There is progress. The suspect traffic turns out to be *from* port 443, not to it as I had erroneously believed my sniffer to be indicating. I've also now captured the bogie responding to ARP requests for the servers in question -- this looks close enough to how Ettercap behaves that I'm now treating it as that.

The disruption is occurring because, having ARP-poisoned traffic into coming to its port, the bogie is forwarding it via a local broadcast. Except this is on a large VLAN, and that broadcast traffic is flooding the whole network....

NOW, all I have to do is catch the [EMAIL PROTECTED] machine. I had black-holed the MAC address at the switch where the traffic first appeared, but today it was back from somewhere else.

David Gillett

> -----Original Message-----
> From: David Gillett [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 09, 2006 9:57 AM
> To: [email protected]
> Subject: Bizarre traffic
>
> Does anybody know of anything (malware, hackware, other?)
> that would cause a machine to put out traffic with the first
> octet of the destination address (re)set to ZERO?
>
> The traffic I saw all was headed for port 443, and wasn't
> decipherable. The variation in packet size looked like a
> real conversation, although return packets (if any) weren't
> passing my sniffer. The destination addresses, sans the
> bogus first octet, looked like addresses of a couple of real
> internal servers (source address was internal) -- which,
> however, do not have HTTPS service active.
>
> [This traffic correlated with various intermittent
> disruptions of our network, which stopped when the source
> machine dropped off the network. It later reappeared -- and
> so did a brief disruption -- long enough for me to pinpoint
> and ban it.]
>
> David Gillett
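The two symptoms described in this thread (a rogue host answering ARP requests for real server IPs, and IP packets whose destination address has its first octet zeroed) are both easy to flag from a capture. The following detector is an added example written for this page, not code from the thread or from Ettercap; the server IPs, MAC addresses and sample records are constructed, and the record classes are a stand-in for whatever your capture tool exports.

```python
"""Added example (not from the thread): flag ARP replies that contradict a
known IP-to-MAC table and IP packets with a zeroed first destination octet.
All addresses and sample records below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: which MAC claims to own which IP."""
    ts: float
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class IpPacket:
    """Minimal view of an IP header: addresses and destination port."""
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int


# Known-good bindings for the servers being impersonated (constructed values).
KNOWN_SERVERS = {
    "10.1.2.10": "00:11:22:aa:bb:01",
    "10.1.2.11": "00:11:22:aa:bb:02",
}


def find_arp_conflicts(replies, known=KNOWN_SERVERS):
    """Return (ip, offending_mac, ts) for each reply where a MAC other than
    the recorded one claims a protected server IP. For IPs not in `known`,
    also alert when a second, different MAC starts answering for the same IP,
    which is the signature of a poisoner racing the real owner."""
    alerts = []
    seen = defaultdict(set)  # ip -> MACs that have claimed it so far
    for r in replies:
        mac = r.sender_mac.lower()
        expected = known.get(r.sender_ip)
        if expected is not None:
            if mac != expected.lower():
                alerts.append((r.sender_ip, mac, r.ts))
        elif seen[r.sender_ip] and mac not in seen[r.sender_ip]:
            alerts.append((r.sender_ip, mac, r.ts))
        seen[r.sender_ip].add(mac)
    return alerts


def has_zero_first_octet(ip):
    """True if a dotted-quad address starts with 0 (e.g. 0.1.2.10), the
    malformed destination pattern reported in the original message."""
    try:
        return int(ip.split(".")[0]) == 0
    except ValueError:
        return False


def find_zero_octet_packets(packets):
    """Return the packets whose destination address is malformed that way."""
    return [p for p in packets if has_zero_first_octet(p.dst_ip)]


# Constructed sample data: the real server answers, then a rogue MAC answers
# for the same IP; later the same rogue MAC also contends for an unlisted IP.
SAMPLE_REPLIES = [
    ArpReply(100.0, "10.1.2.10", "00:11:22:aa:bb:01"),
    ArpReply(101.0, "10.1.2.10", "de:ad:be:ef:00:01"),
    ArpReply(102.0, "10.1.2.50", "00:11:22:cc:dd:01"),
    ArpReply(103.0, "10.1.2.50", "de:ad:be:ef:00:01"),
    ArpReply(104.0, "10.1.2.11", "00:11:22:AA:BB:02"),  # case differs, still valid
]

SAMPLE_PACKETS = [
    IpPacket(200.0, "10.1.2.77", "0.1.2.10", 443),
    IpPacket(201.0, "10.1.2.77", "10.1.2.10", 443),
    IpPacket(202.0, "10.1.2.77", "0.1.2.11", 443),
]

if __name__ == "__main__":
    for ip, mac, ts in find_arp_conflicts(SAMPLE_REPLIES):
        print(f"[{ts}] ARP conflict: {mac} claims {ip}")
    for p in find_zero_octet_packets(SAMPLE_PACKETS):
        print(f"[{p.ts}] zero first octet: {p.src_ip} -> {p.dst_ip}:{p.dst_port}")
```

The known-good table is the part worth maintaining: once the server MACs are pinned, every conflicting reply names the offending MAC directly, which is the value you need for the switch-side block described above. Matching is case-insensitive because capture tools differ in how they print MACs.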
