I'm a DSL customer and I'm also seeing a lot of attempts to spread the Code Red I and II worms. After noticing that my DSL modem was flickering constantly even after powering down all of my connected computers, I became curious and fired up NukeNabber, which displayed the signature for the Code Red worm coming in on port 80. I watched for a while and also noticed that the activity lights on my DSL modem were flickering much more frequently than any requests being reported by NukeNabber. I then installed a packet sniffer so I could take a closer look at what was going on. Here's where I get in over my head...
I see constant ARP broadcasts with MAC addresses. I don't really know much about this and am not sure how to interpret what's going on. Can anyone suggest some good resources that might help me decipher this traffic? I wondered if it was perhaps my service provider broadcasting the DHCP address (I'm sure my ignorance of this subject matter is now glaring...) but from my research on how DHCP works I don't think this is what's happening. Any suggested references or information would be greatly appreciated.
Thanks,
Aexion