[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: arp table overflow due to windows worm

Kurt Roeckx wrote:
On Sat, Oct 16, 2004 at 01:39:29PM +0200, Benjamin Goedeke wrote:

My net has netmask /24 and the firewall is connected to an upstream
router which sits in The other gateway sits between my
site and two /24 nets but this gateway doesn't seem to be affected.

So the gateway with the problem is the only one with a connection
to the outside world and they other is just to 2 other internal

That's right. The net looks something like this: (excuse my pittyful
ascii art skills)

   Internet                  Internet
     |                          |
     |                 the overflowing firewall
     |                          |
     |                       (bridge)
     |                          |
     |                          |
other lans----firewall--------my lan

I could use the other lans as a gateway but I usually don't.

The only reason it should do ARP is in case it wants to resolv an
address which he thinks is directly connected.  Which should mean
all your internal IP addresses (or atleast those he tried to send
something to) your gateway.

Hmm. That gives me an idea:

Destination	Gateway	Flags	Metric	Ref	Use	Iface UG	0	0	0	eth1

With such a routing entry the firewall will try and resolve mac
addresses when the worm is scanning 134.102.xxx.0 subnets, right? I off
to the site to do some experimenting.

Thanks, a lot so far. I'll post my findings.


Reply to: