Re: [suse-security] Neighbour table overflow
Try nast, there is a module for testing MAC-Spoofing. Sounds like someone on the internal net spoofs Ethernet addresses.

MAC-Spoofing has the following disadvantage: if your network has been spoofed, everyone on every segment can sniff the net (across all segments), a nice trick to gather information. If it kills functionality of your network you have to restart everything (switches, machines), because the switches and NICs store Ethernet addresses in their cache :-(

NAST you get here: http://nast.berlios.de/

You need the following: libnet, libpcap, pthread support, libncurses

Use the source and compile it on your machine. The output shows you if something is missing and where to get it. Use <Shift> + <Key> for navigating through the menu if you start with: "nast -G".

Philippe

----- Original Message -----
From: "Bob Vickers" <bobv@cs.rhul.ac.uk>
To: "Peter Nixon" <nix@susesecurity.com>
Cc: "SuSE-Security" <suse-security@suse.com>
Sent: Tuesday, March 23, 2004 11:20 AM
Subject: Re: [suse-security] Neighbour table overflow
Peter,
I have encountered this problem when (for example) scanning the local network; possibly it could also indicate an intruder doing some port scanning. I did some googling which showed that the neighbour table is used by the kernel to contain ARP addresses, though I didn't manage to find out exactly what the consequences are when it fills up. Anyway, you can increase its size, which makes it less likely to fill up. I put the following lines in /etc/init.d/boot.local:
# Double the size of the ARP cache area to avoid "Neighbour table overflow"
# messages (defaults are 128, 512, 1024).
echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
Bob
On Tue, 23 Mar 2004, Peter Nixon wrote:
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
==============================================================
Bob Vickers                                   R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Philippe,

I wouldn't recommend this as a first measure. Last time I used libpcap on a production machine it crashed the whole IP stack immediately ... :-(

OK - you're right, this is the way to go if you are interested in what is really happening in your network, but for the "normal" admin I would say that watching the ARP table (write it in a file every 15 minutes through a cron job) and tightening the firewall rules should do the trick.

Regards,
Philipp (sans e)

Philippe Vogel wrote:
Try nast, there is a module for testing MAC-Spoofing. Sounds like someone on the internal net spoofs Ethernet addresses.

MAC-Spoofing has the following disadvantage: if your network has been spoofed, everyone on every segment can sniff the net (across all segments), a nice trick to gather information. If it kills functionality of your network you have to restart everything (switches, machines), because the switches and NICs store Ethernet addresses in their cache :-(

NAST you get here: http://nast.berlios.de/

You need the following: libnet, libpcap, pthread support, libncurses

Use the source and compile it on your machine. The output shows you if something is missing and where to get it. Use <Shift> + <Key> for navigating through the menu if you start with: "nast -G".
Philippe
----- Original Message -----
From: "Bob Vickers" <bobv@cs.rhul.ac.uk>
To: "Peter Nixon" <nix@susesecurity.com>
Cc: "SuSE-Security" <suse-security@suse.com>
Sent: Tuesday, March 23, 2004 11:20 AM
Subject: Re: [suse-security] Neighbour table overflow
Peter,
I have encountered this problem when (for example) scanning the local network; possibly it could also indicate an intruder doing some port scanning. I did some googling which showed that the neighbour table is used by the kernel to contain ARP addresses, though I didn't manage to find out exactly what the consequences are when it fills up. Anyway, you can increase its size, which makes it less likely to fill up. I put the following lines in /etc/init.d/boot.local:
# Double the size of the ARP cache area to avoid "Neighbour table overflow"
# messages (defaults are 128, 512, 1024).
echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
Bob
On Tue, 23 Mar 2004, Peter Nixon wrote:
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
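As an added illustration of the two suggestions in this thread (Bob's gc_thresh limits and Philipp's "write the ARP table to a file every 15 minutes" cron idea), the following script is not from either poster: it compares two snapshots in /proc/net/arp format, reports IPs whose hardware address changed between runs (the kind of change a MAC-spoofing incident would show), and checks how close the entry count sits to a gc_thresh3 value. The snapshots and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Input is /proc/net/arp layout:
# "IP address  HW type  Flags  HW address  Mask  Device".

# Constructed sample snapshots (not real captures): in SNAP_NEW the
# entry for 192.168.1.20 has a different MAC and 192.168.1.40 is new.
SNAP_OLD='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:14     *        eth0
192.168.1.30     0x1         0x2         00:11:22:33:44:1e     *        eth0'

SNAP_NEW='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.20     0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.1.30     0x1         0x2         00:11:22:33:44:1e     *        eth0
192.168.1.40     0x1         0x2         00:11:22:33:44:28     *        eth0'

# arp_changes OLD NEW: print "IP old_mac new_mac" for every IP whose
# hardware address differs between the two snapshots (headers skipped).
arp_changes() {
    printf '%s\n' "$1" "$2" | awk '
        NR == 1 { next }                   # header of the first snapshot
        /^IP address/ { second = 1; next } # header of the second snapshot
        !second { old[$1] = $4; next }     # remember IP -> MAC from OLD
        ($1 in old) && old[$1] != $4 { print $1, old[$1], $4 }
    '
}

# arp_count SNAP: number of neighbour entries, excluding the header.
arp_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 { n++ } END { print n + 0 }'
}

# near_thresh COUNT THRESH3: succeed when the table holds at least 90% of
# gc_thresh3, i.e. it is about to produce "Neighbour table overflow".
near_thresh() {
    [ "$(( $1 * 10 ))" -ge "$(( $2 * 9 ))" ]
}

# Stand-alone run on the constructed data (a cron job would instead read
# /proc/net/arp into a dated file and compare it with the previous one).
arp_changes "$SNAP_OLD" "$SNAP_NEW"
if near_thresh "$(arp_count "$SNAP_NEW")" 1024; then
    echo "warning: neighbour table close to gc_thresh3"
fi
```

On a live system the same comparison works on the files a cron job writes from /proc/net/arp, with gc_thresh3 read from /proc/sys/net/ipv4/neigh/default/gc_thresh3.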