Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
Re: [suse-security] Source MAC Address DoS
  • From: "jiade" <jiadejiade@xxxxxxxxxxx>
  • Date: Fri, 9 May 2003 09:23:51 +0800
  • Message-id: <Sea2-DAV209tTx7e4Vk00001c3a@xxxxxxxxxxx>

----- Original Message -----
From: "GertJan Spoelman" <nobody@xxxxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Friday, May 09, 2003 2:59 AM
Subject: Re: [suse-security] Source MAC Address DoS


> On Thursday 08 May 2003 10:28, jiade wrote:
> > I got arp storm in my network(30 PCs and some WLAN devices),
> > about 10,000 arp requests per second, no responses,lasting
> > for severalminutes,all these arp requests have the same content
> > which looks very strange:
> >
> > SRC DST info
> > 0060e0017d96 0060f0017d96 who has 192.168.1.188? tell
> > 192.168.1.188
> >
> > it's an arp request but the DST is not a broadcast,
> > and the DST is a real MAC address of one of my netcards
> > while the SRC is a fake one.
> > This happens several times a day but not regularly.
> > Who will send millions of this kind of arp requests?
> >
> > Later I captured these packets and replayed this storm at
10000packets/s,
> > no matter what kind of upper level protocol stuff (ARP,UDP or
> > somethingelse) I filled in these packets ,they will jam up the Linux box
> > whose MAC address is the same as the SOURCE (not the destination) MAC
> > address of these packets.
>
> First you say the SRC is fake and now you say it locks up the SRC or did
you
> also replace the SRC address?

Sorry, I've made a mistake, the SRC is real but the DST is fake.

> > When I change the packets'source MAC address with the destination MAC
> > address,the Linux box works well.I don't know the reason.
> >
> > Need your help, thanks.
>
> Since the SRC and DST MAC addresses differ only 1 bit (e0 / f0) it could
well
> be that it comes from the same NIC maybe it has some weird hardware
defect,
> first thing I would do is replace that NIC.
> --

I did replace the NIC, but it was the same, the storm packets' SRC and DST
MAC
addresses still differ 1 bit or 2.

>
> GertJan
>
> Email address is invalid, so don't reply directly, I'm on the list.
>


Jiade

< Previous Next >
This Thread
Follow Ups
References