
virtual hub scanning network from unused ip range

Posted: Tue Nov 11, 2014 3:32 am
by javi404
So trying to figure out what was scanning my network via ARP requests from a subnet I don't even use.

Is this mis-configuration? Has this software been compromised? Is it a bug? Is it normal operation?

I don't know, but obviously something scanning the network is always cause for concern and investigation. That investigation led to the SoftEther server we are testing. Then digging deeper led to the SoftEther software itself. Digging even deeper into that, to a virtual hub bridged with a NIC.

Here is an example of a tcpdump running on our network, grepped for 172.

As you can see, it's scanning our main subnet 192.168.142.0/24 from a subnet not in use anywhere, 172.x

Example

22:29:06.473046 ARP, Request who-has 192.168.142.113 tell 172.31.40.193, length 46
22:29:06.550568 ARP, Request who-has 192.168.142.117 tell 172.31.40.193, length 46
22:29:06.628793 ARP, Request who-has 192.168.142.119 tell 172.31.40.193, length 46
22:29:06.706933 ARP, Request who-has 192.168.142.124 tell 172.31.40.193, length 46
22:29:06.785111 ARP, Request who-has 192.168.142.133 tell 172.31.40.193, length 46
22:29:06.863126 ARP, Request who-has 192.168.142.136 tell 172.31.40.193, length 46
22:29:06.941288 ARP, Request who-has 192.168.142.170 tell 172.31.40.193, length 46
22:29:07.020368 ARP, Request who-has 192.168.142.180 tell 172.31.40.193, length 46
22:29:07.097809 ARP, Request who-has 192.168.142.190 tell 172.31.40.193, length 46
22:29:07.175731 ARP, Request who-has 192.168.142.207 tell 172.31.40.193, length 46
22:29:07.253809 ARP, Request who-has 192.168.142.221 tell 172.31.40.193, length 46
22:29:07.332498 ARP, Request who-has 192.168.142.222 tell 172.31.40.193, length 46
22:29:07.410131 ARP, Request who-has 192.168.142.223 tell 172.31.40.193, length 46
22:29:07.488213 ARP, Request who-has 192.168.142.241 tell 172.31.40.193, length 46
22:29:07.566861 ARP, Request who-has 192.168.142.242 tell 172.31.40.193, length 46
22:29:07.644489 ARP, Request who-has 192.168.142.248 tell 172.31.40.193, length 46
22:29:07.722717 ARP, Request who-has 192.168.142.249 tell 172.31.40.193, length 46
22:29:07.800882 ARP, Request who-has 192.168.142.250 tell 172.31.40.193, length 46
22:29:07.879093 ARP, Request who-has 192.168.142.251 tell 172.31.40.193, length 46

EDIT: I also see the same from another address when I connect and bridge another virtual hub on the same box on a different VLAN: 172.31.15.219
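
Added example, not part of the original post: one way to check a tcpdump text capture like the one above for ARP requests whose sender IP lies outside the subnets actually in use, grouped per sender. The function name, the list of local subnets passed in, and the constructed gateway line in the sample are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump's text format for ARP requests, as shown in the capture above.
ARP_REQ = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) ARP, Request who-has "
    r"(\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))? tell (\d+\.\d+\.\d+\.\d+)"
)

def foreign_arp_senders(lines, local_nets):
    """Group ARP requests whose sender IP is outside every local subnet."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    seen = defaultdict(lambda: {"targets": set(), "times": []})
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # not an ARP request line
        hh, mm, ss, target, sender = m.groups()
        if any(ipaddress.ip_address(sender) in n for n in nets):
            continue  # sender belongs to a subnet we actually use
        entry = seen[sender]
        entry["targets"].add(ipaddress.ip_address(target))
        entry["times"].append(int(hh) * 3600 + int(mm) * 60 + float(ss))
    report = {}
    for sender, e in seen.items():
        report[sender] = {
            "requests": len(e["times"]),
            "targets": [str(t) for t in sorted(e["targets"])],
            "span_seconds": round(max(e["times"]) - min(e["times"]), 6),
        }
    return report

# First three lines are copied from the capture in the post; the last one is
# constructed (a normal request from an assumed local gateway 192.168.142.1).
SAMPLE = """\
22:29:06.473046 ARP, Request who-has 192.168.142.113 tell 172.31.40.193, length 46
22:29:06.550568 ARP, Request who-has 192.168.142.117 tell 172.31.40.193, length 46
22:29:06.628793 ARP, Request who-has 192.168.142.119 tell 172.31.40.193, length 46
22:29:07.000000 ARP, Request who-has 192.168.142.50 tell 192.168.142.1, length 46
""".splitlines()

if __name__ == "__main__":
    for sender, info in foreign_arp_senders(SAMPLE, ["192.168.142.0/24"]).items():
        print(sender, info["requests"], "requests in", info["span_seconds"], "s ->", info["targets"])
```

Many distinct targets from one out-of-subnet sender within a short span is the pattern visible in the capture; adding `-e` to tcpdump also prints the source MAC, which identifies the interface the requests come from.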

Re: virtual hub scanning network from unused ip range

Posted: Tue Nov 11, 2014 9:16 am
by javi404
Am I the only one who sees this?

Re: virtual hub scanning network from unused ip range

Posted: Tue Nov 25, 2014 6:20 am
by thisjun