Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] Source MAC Address DoS
  • From: "jiade" <jiadejiade@xxxxxxxxxxx>
  • Date: Fri, 9 May 2003 08:50:41 +0800
  • Message-id: <Sea2-DAV54IkUqLpHka00001be9@xxxxxxxxxxx>
> > I got arp storm in my network (30 PCs and some WLAN devices),
> > about 10,000 arp requests per second, no responses, lasting
> > for several minutes, all these arp requests have the same content
> > which looks very strange:
> >
> > SRC DST info
> > 0060e0017d96 0060f0017d96 who has 192.168.1.188? tell 192.168.1.188
>
> Is 00:60:e0:01:7d:96 or is 00:60:f0:01:7d:96 192.168.1.188 (LAN-IP)?
> Have both the same IP?

00:60:e0:01:7d:96 is 192.168.1.188
There is no NIC whose MAC address is 00:60:f0:01:7d:96

> Looks like duplicated IP (00:60:e0:01:7d:96 looks at 00:60:f0:01:7d:96 if it
> has 192.168.1.188 as seen in the packet capture).
> Is there a DHCP in your LAN and is it on one of both above mentioned NIC's?
> Normal ARP requests go from DHCP to client xy.
> Have a realtime snapshot with iptraf or ethereal.

A DHCP is at 192.168.1.1, whose MAC address is 00:50:04:bd:0d:70,
192.168.1.188 is not a DHCP client, it's a static IP.

> > it's an arp request but the DST is not a broadcast,
> > and the DST is a real MAC address of one of my netcards
> > while the SRC is a fake one.
> > This happens several times a day but not regularly.
> > Who will send millions of this kind of arp requests?
> >
> > Later I captured these packets and replayed this storm at 10000 packets/s,
> > no matter what kind of upper level protocol stuff (ARP, UDP or something else)
> > I filled in these packets, they will jam up the Linux box whose MAC address
> > is the same as the SOURCE (not the destination) MAC address of these packets.
> > When I change the packets' source MAC address with the destination MAC
> > address, the Linux box works well. I don't know the reason.
>
> Is this 00:60:e0:01:7d:96 ?

Yes.

Jiade
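As an added, defender-side illustration (not code from this thread or from anyone posting in it), the following Python parses raw Ethernet/ARP frames and flags the pattern described above: ARP requests with a unicast destination, "who has X? tell X" self-probes, a source MAC that belongs to no known NIC, and a per-source rate above a threshold. The NIC inventory and the capture are constructed from the addresses named in the thread, and the 100 packets/s limit is an assumed threshold.

```python
import struct
from collections import Counter
ARP, REQUEST, BCAST = 0x0806, 1, "ff:ff:ff:ff:ff:ff"
mac = lambda b: ":".join(f"{x:02x}" for x in b)
ip = lambda b: ".".join(str(x) for x in b)
def build_arp(eth_dst, eth_src, spa, tpa, op=REQUEST):
    """Build a constructed Ethernet II + ARP frame (ARP sender MAC == eth_src)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    p = lambda s: bytes(int(o) for o in s.split("."))
    return (m(eth_dst) + m(eth_src) + struct.pack("!H", ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(eth_src) + p(spa) + m("00:00:00:00:00:00") + p(tpa))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP:
        return None
    return {"eth_dst": mac(frame[:6]), "eth_src": mac(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "spa": ip(frame[28:32]), "tpa": ip(frame[38:42])}

def anomalies(pkt, inventory):
    """Anomaly labels for one ARP packet, checked against a MAC->IP inventory."""
    labels = []
    if pkt["op"] == REQUEST and pkt["eth_dst"] != BCAST:
        labels.append("unicast-request")   # requests are normally broadcast
    if pkt["spa"] == pkt["tpa"]:
        labels.append("self-probe")        # "who has X? tell X"
    if pkt["eth_src"] not in inventory:
        labels.append("unknown-src-mac")   # no NIC on the LAN owns this MAC
    elif inventory[pkt["eth_src"]] != pkt["spa"]:
        labels.append("ip-mac-mismatch")   # a known NIC claiming another IP
    return labels

def scan(capture, inventory, pps_limit=100):
    """capture is a list of (timestamp, frame); returns per-packet labels and
    the source MACs that sent more than pps_limit ARP frames in one second."""
    rate, report = Counter(), []
    for ts, frame in capture:
        pkt = parse_arp(frame)
        if pkt is not None:
            rate[(pkt["eth_src"], int(ts))] += 1
            report.append((ts, pkt["eth_src"], anomalies(pkt, inventory)))
    return report, {src for (src, _), n in rate.items() if n > pps_limit}
# Constructed inventory and capture, reusing the addresses named in the thread;
# the storm frames follow the description "DST is a real NIC, SRC is a fake one".
INVENTORY = {"00:60:e0:01:7d:96": "192.168.1.188", "00:50:04:bd:0d:70": "192.168.1.1"}
CAPTURE = [(0.0, build_arp(BCAST, "00:50:04:bd:0d:70", "192.168.1.1", "192.168.1.188"))]
CAPTURE += [(1.0 + i / 150, build_arp("00:60:e0:01:7d:96", "00:60:f0:01:7d:96",
             "192.168.1.188", "192.168.1.188")) for i in range(150)]
```

Feeding real frames (for example from a pcap reader) into scan() in place of CAPTURE gives a per-packet label list plus the set of MACs that crossed the rate limit, which is what a NIDS rule for this storm would key on.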
