How to ARP your network in two easy steps

Brian Hawkins brianhks at activeclickweb.com
Fri Dec 29 11:45:48 MST 2006


This happened the other day at my work.  I thought it was kind of 
amusing.  When the ARP of death hit my laptop (win2k) hit about 60% 
utilization.  I noticed the lights on my dlink switch were going nuts 
with activity.  A quick look in wireshark revealed the network was being 
flooded with ARP's.  The computer from which the ARP o death originated 
(winXP) had locked up.  It actually no longer booted and we had to 
reinstall it.  Even after disconnecting the origin of the ARP from the 
network we were still flooded with the same ARP request.  A couple of 
other XP boxes kept flickering their display like they wanted to "blue 
screen" but couldn't make up their mind.  The linux machines seemed 
unaffected except for the network traffic.

So how did all of this take place you ask?

Recipe for ARP o Death
Take one trendnet switch and loop a cable back on itself.
Connect the above mentioned switch to the network and wait for some 
sucker to renew it's IP address.
Individual results may very

We had unplugged every computer from the network but we were still being 
flooded.  We found it by going to the wiring closet and unplugged 
segments until the traffic stopped.  The switch was in a conference room 
were someone had tried to plug in a device and grabbed the wrong cable.

Fun times at the office.
Brian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3347 bytes
Desc: S/MIME Cryptographic Signature
Url : http://plug.org/pipermail/plug/attachments/20061229/f9c62524/attachment.bin 


More information about the PLUG mailing list