
Re: arp table overflow due to windows worm



On Sat, 16.10.2004, 07:58, Henrique de Moraes Holschuh wrote:
> On Sat, 16 Oct 2004, Ben Goedeke wrote:
>> Should it really be possible for a single infected Windows machine to DoS
>> a Linux firewall? Please tell me it's not true and there's just something
>> I'm overlooking. I'm at my wits' end here and don't even know what to try
>> next. So any pointers are much appreciated.
>
> Well, I have seen ARP overflows on very big flat networks (e.g.
> 172.16.0.0/16) for example.  Is any of yours that big?  Otherwise, why
> would the firewall be trying to resolve so many ARP addresses, instead of
> forwarding the packets to its default gateway, or rejecting the IP packets
> as unrouteable?
>

Do you have a route entry like

0.0.0.0         0.0.0.0  0.0.0.0         UG    0      0        0 eth0

instead of

0.0.0.0         1.2.3.4  0.0.0.0         UG    0      0        0 eth0

with 1.2.3.4 as the next hop to your ISP?
That would generate an ARP overflow very fast if you try sending
to permanently changing IP addresses outside your network as typical
worms would do!

Christian
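
The check Christian describes, as an added example that is not part of the original messages: it reads `route -n` output and reports every route with no gateway that covers more addresses than the neighbour table can hold, which catches both the gateway-less default route and the large flat networks Henrique mentions. The sample tables are constructed, the function name is hypothetical, and it assumes Ethernet-like interfaces (point-to-point links do not ARP) and the Linux default `gc_thresh3` of 1024.

```python
import ipaddress

# Linux default for net.ipv4.neigh.default.gc_thresh3, the hard cap on
# neighbour (ARP) cache entries. Assumption: the firewall uses the default.
GC_THRESH3_DEFAULT = 1024

# Constructed sample in `route -n` format (not the poster's real table).
HEAD = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth2
"""
# The two default-route variants quoted in the message above.
BROKEN = HEAD + "0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 eth0\n"
FIXED = HEAD + "0.0.0.0         1.2.3.4         0.0.0.0         UG    0      0        0 eth0\n"


def oversized_onlink_routes(route_n_output, limit=GC_THRESH3_DEFAULT):
    """Return (network, iface, address_count) for each gateway-less route
    that matches more destinations than `limit`. For such a route the kernel
    resolves every destination itself, one ARP entry per address."""
    findings = []
    for line in route_n_output.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # title line or blank
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        try:
            net = ipaddress.IPv4Network(f"{dest}/{genmask}")
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            continue  # column header line
        if int(gw) != 0:
            continue  # next hop set: only the gateway itself needs an ARP entry
        if net.num_addresses > limit:
            findings.append((str(net), iface, net.num_addresses))
    return findings


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        for net, iface, count in oversized_onlink_routes(table):
            print(f"{name}: {net} on {iface} is on-link, up to {count} ARP entries")
```

On a live firewall, pass it the text of `route -n` and compare against the value of `sysctl net.ipv4.neigh.default.gc_thresh3`.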


