Re: arp table overflow due to windows worm
Kurt Roeckx wrote:
On Sat, Oct 16, 2004 at 01:39:29PM +0200, Benjamin Goedeke wrote:
My net has netmask /24 and the firewall is connected to an upstream
router which sits in 22.214.171.124/16. The other gateway sits between my
site and two /24 nets but this gateway doesn't seem to be affected.
So the gateway with the problem is the only one with a connection
to the outside world and they other is just to 2 other internal
That's right. The net looks something like this: (excuse my pittyful
ascii art skills)
| the overflowing firewall
other lans----firewall--------my lan
I could use the other lans as a gateway but I usually don't.
The only reason it should do ARP is in case it wants to resolv an
address which he thinks is directly connected. Which should mean
all your internal IP addresses (or atleast those he tried to send
something to) your gateway.
Hmm. That gives me an idea:
Destination Gateway Flags Metric Ref Use Iface
126.96.36.199/16 0.0.0.0 UG 0 0 0 eth1
With such a routing entry the firewall will try and resolve mac
addresses when the worm is scanning 134.102.xxx.0 subnets, right? I off
to the site to do some experimenting.
Thanks, a lot so far. I'll post my findings.