ff:ff:ff:ff...mac address is consuming my network bandwidth

nazib · 07-26-2005, 10:56 PM

Hi all,

I am having problem in my linux server.
I am using redhat 9.0 with default iptables rpm.
I have Nat of this server. I run iptraf and found the following broadcast mac address ff:ff:ff:ff:ff:ff This mac address is creating problem in my network. A buch of bandwidth is consuming by that mac.

can any one tell me for stop this mac address or solve the Broadcast problem.

Regards,
Nazib

gd2shoe · 07-27-2005, 01:26 AM

If your network can handle such a brute force solution, you could just start disconnecting network plugs until it stops. In most situations, you should be able to find the offending machine.

Half_Elf · 07-27-2005, 09:56 AM

ff:ff:ff:ff is just an impossible MAC address. It is the "everyone" mac address. Back in college I wrote something in my computer science course about the possibility of crashing a network in a DDOS way spoofing the Mac address to this value. "ff:ff:ff:ff" refer to everyone, and, as "everyone" would try to answer to "everyone", you quickly end in a nightmare situation, at least in theory, it is quite hard to forge packet this way and this kind of trick is patched since age.

Still, look like you are under attack from a ghost... If you suspect this to come from the internet you might want to notice your ISP, they may have some "trace" or hints about who is doing this (ultimately banning him). But for now, there isn't much to do, even if you block this address, the packet will reach your network (as the iptables rules are checked once the network card got the trafic, of course), crafting a rules to (try to) ban this would most likely result in a cpu consumtion without any result of the flood... if you want to try anyways, I suppose we could help you, but we will need your kernel version and your iptables version (iptables prior to 1.2.7 on kernel 2.4 was a bit basic about making rules on mac address if I remember right).