 23 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     24 0.000953    65369.1               0.255                 ZIP      GetNetInfo request

Frame 24 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     25 0.000959    65369.1               0.255                 ZIP      GetNetInfo request

Frame 25 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     26 0.000970    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 26 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     27 0.001746    65369.1               0.255                 ZIP      GetNetInfo request

Frame 27 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     28 0.001752    65369.1               0.255                 ZIP      GetNetInfo request

Frame 28 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     29 0.001760    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 29 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     30 0.001769    65369.1               0.255                 ZIP      GetNetInfo request

Frame 30 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     31 0.001776    65369.1               0.255                 ZIP      GetNetInfo request

Frame 31 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     32 0.001782    65369.1               0.255                 ZIP      GetNetInfo request

Frame 32 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     33 0.001799    65369.1               0.255                 ZIP      GetNetInfo request

Frame 33 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     35 0.001818    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
------------------------------------------------------------------------------------------------------------------------------------

It looks to me like some kind of attack, but I am not sure. Any ideas???
Question by:medium_grade
11 Comments
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11877694
Why not bring it down? Take it offline and promote the BDC to PDC. Then you have time to figure out what is happening.
Is there anything stopping you from doing this?
 

Author Comment

by:medium_grade
ID: 11877863
My network admin replaced the nic and ran a repair on the OS. The PDC seems to be back online, but I am still getting tons of the aforementioned network traffic. Should I be worried?
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11878498
Are you using GetNet print servers?
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11878598
   ZIP      GetNetInfo request
Zone Information Protocol (ZIP)  
This is related to the AppleTalk routing protocol. So somewhere you have AppleTalk running on something and it is broadcasting the GetNetInfo request.

 

Author Comment

by:medium_grade
ID: 11882472
I checked up on it and the only 3 Apple computers that are ever on our network were offline. Is there any known attack that uses these kinds of packets?
 

Author Comment

by:medium_grade
ID: 11883404
I read about a "ZIP Storm." According to the brief definition, a ZIP storm is "A network broadcast storm that occurs when a router running AppleTalk propagates a route for which it currently has no corresponding zone name. The route is then forwarded by any and all downstream routers, and a ZIP storm ensues."

Does that seem correct to anyone else?
 

Author Comment

by:medium_grade
ID: 11883470
Also, what are those broadcast packets?

Here is a summary line from the first 1000 packets Ethereal picked up:
http://www.pennylane.org/EE/packets.xls

Let me know what you guys think.

--Dave
 
LVL 8

Accepted Solution

by:MarkDozier (earned 500 total points)
ID: 11887880
It appears that I lost the part of my post that told you about the ARP packets.

ARP (Address Resolution Protocol) broadcasts are normal traffic on any network.

ARP converts an IP address to its corresponding physical network address. It is a low-level protocol (at layer 2 in the OSI model) usually implemented in the device drivers of network operating systems. ARP is most commonly seen on Ethernet networks, but ARP has also been implemented for ATM, Token Ring, and other physical networks. The first RFC discussing ARP (for Ethernet) was RFC 826.

Ethernet network adapters are produced with a physical address (called the Media Access Control or MAC address) embedded in the hardware. Manufacturers take care to ensure these 6-byte addresses are unique, and Ethernet relies on these unique identifiers for frame delivery. When an IP packet arrives at a network gateway, the gateway needs to convert the destination IP address to the appropriate MAC address so that it can be delivered over Ethernet. Some IP-to-MAC address mappings are maintained in an ARP cache, but if the given IP address does not appear there, the gateway will send an ARP request that is broadcast on the local subnet. The host with the given IP address sends an ARP reply to the gateway, which in turn delivers the packet (and updates its cache).

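The two expert comments above classify the traffic by protocol (ZIP GetNetInfo is an AppleTalk zone lookup; ARP broadcasts are normal) but do not say how to tell ordinary broadcasts from a storm. The useful measure is how often the same request from the same source repeats. The script below is an added example written for this page, not code from the thread or from Ethereal. It parses the one-line frame summaries quoted in the question, groups identical requests per source, and reports count, tightest inter-arrival gap and rate, flagging anything above an assumed threshold of 100 identical requests per second (stacks normally retry an unanswered ARP or GetNetInfo on the order of once per second). It also decodes the AppleTalk source address using the fact that network numbers 0xFF00 to 0xFFFE are the startup range a node uses provisionally until a seed router assigns it a real network number.

```python
import re
from decimal import Decimal

# Frame summaries as quoted in the question (Ethereal one-line format:
# No. / Time / Source / Destination / Protocol / Info). Frame 34 is not in the post.
CAPTURE = """\
      9 0.000064    65369.1               0.255                 ZIP      GetNetInfo request
     10 0.000069    65369.1               0.255                 ZIP      GetNetInfo request
     11 0.000079    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     12 0.000087    65369.1               0.255                 ZIP      GetNetInfo request
     13 0.000095    65369.1               0.255                 ZIP      GetNetInfo request
     14 0.000881    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     15 0.000888    65369.1               0.255                 ZIP      GetNetInfo request
     16 0.000897    65369.1               0.255                 ZIP      GetNetInfo request
     17 0.000899    65369.1               0.255                 ZIP      GetNetInfo request
     18 0.000908    65369.1               0.255                 ZIP      GetNetInfo request
     19 0.000913    65369.1               0.255                 ZIP      GetNetInfo request
     20 0.000921    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     21 0.000929    65369.1               0.255                 ZIP      GetNetInfo request
     22 0.000938    65369.1               0.255                 ZIP      GetNetInfo request
     23 0.000943    65369.1               0.255                 ZIP      GetNetInfo request
     24 0.000953    65369.1               0.255                 ZIP      GetNetInfo request
     25 0.000959    65369.1               0.255                 ZIP      GetNetInfo request
     26 0.000970    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     27 0.001746    65369.1               0.255                 ZIP      GetNetInfo request
     28 0.001752    65369.1               0.255                 ZIP      GetNetInfo request
     29 0.001760    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     30 0.001769    65369.1               0.255                 ZIP      GetNetInfo request
     31 0.001776    65369.1               0.255                 ZIP      GetNetInfo request
     32 0.001782    65369.1               0.255                 ZIP      GetNetInfo request
     33 0.001799    65369.1               0.255                 ZIP      GetNetInfo request
     35 0.001818    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# AppleTalk startup range 0xFF00-0xFFFE: a node uses a provisional network
# number from here until a seed router's GetNetInfo reply gives it the real one.
STARTUP_RANGE = range(0xFF00, 0xFFFF)
# Assumed threshold in identical requests per second; normal ARP and ZIP
# retries are on the order of one per second, not thousands.
STORM_RATE = 100.0


def parse_summary(text):
    """Return {(source, protocol, info): [timestamps in microseconds]}."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _no, t, src, _dst, proto, info = m.groups()
        key = (src, proto, " ".join(info.split()))
        # Decimal avoids float rounding when turning "0.000899" into 899 us.
        flows.setdefault(key, []).append(int(Decimal(t) * 1_000_000))
    return flows


def appletalk_note(addr):
    """Decode an AppleTalk net.node address such as '65369.1'."""
    net, node = (int(x) for x in addr.split("."))
    if net in STARTUP_RANGE:
        return f"net {net} is in the startup range: node {node} never got a network number from a seed router"
    return f"net {net}, node {node}"


def triage(text, storm_rate=STORM_RATE):
    """Per identical request: count, tightest spacing, rate, and a storm verdict."""
    findings = []
    for (src, proto, info), times in parse_summary(text).items():
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        span = times[-1] - times[0]
        rate = (len(times) - 1) * 1_000_000 / span if span else 0.0
        findings.append({
            "source": src, "protocol": proto, "info": info,
            "count": len(times), "min_gap_us": min(gaps) if gaps else None,
            "rate_per_s": round(rate), "storm": rate > storm_rate,
            "note": appletalk_note(src) if proto == "ZIP" else "",
        })
    return findings


if __name__ == "__main__":
    for r in triage(CAPTURE):
        flag = "STORM" if r["storm"] else "ok"
        print(f"{flag:5} {r['protocol']:4} {r['source']:<12} x{r['count']:<3} "
              f"~{r['rate_per_s']}/s, min gap {r['min_gap_us']} us: {r['info']} {r['note']}")
```

Run against the quoted frames, both flows are flagged: 20 GetNetInfo requests in about 1.7 ms from 65369.1, whose network number sits in the startup range (so the AppleTalk node has not found a seed router and keeps asking), and six ARP requests for 192.168.1.121 in the same window. Note that the ARP requests are sent by the PDC itself (192.168.1.3, source MAC 00:b0:d0:78:9b:88 in the frame detail), so they are something the PDC is doing, not something being done to it; the same script run over a longer summary export from Ethereal (File > Print or tshark one-line output) will show whether any other host is contributing.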
