Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] DOS problem with SuSE 8.1 kernel 2.4.19- (neighbour table overflow)
  • From: Sven 'Darkman' Michels <sven@xxxxxxxxxx>
  • Date: Tue, 16 Sep 2003 11:05:08 +0200
  • Message-id: <3F66D244.3050204@xxxxxxxxxx>
Philipp Rusch wrote:

Today we have the situation as follows:
One of the other participants in the intranet got the blaster worm in their net,
they are still struggling with this. So we get bombed with tons of connections
on port 135 from their destination, when the worm(s) scan our net.
This fills our arp table / ip connection table with some 17.000-20.000(!)
connections in "half open" state, the kernel then throws thousands of messages
like "Neighbour table overflow" and "neighbour table flood" at high rates.
When memory is filled, the network services on this box simply stop working.
I would call this a classical DOS attack, but what can I do against it?
I already drop all relevant packets from that source, I would have thought
that the iptables / kernel code could manage this traffic (sitting behind a 2 MBit
link with a PIII-500 / 256 MB RAM)

Here is what I do against the most common "attacks"
[snipped firewalling]

iptables won't help in this case because your problem is not the 20000
half open connections, it's the 20000 (spoofed) ARPs. Did you try to
extend your arp table like I suggested to you last time? The only thing
which will work is the kernel tuning imho. Another problem is that you
only have 256MB RAM. If you said you've 20.000 ARP requests, I would say
you've a big network behind it. So if you use connection tracking, you
use a lot of memory just for that. So try to resize your arp table to
the suggested values and take a look if it helps. Watch the arp table
and the count with a script like:
# write one snapshot of the ARP table per second, named by epoch time
while true; do
    DSTRING=$(date +%s)
    arp -an > arp-${DSTRING}.log
    sleep 1
done

so you can check after a half hour or so how many arp entries you really
had and set the table values to a better size.
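
An added example, not part of the original mail: one way to read back the arp-<epoch>.log snapshots the loop above writes, find the fullest one, and turn its entry count into neighbour table limits. The function names, the doubling rule for headroom and the sample snapshots are assumptions made for this example; the gc_thresh sysctls are the Linux neighbour table limits, which the mail itself does not name.

```shell
#!/bin/sh
# Added example: summarise the arp-<epoch>.log snapshots written by the loop above.

# Print "total incomplete" for one `arp -an` snapshot. Unresolved neighbours
# (what a sweep of unused addresses leaves behind) show "<incomplete>".
count_entries() {
    awk '/^\? \(/ { total++; if (index($0, "<incomplete>")) inc++ }
         END { printf "%d %d\n", total, inc }' "$1"
}

# Print "total incomplete filename" for the fullest snapshot in directory $1.
peak_snapshot() {
    dir=$1; best=0; best_inc=0; best_file=none
    for f in "$dir"/arp-*.log; do
        [ -f "$f" ] || continue
        set -- $(count_entries "$f")
        if [ "$1" -gt "$best" ]; then best=$1; best_inc=$2; best_file=${f##*/}; fi
    done
    echo "$best $best_inc $best_file"
}

# Assumed sizing rule (not from the mail): hard limit = next power of two at or
# above twice the peak, never below the stock 1024, keeping the stock 1:4:8 ratio.
suggest_thresholds() {
    t3=1024
    while [ "$t3" -lt $(($1 * 2)) ]; do t3=$((t3 * 2)); done
    echo "net.ipv4.neigh.default.gc_thresh1 = $((t3 / 8))"
    echo "net.ipv4.neigh.default.gc_thresh2 = $((t3 / 2))"
    echo "net.ipv4.neigh.default.gc_thresh3 = $t3"
}

# Constructed sample snapshots (documentation addresses) so this runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' '? (192.0.2.1) at 00:00:5E:00:53:01 [ether] on eth0' \
    > "$demo_dir/arp-1063703100.log"
printf '%s\n' '? (192.0.2.1) at 00:00:5E:00:53:01 [ether] on eth0' \
    '? (192.0.2.7) at <incomplete> on eth0' \
    '? (192.0.2.9) at <incomplete> on eth0' > "$demo_dir/arp-1063703101.log"

set -- $(peak_snapshot "$demo_dir")
echo "peak: $1 entries ($2 incomplete) in $3"
suggest_thresholds "$1"
```

A high share of incomplete entries at the peak means the table is filling with addresses that never answered, so the peak reflects scan traffic rather than the number of real hosts.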

