Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
Source MAC Address DoS
  • From: "jiade" <jiadejiade@xxxxxxxxxxx>
  • Date: Thu, 8 May 2003 16:28:15 +0800
  • Message-id: <Sea2-DAV169vXsFFsAi0000122d@xxxxxxxxxxx>
I got arp storm in my network(30 PCs and some WLAN devices),
about 10,000 arp requests per second, no responses,lasting
for severalminutes,all these arp requests have the same content
which looks very strange:

SRC DST info
0060e0017d96 0060f0017d96 who has 192.168.1.188? tell 192.168.1.188

it's an arp request but the DST is not a broadcast,
and the DST is a real MAC address of one of my netcards
while the SRC is a fake one.
This happens several times a day but not regularly.
Who will send millions of this kind of arp requests?

Later I captured these packets and replayed this storm at 10000packets/s,
no matter what kind of upper level protocol stuff (ARP,UDP or somethingelse)
I filled in these packets ,they will jam up the Linux box whose MAC address
is the same as the SOURCE (not the destination) MAC address of these
packets.
When I change the packets'source MAC address with the destination MAC
address,the Linux box works well.I don't know the reason.

Need your help, thanks.








< Previous Next >
This Thread
Follow Ups