Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] Source MAC Address DoS
  • From: GertJan Spoelman <nobody@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 8 May 2003 20:59:18 +0200
  • Message-id: <200305082059.18095@xxxxxx>
On Thursday 08 May 2003 10:28, jiade wrote:
> I got an arp storm in my network (30 PCs and some WLAN devices),
> about 10,000 arp requests per second, no responses, lasting
> for several minutes, all these arp requests have the same content
> which looks very strange:
>
> SRC DST info
> 0060e0017d96 0060f0017d96 who has 192.168.1.188? tell
> 192.168.1.188
>
> it's an arp request but the DST is not a broadcast,
> and the DST is a real MAC address of one of my netcards
> while the SRC is a fake one.
> This happens several times a day but not regularly.
> Who will send millions of this kind of arp requests?
>
> Later I captured these packets and replayed this storm at 10000 packets/s,
> no matter what kind of upper level protocol stuff (ARP, UDP or
> something else) I filled in these packets, they will jam up the Linux box
> whose MAC address is the same as the SOURCE (not the destination) MAC
> address of these packets.

First you say the SRC is fake and now you say it locks up the SRC, or did you
also replace the SRC address?

> When I change the packets' source MAC address with the destination MAC
> address, the Linux box works well. I don't know the reason.
>
> Need your help, thanks.

Since the SRC and DST MAC addresses differ by only 1 bit (e0 / f0), it could well
be that it comes from the same NIC; maybe it has some weird hardware defect.
First thing I would do is replace that NIC.
--

GertJan

Email address is invalid, so don't reply directly, I'm on the list.
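
The frame pattern discussed in this thread can be checked for in a capture. The following is an added detection example, not part of the original mails: it parses a raw Ethernet/ARP frame and reports the traits described above. The function names are hypothetical, the sample frames are constructed, and the ARP sender hardware address is assumed to equal the Ethernet source, which the quoted capture does not show.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def mac_bit_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two 6-byte MAC addresses differ."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")

def inspect_arp_frame(frame: bytes) -> list:
    """Return the anomalies seen in one raw Ethernet frame carrying ARP.

    Each finding is a signal, not a verdict: unicast ARP requests and
    sender IP == target IP also occur in normal cache refresh and
    address announcement traffic.
    """
    if len(frame) < 42:
        return ["truncated"]
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return ["not-arp"]
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["not-ethernet-ipv4-arp"]
    findings = []
    if oper == 1 and dst != BROADCAST:
        findings.append("unicast-arp-request")
    if spa == tpa:
        findings.append("sender-ip-equals-target-ip")
    if sha != src:
        findings.append("arp-sender-mac-differs-from-ethernet-src")
    if mac_bit_distance(src, dst) == 1:
        findings.append("src-dst-mac-differ-by-one-bit")
    return findings

def build_arp_request(dst: bytes, src: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Assemble sample input bytes for the parser (nothing is sent)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src,
                      socket.inet_aton(sender_ip), b"\x00" * 6,
                      socket.inet_aton(target_ip))
    return dst + src + struct.pack("!H", 0x0806) + arp

# Constructed samples: the frame from the quoted capture, and an ordinary request.
THREAD_FRAME = build_arp_request(bytes.fromhex("0060f0017d96"),
                                 bytes.fromhex("0060e0017d96"),
                                 "192.168.1.188", "192.168.1.188")
NORMAL_FRAME = build_arp_request(BROADCAST, bytes.fromhex("0060e0017d96"),
                                 "192.168.1.10", "192.168.1.1")

if __name__ == "__main__":
    print(inspect_arp_frame(THREAD_FRAME))
    print(inspect_arp_frame(NORMAL_FRAME))
```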

