
Re: arp table overflow due to windows worm



Henrique de Moraes Holschuh wrote:

> Well, I have seen ARP overflows on very big flat networks (e.g.
> 172.16.0.0/16) for example.  Is any of yours that big?  Otherwise, why would
> the firewall be trying to resolve so many ARP addresses, instead of
> forwarding the packets to its default gateway, or rejecting the IP packets
> as unrouteable?

My net has netmask /24 and the firewall is connected to an upstream
router which sits in 134.102.0.0/16. The other gateway sits between my
site and two /24 nets, but this gateway doesn't seem to be affected. I
noticed that the ARP cache contains the very IP addresses the Windows
machines are trying to connect to. (And they all resolve to the same
Ethernet address, namely the one of the upstream router.) So it seems
ARP resolution occurs even though the packets are being dropped. That's
why I thought the bridge before the firewall could be a good idea. But
I guess the net gets clogged even before it reaches the bridge.

Anyway, see http://www.atm.tut.fi/list-archive/linux-diffserv/msg00962.html

I will try and increase the cache size and do some more experiments on
the weekend, but maybe the only solution is to update all the Windows
machines to SP2 (I hear the Windows guys already got started with that.)

cheers,
ben
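
Added example, not from the thread above: a small POSIX shell script that checks for the symptom Ben describes, a neighbour table filling with entries that all resolve to one link-layer address, and compares the table size with the kernel's gc_thresh3 limit. The `ip neigh` output, interface names, IPs and MACs are constructed sample data; on a real firewall you would feed it `ip -4 neigh show` and the values from /proc/sys/net/ipv4/neigh/default/gc_thresh{1,2,3}.

```shell
#!/bin/sh
# Added example (not code from the original mailing-list thread).
# Spot a neighbour table that is being filled by one peer and compare
# its size with the kernel's hard limit.
#
# On a live box, replace neigh_sample with:   ip -4 neigh show
# and read the limit from:  /proc/sys/net/ipv4/neigh/default/gc_thresh3

# Constructed sample of `ip -4 neigh show` output. Addresses, interface
# names and MACs are made up; only the line shape matches the kernel's.
neigh_sample() {
    cat <<'EOF'
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.0.2.50 dev eth0 lladdr 00:11:22:33:44:02 STALE
198.51.100.7 dev eth1 lladdr 00:11:22:33:44:ff STALE
198.51.100.8 dev eth1 lladdr 00:11:22:33:44:ff STALE
198.51.100.9 dev eth1 lladdr 00:11:22:33:44:ff DELAY
198.51.100.10 dev eth1 lladdr 00:11:22:33:44:ff STALE
198.51.100.11 dev eth1 FAILED
EOF
}

# Count resolved entries (those carrying an lladdr) per link-layer
# address, most common first. Reads `ip neigh` output on stdin.
count_per_lladdr() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") c[$(i+1)]++ }
         END { for (m in c) printf "%d %s\n", c[m], m }' | sort -rn
}

# Total number of entries in the table, resolved or not.
total_entries() {
    grep -c .
}

# The MAC owning the largest share of the table, with its count.
# Ben's symptom is one MAC (the upstream router) owning nearly all of it.
dominant_lladdr() {
    count_per_lladdr | head -n 1
}

# Compare an entry count against gc_thresh3, the hard limit above which
# the kernel refuses new neighbour entries and logs a table overflow.
# Prints a verdict and returns 0 (OK) or 1 (OVERFLOW).
check_overflow() {
    entries=$1
    thresh3=$2
    if [ "$entries" -ge "$thresh3" ]; then
        echo "OVERFLOW: $entries entries >= gc_thresh3=$thresh3"
        return 1
    fi
    echo "OK: $entries entries < gc_thresh3=$thresh3"
    return 0
}

# Stand-alone run against the constructed sample.
neigh_sample | dominant_lladdr
check_overflow "$(neigh_sample | total_entries)" 1024
```

If the dominant MAC is the upstream router's and the count is near gc_thresh3, raising gc_thresh1/2/3 under /proc/sys/net/ipv4/neigh/default buys headroom, but it only moves the ceiling; the entries are still being created for every destination the infected hosts probe.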


