Re: [suse-security] kernel: Neighbour table overflow

Hi, well, it was caused by some infected servers from an office which is connected by ipsec. Because I tcpdumped only the ethx interfaces, I just saw the ESP packets. The servers did a ping to all ip addresses of our class A network, which I saw during tcpdump of the ipsecx interfaces. Thx to all for your help. Olly
-----Original Message-----
From: John Andersen [mailto:jsa@pen.homeip.net]
Sent: Wednesday, 27 August 2003 09:08
To: SuSE Security Discussion (suse-security@suse.com)
Subject: Re: [suse-security] kernel: Neighbour table overflow
On Tuesday 26 August 2003 02:36, Sven 'Darkman' Michels wrote:
Schoenwaelder Oliver wrote:
Hi,
I don't know how to solve the problem on my own: we have a linux firewall (SuSE 7.3, kernel 2.4.16, iptables 1.2.2-60, FreeS/WAN 1.94_0.9.2-41) which has been running for more than a year now. Since August 12th we have lots of messages like
Aug 25 10:52:25 batschkapp-ext kernel: NET: 468 messages suppressed.
Aug 25 10:52:25 batschkapp-ext kernel: Neighbour table overflow.
in the messages file. What is strange is that the arp table contains exactly 1023 entries, most of them incomplete, with IP addresses of our local subnet which are not used and not reachable. Sometimes the arp table is correct with about 70 entries, but only for a couple of seconds.
you can 'fix' it by spending more ram for the arp table:
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
Dunno if it's really related to blaster, but we had similar problems.
Your arp table is loaded by the actions of processes in your linux box, usually some interaction with the target IP, either as a samba server or by the target trying to send mail etc.
Nothing in a windows box is going to change that unless ALL of them are infected and ALL of them are trying to send mail thru the gateway.
If all these addresses show up as "incomplete" you can be sure that the action that caused them to be added to the table originated in or came thru the linux box.
It looks like port scanning, or pinging every IP on the local net from the server.
Someone may have contrived to ping the broadcast address; this will fill your arp table in a hurry, but usually only with good (working) addresses, not incompletes.
-- _____________________________________ John Andersen
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
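As an added defender's check (not code from anyone in this thread): the kernel reports "Neighbour table overflow" once the neighbour cache reaches gc_thresh3 (defaults 128/512/1024), and the symptom above was a cache full of incomplete entries from a host sweeping the local net. This script parses /proc/net/arp format, counts complete vs. incomplete entries per interface, and warns when the total nears the thresholds or an interface is dominated by incompletes. The ARP table below is a constructed sample; the ratio cutoff is an assumed tuning value.

```python
from collections import Counter

# Constructed sample in /proc/net/arp format (not captured from the thread's host).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:50:56:aa:bb:01     *        eth0
10.0.0.2         0x1         0x2         00:50:56:aa:bb:02     *        eth0
10.0.0.37        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.38        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.39        0x1         0x0         00:00:00:00:00:00     *        eth0
10.1.4.200       0x1         0x2         00:50:56:aa:bb:03     *        eth1
"""

ATF_COM = 0x2  # Flags bit set on a resolved ("complete") entry; 0x0 means incomplete


def parse_arp(text):
    """Yield (ip, flags, device) for each entry, skipping the header line."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        yield fields[0], int(fields[2], 16), fields[5]


def summarize(text):
    """Per-device Counter of 'complete' and 'incomplete' entries."""
    stats = {}
    for _ip, flags, dev in parse_arp(text):
        state = "complete" if flags & ATF_COM else "incomplete"
        stats.setdefault(dev, Counter())[state] += 1
    return stats


def check(text, gc_thresh1=128, gc_thresh2=512, gc_thresh3=1024, max_incomplete_ratio=0.5):
    """Return a list of warning strings; empty means the table looks healthy."""
    warnings = []
    stats = summarize(text)
    total = sum(sum(c.values()) for c in stats.values())
    if total >= gc_thresh3:
        warnings.append(f"{total} entries >= gc_thresh3={gc_thresh3}: neighbour table overflow")
    elif total >= gc_thresh2:
        warnings.append(f"{total} entries >= gc_thresh2={gc_thresh2}: kernel is GC'ing aggressively")
    for dev, c in stats.items():
        n = c["complete"] + c["incomplete"]
        if n and c["incomplete"] / n > max_incomplete_ratio:  # assumed cutoff, tune per site
            warnings.append(f"{dev}: {c['incomplete']}/{n} entries incomplete; local sweep from this host?")
    return warnings


if __name__ == "__main__":
    # On a live box use open("/proc/net/arp").read() and the gc_thresh* values from /proc/sys.
    for w in check(SAMPLE_ARP):
        print(w)
```
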