Re: arp table overflow due to windows worm

On Sat, 16 Oct 2004, Benjamin Goedeke wrote:
> My net has netmask /24 and the firewall is connected to an upstream
> router which sits in The other gateway sits between my

This is the problem. And what a dangerous netmask to have a router sit on,
btw... here we use small networks (/24 to /30, typically /28, /29 or /30) to
place router interfaces on for a good reason :)

You need to increase the arp cache size to 65536 entries if you really want
to avoid the DoS at all costs.  All other gateway machines sitting on the
/16 also need the same kind of setup, btw.

Try fiddling with /proc/sys/net/ipv4/neigh/default/gc_thresh3 (set it to
65536 for example).  If that doesn't do it, go after the user-mode ARP daemon,
and enable that.

> site and two /24 nets but this gateway doesn't seem to be affected. I

/24s are 256-hosts-wide, and won't overflow a 1024-entry cache ever, if you
have only two or three.

> machines are trying to connect to. (And they all resolve to the same
> ethernet address, namely the one of the upstream router.) So it seems

And the upstream router is probably having problems of the same sort, too.
If it is, it will impair your connectivity eventually.

> I will try and increase the cache size and do some more experiments on
> the weekend but maybe the only solution is to update all the windows
> machines to SP2 (I hear the windows guys already got started with that.)

That will not fix your problem for long.  And anyone running a ping scan or
anything else of the sort will DoS your network.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
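The sizing advice in the reply above (a gateway on a /16 needs a neighbour cache that can hold 65536 entries, set through gc_thresh3) can be turned into a small check. The script below is an added example and is not part of the mail thread: it computes how many addresses a prefix contains, derives gc_thresh1/2/3 values from that, and compares the current gc_thresh3 against what the prefix requires. It goes slightly beyond the mail in also scaling gc_thresh1 and gc_thresh2, keeping the 1/8 and 1/2 ratios of the Linux defaults (128/512/1024); that ratio choice is mine, not the poster's. Applying the generated sysctl lines needs root; the script only prints them.

```shell
#!/bin/sh
# Added example (not from the original mail): size the Linux neighbour (ARP)
# cache thresholds from the prefix length of the network a router interface
# sits on, and check whether the current gc_thresh3 can hold that many hosts.

# hosts_in_prefix PREFIXLEN -> number of IPv4 addresses in a /PREFIXLEN
hosts_in_prefix() {
    echo $(( 1 << (32 - $1) ))
}

# recommended_gc_thresh PREFIXLEN -> "gc_thresh1 gc_thresh2 gc_thresh3"
# gc_thresh3 is the hard limit and must cover every address a scanning host
# can make the gateway ARP for; thresh1 and thresh2 keep the 1/8 and 1/2
# ratios of the kernel defaults (128/512/1024). The ratio is an assumption.
recommended_gc_thresh() {
    n=$(hosts_in_prefix "$1")
    echo "$(( n / 8 )) $(( n / 2 )) $n"
}

# current_gc_thresh3 -> value read from /proc, or the kernel default 1024
# when /proc is not readable (e.g. when run outside Linux or unprivileged)
current_gc_thresh3() {
    f=/proc/sys/net/ipv4/neigh/default/gc_thresh3
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# cache_sufficient PREFIXLEN THRESH3 -> success if THRESH3 covers the prefix
cache_sufficient() {
    [ "$2" -ge "$(hosts_in_prefix "$1")" ]
}

# sysctl_commands PREFIXLEN -> the sysctl lines to run as root
sysctl_commands() {
    set -- $(recommended_gc_thresh "$1")
    printf 'sysctl -w net.ipv4.neigh.default.gc_thresh1=%s\n' "$1"
    printf 'sysctl -w net.ipv4.neigh.default.gc_thresh2=%s\n' "$2"
    printf 'sysctl -w net.ipv4.neigh.default.gc_thresh3=%s\n' "$3"
}

# Usage: sh arp_cache_size.sh PREFIXLEN   (e.g. 16 for the /16 in the thread)
if [ -n "${1-}" ]; then
    cur=$(current_gc_thresh3)
    if cache_sufficient "$1" "$cur"; then
        echo "gc_thresh3=$cur already covers a /$1 ($(hosts_in_prefix "$1") addresses)"
    else
        echo "gc_thresh3=$cur is too small for a /$1; apply as root:"
        sysctl_commands "$1"
    fi
fi
```

Run it with the prefix length of the network the gateway interface is on; with the kernel default of 1024 it reports a /24 as fine and a /16 as needing 65536, which matches the two cases discussed in the reply. Values written with sysctl -w do not survive a reboot, so the same keys should also go into /etc/sysctl.conf.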

