I got an ARP storm in my network (30 PCs and some WLAN devices), about 10,000 ARP requests per second, no responses, lasting for several minutes. All these ARP requests have the same content, which looks very strange:
SRC           DST           info
0060e0017d96  0060f0017d96  who has 192.168.1.188? tell 192.168.1.188
It's an ARP request but the DST is not a broadcast, and the DST is a real MAC address of one of my netcards while the SRC is a fake one. This happens several times a day but not regularly. Who will send millions of this kind of ARP requests?
Later I captured these packets and replayed this storm at 10000 packets/s. No matter what kind of upper level protocol stuff (ARP, UDP or something else) I filled in these packets, they will jam up the Linux box whose MAC address is the same as the SOURCE (not the destination) MAC address of these packets. When I change the packets' source MAC address with the destination MAC address, the Linux box works well. I don't know the reason.
Need your help, thanks.
On Thursday 08 May 2003 10:28, jiade wrote:
I got an ARP storm in my network (30 PCs and some WLAN devices), about 10,000 ARP requests per second, no responses, lasting for several minutes. All these ARP requests have the same content, which looks very strange:
SRC           DST           info
0060e0017d96  0060f0017d96  who has 192.168.1.188? tell 192.168.1.188
It's an ARP request but the DST is not a broadcast, and the DST is a real MAC address of one of my netcards while the SRC is a fake one. This happens several times a day but not regularly. Who will send millions of this kind of ARP requests?
Later I captured these packets and replayed this storm at 10000 packets/s. No matter what kind of upper level protocol stuff (ARP, UDP or something else) I filled in these packets, they will jam up the Linux box whose MAC address is the same as the SOURCE (not the destination) MAC address of these packets.
First you say the SRC is fake and now you say it locks up the SRC or did you also replace the SRC address?
When I change the packets' source MAC address with the destination MAC address, the Linux box works well. I don't know the reason.
Need your help, thanks.
Since the SRC and DST MAC addresses differ by only 1 bit (e0 / f0), it could well be that it comes from the same NIC; maybe it has some weird hardware defect. The first thing I would do is replace that NIC.
--
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
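As an added example (not part of the original thread), the Python sketch below checks captured frames for the pattern discussed here: ARP requests sent to a unicast destination, asking for their own sender IP, with source and destination MACs only a bit or two apart. The function names, the per-second threshold and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def build_arp_request(src, dst, sender_ip, target_ip):
    """Build a 42-byte Ethernet + ARP request frame (constructed sample input)."""
    eth = struct.pack("!6s6sH", dst, src, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src, sender_ip, b"\x00" * 6, target_ip)
    return eth + arp

def classify_arp(frame):
    """Return anomaly flags for an IPv4-over-Ethernet ARP request, else None."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):
        return None
    return {
        "src": src.hex(), "dst": dst.hex(),
        "unicast_request": dst != BROADCAST,   # normal requests are broadcast
        "self_query": spa == tpa,              # "who has X? tell X"
        "mac_bit_diff": sum(bin(a ^ b).count("1") for a, b in zip(src, dst)),
    }

def storm_suspects(capture, threshold=1000):
    """capture: iterable of (timestamp_seconds, frame_bytes). Returns the
    (src, dst, second) buckets at or above the threshold (an assumed value)."""
    counts = Counter()
    for ts, frame in capture:
        info = classify_arp(frame)
        if info and info["unicast_request"] and info["self_query"]:
            counts[(info["src"], info["dst"], int(ts))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample: the frame from the thread repeated 10,000 times in one
# second, plus one ordinary broadcast ARP request.
SRC, DST = bytes.fromhex("0060e0017d96"), bytes.fromhex("0060f0017d96")
IP = bytes([192, 168, 1, 188])
STORM_FRAME = build_arp_request(SRC, DST, IP, IP)
NORMAL_FRAME = build_arp_request(SRC, BROADCAST, IP, bytes([192, 168, 1, 1]))
CAPTURE = [(i / 10000, STORM_FRAME) for i in range(10000)] + [(0.5, NORMAL_FRAME)]

if __name__ == "__main__":
    print(classify_arp(STORM_FRAME), storm_suspects(CAPTURE))
```

The same checks can be fed frames read from a capture file; the threshold should be tuned to the normal ARP rate of the segment being watched.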
----- Original Message -----
From: "GertJan Spoelman"
On Thursday 08 May 2003 10:28, jiade wrote:
I got an ARP storm in my network (30 PCs and some WLAN devices), about 10,000 ARP requests per second, no responses, lasting for several minutes. All these ARP requests have the same content, which looks very strange:
SRC           DST           info
0060e0017d96  0060f0017d96  who has 192.168.1.188? tell 192.168.1.188
It's an ARP request but the DST is not a broadcast, and the DST is a real MAC address of one of my netcards while the SRC is a fake one. This happens several times a day but not regularly. Who will send millions of this kind of ARP requests?
Later I captured these packets and replayed this storm at 10000 packets/s. No matter what kind of upper level protocol stuff (ARP, UDP or something else) I filled in these packets, they will jam up the Linux box whose MAC address is the same as the SOURCE (not the destination) MAC address of these packets.
First you say the SRC is fake and now you say it locks up the SRC or did you also replace the SRC address?
Sorry, I've made a mistake, the SRC is real but the DST is fake.
When I change the packets' source MAC address with the destination MAC address, the Linux box works well. I don't know the reason.
Need your help, thanks.
Since the SRC and DST MAC addresses differ by only 1 bit (e0 / f0), it could well be that it comes from the same NIC; maybe it has some weird hardware defect. The first thing I would do is replace that NIC.
--
I did replace the NIC, but it was the same; the storm packets' SRC and DST MAC addresses still differ by 1 bit or 2.
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
Jiade
On Friday 09 May 2003 03:23, jiade wrote:
I did replace the NIC, but it was the same; the storm packets' SRC and DST MAC addresses still differ by 1 bit or 2.
So the problem is probably with the software on that PC. If you disconnect it, is the problem gone then? Does it have multiple NICs and do you use it as a router? Is there any tunneling software running and if so, what happens if you shut that down?
--
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
----- Original Message -----
From: "GertJan Spoelman"
On Friday 09 May 2003 03:23, jiade wrote:
I did replace the NIC, but it was the same; the storm packets' SRC and DST MAC addresses still differ by 1 bit or 2.
So the problem is probably with the software on that PC. If you disconnect it, is the problem gone then? Does it have multiple NICs and do you use it as a router? Is there any tunneling software running and if so, what happens if you shut that down?
--
Yes, you are quite right, I do use it as a router with 2 NICs, and there is another Linux box running tunneling software, which has the same problem, but it does not occur at the same time. If I shut either of them down, the storm will disappear in several seconds. What shall I do to solve this problem with the router and the tunneling software running?
Jiade
Participants (2): GertJan Spoelman, jiade