
Re: arp table overflow due to windows worm



Kurt Roeckx wrote:
> On Sat, Oct 16, 2004 at 01:39:29PM +0200, Benjamin Goedeke wrote:
>
> > My net has netmask /24 and the firewall is connected to an upstream
> > router which sits in 134.102.0.0/16. The other gateway sits between my
> > site and two /24 nets but this gateway doesn't seem to be affected.
>
> So the gateway with the problem is the only one with a connection
> to the outside world and the other is just to 2 other internal
> nets?

That's right. The net looks something like this: (excuse my pitiful
ascii art skills)

   Internet                  Internet
     |                          |
     |                 the overflowing firewall
     |                          |
     |                       (bridge)
     |                          |
     |                          |
other lans----firewall--------my lan

I could use the other lans as a gateway but I usually don't.


> The only reason it should do ARP is in case it wants to resolve an
> address which he thinks is directly connected.  Which should mean
> all your internal IP addresses (or at least those he tried to send
> something to) your gateway.

Hmm. That gives me an idea:

Destination      Gateway  Flags  Metric  Ref  Use  Iface
134.102.0.0/16   0.0.0.0  UG     0       0    0    eth1

With such a routing entry the firewall will try and resolve mac
addresses when the worm is scanning 134.102.xxx.0 subnets, right? I'm off
to the site to do some experimenting.

Thanks a lot so far. I'll post my findings.

ben
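The mechanism Ben and Kurt are circling around (a route with gateway 0.0.0.0 marks the whole prefix as on-link, so every scanned address becomes an ARP target instead of the one next-hop router) can be reproduced offline with a small route-lookup model. The following is an added example, not code from the thread: it does longest-prefix-match the way the kernel FIB does, counts the distinct neighbour entries a worm-style sweep would create, and compares the table quoted above against a hypothetical corrected one. The LAN prefix 134.102.42.0/24, the upstream router address 134.102.0.1, the /30 link prefix and the scanned range are all constructed for the example; the 1024 limit is the Linux default for net.ipv4.neigh.default.gc_thresh3.

```python
import ipaddress
from collections import namedtuple

# gateway=None models the "0.0.0.0" gateway column: destination is on-link,
# so the kernel resolves the destination address itself with ARP.
Route = namedtuple("Route", "prefix gateway iface")

def net(s):
    return ipaddress.ip_network(s)

# Constructed model of the table quoted in the thread: the whole /16 is on-link.
OVERFLOWING_TABLE = [
    Route(net("134.102.42.0/24"), None, "eth0"),   # hypothetical internal LAN
    Route(net("134.102.0.0/16"), None, "eth1"),    # the entry from the thread
]

# Hypothetical correction: only the real link subnet is on-link, everything
# else goes via the upstream router's address (constructed value).
CORRECTED_TABLE = [
    Route(net("134.102.42.0/24"), None, "eth0"),
    Route(net("134.102.0.0/30"), None, "eth1"),
    Route(net("0.0.0.0/0"), ipaddress.ip_address("134.102.0.1"), "eth1"),
]

# Linux default for net.ipv4.neigh.default.gc_thresh3 (hard cap on entries).
GC_THRESH3 = 1024

def lookup(table, dst):
    """Longest-prefix match over the table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def next_hop(table, dst):
    """Address the kernel has to ARP for in order to deliver to dst."""
    r = lookup(table, dst)
    if r is None:
        return None                      # unreachable, no ARP at all
    if r.gateway is None:
        return ipaddress.ip_address(dst)  # on-link: ARP for the destination itself
    return r.gateway                     # off-link: ARP only for the router

def worm_scan(network, count):
    """Constructed stand-in for the worm's probes: the first `count` hosts of network."""
    return [str(h) for h, _ in zip(net(network).hosts(), range(count))]

def neighbour_entries(table, targets):
    """Distinct addresses that would get a neighbour-table entry for these probes."""
    return {nh for nh in (next_hop(table, t) for t in targets) if nh is not None}

def exceeds_neigh_limit(n_entries, limit=GC_THRESH3):
    """True once the sweep alone would push the table past gc_thresh3."""
    return n_entries > limit

if __name__ == "__main__":
    probes = worm_scan("134.102.128.0/21", 2000)   # a sweep across other /24s
    for name, table in (("on-link /16", OVERFLOWING_TABLE), ("corrected", CORRECTED_TABLE)):
        entries = neighbour_entries(table, probes)
        print(f"{name:12s}: {len(entries):5d} neighbour entries, "
              f"overflow={exceeds_neigh_limit(len(entries))}")
```

Run as a script it shows 2000 neighbour entries for the on-link /16 against 1 for the corrected table: with the route narrowed to the actual link subnet, every probe to another 134.102.x.0 subnet resolves to the one router address. The same model is a quick sanity check for any box whose logs show the kernel's neighbour table overflow message: dump its real routes, feed them in, and see which on-link prefix is wider than the link it describes.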
