Try nast, there is a module for testing MAC-Spoofing. Sounds like someone on the internal net spoofs Ethernet addresses.

MAC-Spoofing has the following disadvantage: If your network has been spoofed, everyone on every segment can sniff the net (across all segments), a nice trick to gather information. If it kills functionality of your network you have to restart everything (switches, machines), because the switches and NICs store Ethernet addresses in their cache :-(

You can get NAST here: http://nast.berlios.de/

You need the following:

  libnet
  libpcap
  pthread support
  libncurses

Use the source and compile it on your machine. The output shows you if something is missing and where to get it. Use <Shift> + <Key> for navigating through the menu if you start with: "nast -G".

Philippe

----- Original Message -----
From: "Bob Vickers" <bobv@cs.rhul.ac.uk>
To: "Peter Nixon" <nix@susesecurity.com>
Cc: "SuSE-Security" <suse-security@suse.com>
Sent: Tuesday, March 23, 2004 11:20 AM
Subject: Re: [suse-security] Neighbour table overflow
Peter,
I have encountered this problem when (for example) scanning the local network; possibly it could also indicate an intruder doing some port scanning. I did some googling which showed that the neighbour table is used by the kernel to contain ARP addresses, though I didn't manage to find out exactly what the consequences are when it fills up. Anyway you can increase its size which makes it less likely to fill up. I put the following lines in /etc/init.d/boot.local
# Double the size of the ARP cache area to avoid "Neighbour table overflow"
# messages (defaults are 128, 512, 1024).
echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
Bob
On Tue, 23 Mar 2004, Peter Nixon wrote:
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
==============================================================
Bob Vickers                     R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
Phone:  +44 1784 443691
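Added example, not part of the original messages: a shell script that compares the IPv4 ARP cache occupancy with the gc_thresh limits Bob adjusts, and counts unresolved entries, which pile up during the kind of local network scan he mentions. The function names and status labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): compare IPv4 neighbour (ARP) cache
# occupancy with the gc_thresh limits discussed above.
# Approximation: /proc/net/arp lists only the IPv4 ARP entries of this namespace.
ARP_TABLE=${ARP_TABLE:-/proc/net/arp}
NEIGH_DIR=${NEIGH_DIR:-/proc/sys/net/ipv4/neigh/default}

# Number of entries in an arp table file (the first line is the column header).
arp_total() {
    awk 'NR > 1 && NF >= 6 { n++ } END { print n + 0 }' "$1"
}

# Entries still unresolved (flags 0x0). Many of these appear when a host
# probes addresses that never answer, for example during a network scan.
arp_incomplete() {
    awk 'NR > 1 && NF >= 6 && $3 == "0x0" { n++ } END { print n + 0 }' "$1"
}

# Classify occupancy (labels are this example's own):
#   ok         below gc_thresh1, the garbage collector leaves entries alone
#   gc-active  at or above gc_thresh1
#   soft-limit at or above gc_thresh2, entries are purged aggressively
#   hard-limit at or above gc_thresh3, new entries can be refused (overflow)
neigh_status() {
    total=$(arp_total "$1")
    t1=$(cat "$2/gc_thresh1")
    t2=$(cat "$2/gc_thresh2")
    t3=$(cat "$2/gc_thresh3")
    if   [ "$total" -ge "$t3" ]; then echo hard-limit
    elif [ "$total" -ge "$t2" ]; then echo soft-limit
    elif [ "$total" -ge "$t1" ]; then echo gc-active
    else echo ok
    fi
}

# One-line summary suitable for cron or a monitoring check.
neigh_report() {
    echo "entries=$(arp_total "$1") incomplete=$(arp_incomplete "$1") status=$(neigh_status "$1" "$2")"
}

# Report on the live system when the kernel files are readable.
if [ -r "$ARP_TABLE" ] && [ -r "$NEIGH_DIR/gc_thresh3" ]; then
    neigh_report "$ARP_TABLE" "$NEIGH_DIR"
fi
```

A status of soft-limit or hard-limit together with a high incomplete count points at address probing rather than a genuinely large network, which is worth checking before raising the thresholds.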