
Re: arp table overflow due to windows worm



goedeke-deb-sec@gmx.net said:
> 135 is closed in both directions. However, I get the message "Neighbour
> table overflow" on the firewall (debian stable w/ kernel 2.4.27) and the
> entire network comes to a standstill. The cpu load isn't even close to a
...
> Should it really be possible for a single infected windows machine to dos
> a linux firewall? Please tell me it's not true and there's just something
> I'm overlooking. I'm at my wits end here and don't even know what to try
> next. So any pointers are much appreciated.

The entire neighbor cache was completely rewritten recently, and I
believe it was prompted by exactly this sort of situation.  That work
will be released as part of linux 2.6.9, iirc. There's also a backport
pending for 2.4, though probably not 2.4.28. Check out this thread:

http://thread.gmane.org/gmane.linux.network/16302

Jason


