  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 930

PDC Offline (possible attack)

Our NT4 PDC is completely offline. We have tried replacing cables, NIC cards, and switches but to no avail. When I run Ethereal, I get a whole lot of this (192.168.1.3 being the address of our PDC):
------------------------------------------------------------------------------------------------------------------------------------
No.     Time        Source                Destination           Protocol Info
      9 0.000064    65369.1               0.255                 ZIP      GetNetInfo request

Frame 9 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     10 0.000069    65369.1               0.255                 ZIP      GetNetInfo request

Frame 10 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     11 0.000079    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 11 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     12 0.000087    65369.1               0.255                 ZIP      GetNetInfo request

Frame 12 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     13 0.000095    65369.1               0.255                 ZIP      GetNetInfo request

Frame 13 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     14 0.000881    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 14 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     15 0.000888    65369.1               0.255                 ZIP      GetNetInfo request

Frame 15 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     16 0.000897    65369.1               0.255                 ZIP      GetNetInfo request

Frame 16 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     17 0.000899    65369.1               0.255                 ZIP      GetNetInfo request

Frame 17 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     18 0.000908    65369.1               0.255                 ZIP      GetNetInfo request

Frame 18 (60 bytes on wire, 60 bytes captured)

No.     Time        Source                Destination           Protocol Info
     19 0.000913    65369.1               0.255                 ZIP      GetNetInfo request

Frame 19 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     20 0.000921    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 20 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     21 0.000929    65369.1               0.255                 ZIP      GetNetInfo request

Frame 21 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     22 0.000938    65369.1               0.255                 ZIP      GetNetInfo request

Frame 22 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     23 0.000943    65369.1               0.255                 ZIP      GetNetInfo request

Frame 23 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     24 0.000953    65369.1               0.255                 ZIP      GetNetInfo request

Frame 24 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     25 0.000959    65369.1               0.255                 ZIP      GetNetInfo request

Frame 25 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     26 0.000970    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 26 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     27 0.001746    65369.1               0.255                 ZIP      GetNetInfo request

Frame 27 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     28 0.001752    65369.1               0.255                 ZIP      GetNetInfo request

Frame 28 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     29 0.001760    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3

Frame 29 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:b0:d0:78:9b:88, Dst: ff:ff:ff:ff:ff:ff
Address Resolution Protocol (request)

No.     Time        Source                Destination           Protocol Info
     30 0.001769    65369.1               0.255                 ZIP      GetNetInfo request

Frame 30 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     31 0.001776    65369.1               0.255                 ZIP      GetNetInfo request

Frame 31 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     32 0.001782    65369.1               0.255                 ZIP      GetNetInfo request

Frame 32 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     33 0.001799    65369.1               0.255                 ZIP      GetNetInfo request

Frame 33 (60 bytes on wire, 60 bytes captured)
 
No.     Time        Source                Destination           Protocol Info
     35 0.001818    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
------------------------------------------------------------------------------------------------------------------------------------

It looks to me like some kind of attack, but I am not sure. Any ideas???
Asked by: medium_grade

1 Solution
 
MarkDozier commented:
Why not bring it down? Take it offline and promote the BDC to PDC. Then you have time to figure out what is happening.
Is there anything stopping you from doing this?

medium_grade (Author) commented:
My network admin replaced the nic and ran a repair on the OS. The PDC seems to be back online, but I am still getting tons of the aforementioned network traffic. Should I be worried?

MarkDozier commented:
Are you using GetNet print servers?
 
MarkDozier commented:
   ZIP      GetNetInfo request
Zone Information Protocol (ZIP)
This is related to the AppleTalk routing protocol. So somewhere you have AppleTalk running on something and it is broadcasting the GetNetInfo request.


medium_grade (Author) commented:
I checked up on it and the only 3 Apple computers that are ever on our network were offline. Is there any known attack that uses these kinds of packets?

medium_grade (Author) commented:
I read about a "ZIP Storm." According to the brief definition, a ZIP storm is "A network broadcast storm that occurs when a router running AppleTalk propagates a route for which it currently has no corresponding zone name. The route is then forwarded by any and all downstream routers, and a ZIP storm ensues."

Does that seem correct to anyone else?

medium_grade (Author) commented:
Also, what are those broadcast packets?

Here is a summary line from the first 1000 packets Ethereal picked up:
http://www.pennylane.org/EE/packets.xls

Let me know what you guys think.

--Dave

MarkDozier commented:
It appears that I lost the part of my post that told you about the ARP packets.

ARP (Address Resolution Protocol) broadcasts are normal traffic on any network.

ARP converts an IP address to its corresponding physical network address. It is a low-level protocol (at layer 2 in the OSI model) usually implemented in the device drivers of network operating systems. ARP is most commonly seen on Ethernet networks, but ARP has also been implemented for ATM, Token Ring, and other physical networks. The first RFC discussing ARP (for Ethernet) was RFC 826.

Ethernet network adapters are produced with a physical address (called the Media Access Control or MAC address) embedded in the hardware. Manufacturers take care to ensure these 6-byte addresses are unique, and Ethernet relies on these unique identifiers for frame delivery. When an IP packet arrives at a network gateway, the gateway needs to convert the destination IP address to the appropriate MAC address so that it can be delivered over Ethernet. Some IP-to-MAC address mappings are maintained in an ARP cache, but if the given IP address does not appear there, the gateway will send an ARP request that is broadcast on the local subnet. The host with the given IP address sends an ARP reply to the gateway, who in turn delivers the packet (and updates its cache).
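
The thread's open question is how to tell routine ARP broadcasts from a ZIP storm when all you have is the Ethereal packet list. The following script is an added example, not code from anyone in this thread: it parses pasted packet-list summary rows, counts frames per protocol and per source, works out the GetNetInfo broadcast rate from the Time column, and lists ARP targets that are asked for repeatedly without an "is at" reply appearing in the capture. It generalises the page's single capture into a small triage routine. Rows 9 to 15 of the embedded sample are copied from the capture above; rows 16 and 17 (a request for 192.168.1.50 and its reply) are constructed to show the answered-ARP path, and the 100 frames/second ZIP threshold is an assumed cut-off, not a published figure.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One packet-list summary row as Ethereal (now Wireshark) prints it:
#   No.  Time  Source  Destination  Protocol  Info
# Header rows, "Frame N (...)" lines and per-layer detail lines do not match.
ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>[A-Za-z][A-Za-z0-9.-]*)\s+(?P<info>.*?)\s*$"
)
ARP_REQUEST = re.compile(r"Who has (?P<target>\S+)\?\s+Tell (?P<asker>\S+)")
ARP_REPLY = re.compile(r"(?P<sender>\S+) is at ")


@dataclass
class Frame:
    no: int
    time: float   # seconds since start of capture (Ethereal's default Time column)
    src: str
    dst: str
    proto: str
    info: str


def parse_summary(text: str) -> list[Frame]:
    """Extract the summary rows from a pasted Ethereal packet list."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            frames.append(Frame(int(m["no"]), float(m["time"]), m["src"],
                                m["dst"], m["proto"], m["info"]))
    return frames


def triage(frames: list[Frame], zip_rate_threshold: float = 100.0) -> dict:
    """Summarise a capture from a defender's point of view.

    zip_rate_threshold (frames/second) is an assumed cut-off for calling the
    GetNetInfo broadcast volume a ZIP storm; tune it to your own baseline.
    """
    if not frames:
        return {"frames": 0}
    span = frames[-1].time - frames[0].time
    by_proto = Counter(f.proto for f in frames)

    # ZIP GetNetInfo requests: who is sending them and how fast.
    zip_frames = [f for f in frames if f.proto == "ZIP" and "GetNetInfo" in f.info]
    zip_rate = len(zip_frames) / span if span > 0 else float("inf")
    zip_sources = Counter(f.src for f in zip_frames)

    # ARP requests are normal; the same target being asked for again and again
    # with no "is at" reply in the capture is worth a look (host down, stale
    # address configured somewhere, or a switch/VLAN problem).
    asked: Counter = Counter()
    answered: set[str] = set()
    for f in frames:
        if f.proto != "ARP":
            continue
        if (m := ARP_REQUEST.search(f.info)):
            asked[m["target"]] += 1
        elif (m := ARP_REPLY.search(f.info)):
            answered.add(m["sender"])
    unanswered = {t: n for t, n in asked.items() if t not in answered}

    return {
        "frames": len(frames),
        "span_seconds": span,
        "by_proto": dict(by_proto),
        "zip_requests": len(zip_frames),
        "zip_rate_per_s": zip_rate,
        "zip_sources": dict(zip_sources),
        "zip_storm": zip_rate > zip_rate_threshold,
        "arp_unanswered": unanswered,
    }


# Rows 9-15 are from the capture in the thread; rows 16-17 are constructed.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
      9 0.000064    65369.1               0.255                 ZIP      GetNetInfo request
     10 0.000069    65369.1               0.255                 ZIP      GetNetInfo request
     11 0.000079    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     12 0.000087    65369.1               0.255                 ZIP      GetNetInfo request
     13 0.000095    65369.1               0.255                 ZIP      GetNetInfo request
     14 0.000881    192.168.1.3            Broadcast             ARP      Who has 192.168.1.121?  Tell 192.168.1.3
     15 0.000888    65369.1               0.255                 ZIP      GetNetInfo request
     16 0.000897    192.168.1.3            Broadcast             ARP      Who has 192.168.1.50?  Tell 192.168.1.3
     17 0.000899    192.168.1.50           192.168.1.3           ARP      192.168.1.50 is at 00:00:00:00:00:01
"""

if __name__ == "__main__":
    for key, value in triage(parse_summary(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the sample, the ZIP rate comes out at several thousand GetNetInfo requests per second from a single AppleTalk source (65369.1), which is the storm signature the asker read about; the ARP side shows 192.168.1.121 asked for twice with no reply, while the constructed request for 192.168.1.50 is answered and therefore not reported. Feed it the full 1000-row export rather than a screenful, since the rate and the unanswered-target list only mean something over a reasonable window.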
