[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

arp table overflow due to windows worm

Hi list

 This might be a bit offtopic since there's nothing debian specific about
the problem I'm having. If you feel this has no place on this list please
point me to a more appropriate list for this question.

 Starting last week I noticed random network outages on the lan I'm
administering. There are 5 debian servers for some 100 windows
workstations. The network topology is pretty straight-forward with two
gateways to the internet and an affiliated site respectively. Now what
happens is this:
 There's a worm or virus on some of the windows machines that uses tcp
port 135 to distribute itself. Infected machines systematically scan
neighbouring networks at a rate of a few hundred connection attempts/s for
machines listening on port 135. Oddly enough the local scanners (Norton
Antivirus) don't find anything. But this mail is not about what to do with
the windows machines but rather what to do on the firewall. Obviously port
135 is closed in both directions. However, I get the message "Neighbour
table overflow" on the firewall (debian stable w/ kernel 2.4.27) and the
entire network comes to a standstill. The cpu load isn't even close to a
worrying level so I guess there are plenty of resources left and still I
can't make any network connection through the firewall when there's an
infected machine plugged in to the network. The arp cache overflow happens
even though I just drop packets in the iptables FORWARD chain.
So I set up a transparent bridge between the firewall and the lan and
tried filtering ethernet frames using ebtables from the infected machines.
This did work and the arp cache overflow on the firewall no longer
happened but still the network was pretty much useless and connections to
any server outside of the lan are extremely slow and unreliable.

Should it really be possible for a single infected windows machine to dos
a linux firewall? Please tell me it's not true and there's just something
I'm overlooking. I'm at my wits end here and don't even know what to try
next. So any pointers are much appreciated.


Reply to: