Is my network getting attacked?

njem

Some strange behavior on the network at a non-profit so at a
suggestion I installed Wireshark to capture packets and I get strange
looking behavior. As a comparison I tried it on a couple of other
offices and don't get the same at all. Does this make sense to anyone
or can you point me to some hack-savvy forum where they might?

Below is about 30 lines of capture. On this Sat AM I have only the
server, a workstation, the router and the switch on. The other
stations have been off since the previous evening so all has had time
to get settled. The server, workstation, and router all keep sending
packets asking who has IP address x, and sending "name query" packets.
Then the switch keeps sending "Spanning tree" packets. I'm sure some
of this is normal on startup or periodic refresh but in this case it's
pretty much all the traffic over the course of this 14 second
snapshot.

Thanks,
Tom

No.  Time       Source             Destination                      Protocol  Info
1    0.000000   Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
2    0.016536   Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
3    0.413167   IntelCor_07:f5:7d  Broadcast                        ARP       Who has 192.168.0.222? Tell 192.168.0.52
4    0.415835   IntelCor_07:f5:7d  Broadcast                        ARP       Who has 192.168.0.223? Tell 192.168.0.52
5    0.536137   Intel_e9:10:22     Broadcast                        ARP       Who has 192.168.0.223? Tell 192.168.0.100
6    2.063407   Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
7    4.015436   Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
8    4.066504   192.168.0.1        192.168.0.100                    NBNS      Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
9    4.066561   192.168.0.100      192.168.0.1                      NBNS      Name query response NBSTAT
10   6.015371   Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
11   7.396657   IntelCor_07:f5:7d  Broadcast                        ARP       Who has 192.168.0.223? Tell 192.168.0.52
12   7.418780   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<20>
13   7.420473   Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
14   7.455501   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<00>
15   8.015308   Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
16   8.162190   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<20>
17   8.193556   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<00>
18   8.419973   Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
19   8.912166   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<20>
20   8.943526   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<00>
21   9.420014   Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
22   9.693746   192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<00>
23   10.015487  Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
24   10.129539  192.168.0.1        192.168.0.100                    NBNS      Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
25   10.129594  192.168.0.100      192.168.0.1                      NBNS      Name query response NBSTAT
26   10.443487  192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<00>
27   10.444938  Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
28   11.193463  192.168.0.52       192.168.0.255                    NBNS      Name query NB BOOKKEEPING<00>
29   11.445171  Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
30   12.015422  Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
31   12.445126  Netgear_8c:1c:ea   Broadcast                        ARP       Who has 192.168.0.63? Tell 192.168.0.1
32   13.396457  IntelCor_07:f5:7d  Broadcast                        ARP       Who has 192.168.0.223? Tell 192.168.0.52
33   14.015358  Netgear_54:76:c1   Spanning-tree-(for-bridges)_00   STP       RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031

Lanwench [MVP - Exchange]

njem said:
Some strange behavior on the network at a non-profit so at a
suggestion I installed Wireshark to capture packets and I get strange
looking behavior. As a comparison I tried it on a couple of other
offices and don't get the same at all. Does this make sense to anyone
or can you point me to some hack-savvy forum where they might?

Below is about 30 lines of capture. On this Sat AM I have only the
server, a workstation, the router and the switch on. The other
stations have been off since the previous evening so all has had time
to get settled. The server, workstation, and router all keep sending
packets asking who has IP address x, and sending "name query" packets.
Then the switch keeps sending "Spanning tree" packets. I'm sure some
of this is normal on startup or periodic refresh but in this case it's
pretty much all the traffic over the course of this 14 second
snapshot.

Thanks,
Tom

<snip>

Is this network protected by a good-quality firewall appliance, or just a
simple NAT gateway / consumer "router"?
What's open/allowed inbound?
Any rogue computers connected to the LAN recently (e.g., a visitor with a laptop,
etc.)?

microsoft.public.windows.security would be a good place to post (an updated
message)

grimm

I realize this is very late, but I found your post while looking up something
else. From what I can tell, you had a pretty average network on that day back
in August. In case you haven't determined all these things for yourself
already:

Networks that employ NetBIOS (or where one or more nodes employ NetBIOS,
perhaps inadvertently) are very chatty in this way. ("Where's BOOKKEEPING? I
need BOOKKEEPING for [a file share|a shared printer|etc.]." They also
periodically attempt to refresh each other's browse lists by yelling out,
"Look at me! I'm BOOKKEEPING, and I'm a [file server|printer server|etc.]!")

TCP/IP networks see lots of ARP traffic as the stations (servers,
workstations, printers, routers, managed switches, etc.) use it to parlay IP
addresses into Ethernet MAC addresses. (You'll note that they all go to the
network's broadcast address -- 192.168.0.255 -- which is how you, as a
TCP/IP speaker, shout out to all of the peers on your subnet.)

Finally, the STP messages you're seeing are basically your switches talking
to one another to prevent loops. Think "a person accidentally plugging one
switch port into another port on the same network segment" -- Ethernet
networks hate this, and STP is one method of preventing it. This happens more
often than you might think, especially if you have edge switches in
user-accessible places, and free wall jacks nearby: if the edge switch is
backhauled to a core switch via a wall jack, and there's another free wall
jack that connects to the same core switch, and a well-meaning user plugs a
second cable from the edge switch to the free wall jack...well...hilarity
ensues. Note that STP can't necessarily prevent all loops, depending upon
your network topology.


Hope that helps,

-grimm
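An added example, not part of the thread and not anyone's posted code: a small Python triage script that reads Wireshark summary lines like the ones Tom pasted and separates the three kinds of chatter grimm describes. It reports ARP "Who has" targets that never get an "is at" reply (a host repeatedly asking for an address nobody claims), NetBIOS name queries per name and which names went unanswered (BOOKKEEPING, with the other stations off), and the STP root bridge and hello interval (one root at a steady ~2 s gap is a stable topology). The sample input is the first frames of the posted capture, re-joined onto one line per packet; the function and field names are mine.

```python
import re
from collections import Counter, namedtuple
from statistics import mean

# Summary lines reproduced from the capture posted in the thread, one packet per line
# (constructed sample input: frames 1-10, 12, 13 and 15 only).
CAPTURE = """\
1 0.000000 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
2 0.016536 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
3 0.413167 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.222? Tell 192.168.0.52
4 0.415835 IntelCor_07:f5:7d Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.52
5 0.536137 Intel_e9:10:22 Broadcast ARP Who has 192.168.0.223? Tell 192.168.0.100
6 2.063407 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
7 4.015436 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
8 4.066504 192.168.0.1 192.168.0.100 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
9 4.066561 192.168.0.100 192.168.0.1 NBNS Name query response NBSTAT
10 6.015371 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
12 7.418780 192.168.0.52 192.168.0.255 NBNS Name query NB BOOKKEEPING<20>
13 7.420473 Netgear_8c:1c:ea Broadcast ARP Who has 192.168.0.63? Tell 192.168.0.1
15 8.015308 Netgear_54:76:c1 Spanning-tree-(for-bridges)_00 STP RST. Root = 32768/00:09:5b:54:76:c1 Cost = 0 Port = 0x8031
"""

# "No. Time Source Destination Protocol Info": the first five fields contain no whitespace.
LINE_RE = re.compile(r"^(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
Packet = namedtuple("Packet", "no time src dst proto info")


def parse(text):
    """Turn Wireshark-style summary lines into Packet records; unparsable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(int(m[1]), float(m[2]), m[3], m[4], m[5], m[6]))
    return pkts


def arp_unanswered(pkts):
    """ARP 'Who has' targets that never produced an 'is at' reply, with request counts.
    Repeated requests for an unclaimed address usually mean a stale entry pointing at a host that is off."""
    asked = Counter()
    answered = set()
    for p in pkts:
        if p.proto != "ARP":
            continue
        if m := re.match(r"Who has (\S+)\?", p.info):
            asked[m[1]] += 1
        elif m := re.match(r"(\S+) is at ", p.info):
            answered.add(m[1])
    return {ip: n for ip, n in asked.items() if ip not in answered}


def nbns_summary(pkts):
    """NBNS queries per NetBIOS name (suffix byte stripped) plus the names never answered.
    A response is matched to a query when it flows back from the query's destination to its source."""
    queries = Counter()
    unanswered = set()
    responses = {(p.src, p.dst) for p in pkts if p.proto == "NBNS" and "response" in p.info}
    for p in pkts:
        if p.proto != "NBNS" or "response" in p.info:
            continue
        m = re.search(r"Name query (?:NBSTAT|NB) (\S+)", p.info)
        if not m:
            continue
        name = re.sub(r"<[0-9A-Fa-f]{2}>", "", m[1])  # BOOKKEEPING<20> -> BOOKKEEPING, *<00>... -> *
        queries[name] += 1
        if (p.dst, p.src) not in responses:
            unanswered.add(name)
    return {"queries": dict(queries), "unanswered_names": sorted(unanswered)}


def stp_summary(pkts):
    """Root bridge IDs advertised and the mean gap between BPDUs.
    One root and a steady ~2 s hello interval is normal; several roots or a BPDU flood is not."""
    bpdus = [p for p in pkts if p.proto == "STP"]
    roots = {re.search(r"Root = (\S+)", p.info).group(1) for p in bpdus}
    gaps = [b.time - a.time for a, b in zip(bpdus, bpdus[1:])]
    return {"count": len(bpdus), "roots": sorted(roots),
            "mean_interval": round(mean(gaps), 2) if gaps else None}


def triage(text):
    pkts = parse(text)
    return {"packets": len(pkts),
            "by_protocol": dict(Counter(p.proto for p in pkts)),
            "arp_unanswered": arp_unanswered(pkts),
            "nbns": nbns_summary(pkts),
            "stp": stp_summary(pkts)}


if __name__ == "__main__":
    for key, value in triage(CAPTURE).items():
        print(f"{key}: {value}")
```

Run against a longer export (File > Export Packet Dissections > As Plain Text in Wireshark, summary lines only) the same three summaries separate baseline chatter from something worth a closer look: ARP for addresses no host claims and unanswered NetBIOS queries point at stale configuration or a powered-off machine, while STP from a single root at a constant interval is the switches behaving normally.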