Neighbour table overflow due to Windows worm/spyware
Hi everybody
This is a bit off-topic since the problem I have is more of a Windows issue, but it affects my Linux firewall, so here it goes:
Starting last Thursday I noticed random network outages on a LAN with 5 Linux servers and around 100 Windows workstations. On the firewall (Debian stable) I noticed the logs being flooded with messages "Neighbour table overflow", meaning the ARP cache is full. This had a DoS effect and it was impossible for any computer to access the internet unless I flushed the cache (after which it took some thirty seconds and it all started to crumble again).
I tracked the problem down to three Windows boxes that were infected with various sorts of worms and spyware. I don't know much about Windows and neither seem the people who did the damage assessment on the Windows machines, so I'm not gonna speculate what type of malware exactly they were infected with. But here's my question: What can I do on the Linux server side to prevent this from happening? As a first response I tightened the firewall rules to not allow outgoing connections by default (which it did until now) and installed a transparent Squid proxy. Incoming connections were, of course, never allowed by default, but I do have a rule that allows ESTABLISHED,RELATED incoming connections. Could this be a problem?
I was thinking of maybe disallowing internet access with Internet Explorer, but I'm not sure if this will help. Also, until now we've been pretty liberal in what type of software people were allowed to use from inside our network. For instance, some people brought in their notebooks and happily chatted away on ICQ, AIM, MSN Messenger and whatnot. Are these types of programs a source of infection as well?
I can't help you much, but I'd like to comment on disabling Internet Explorer. DO IT.
I found that after only using Firefox here at home, I've had hardly any problems.
Maybe installing Spybot Search & Destroy on the Windows machines, and not allowing IE, would probably fix it... I know it's solved my problems at home with my little network.
I just basically installed Firefox, made a shortcut and made the icon IE, so people still think they're using Microsoft. hehe
You'll probably find this site particularly useful, as it describes ARP troubleshooting and manipulation. It's interesting that the ARP cache is actually being flooded, because that would indicate that the malware on the host is either causing it to change its MAC address repeatedly, or (probably more likely) it's spoofing its IP address very rapidly.
One thing you could do is monitor your ARP cache and see if the same MAC address shows up for multiple IP addresses (obviously this cannot include MAC addresses of routers, or other devices that have legitimate reasons to proxy ARP). Your monitor script could send an e-mail or another type of alert to an administrator so the machine in question can be isolated and removed from the network.
It's also probably a good idea to come up with a plan to record the MAC address of every host on your network and where that host is located, so that you'll know where to find an offending machine if it starts acting up.
Originally posted by chort:
"You'll probably find this site particularly useful, as it describes ARP troubleshooting and manipulation. It's interesting that the ARP cache is actually being flooded, because that would indicate that the malware on the host is either causing it to change its MAC address repeatedly, or (probably more likely) it's spoofing its IP address very rapidly."
That is useful indeed. Thanks. I was somewhat surprised about the ARP cache being affected as well. The first thing I suspected was some kind of ARP spoofing attack from the outside, but then I unplugged the uplink network cable and the problem persisted. I also suspect IP spoofing going on here, although I fail to see what for. I saved one infected machine from the Windows people, who just reinstalled from scratch without even analysing what really caused the problem. So I'm gonna try and set up an isolated test network on the weekend and see if I can find out more.
Setting up a script to monitor for MAC address changes sounds like a plan, but I guess I will have to have it ignore any IP that reports more than one MAC address and is not a router immediately, because the DoS effect kicks in about thirty seconds after the infected box is connected to the network.