LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   how to stop arp Denial of service/flood? (https://www.linuxquestions.org/questions/linux-networking-3/how-to-stop-arp-denial-of-service-flood-362331/)

4mix 09-11-2005 08:53 AM

how to stop arp Denial of service/flood?
 
I have a Debian stable, with a 2.6.10 kernel in a network of 600 computers.

There are some people with viruses that generate a lot of arp requests. In iptraf I can see 20-50kbytes/s broadcast traffic.

In tcpdump I can see that the same mac requests lots of IPs:

15:21:50.287420 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.110.26 tell 10.1.4.58
15:21:50.287448 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.22.28 tell 10.1.4.58
15:21:50.287472 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.235.79 tell 10.1.4.58
15:21:50.290032 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.42.19 tell 10.1.4.58
15:21:50.290258 00:01:02:dd:2e:b7 > Broadcast, ethertype IPv4 (0x0800), length 243: IP 10.1.4.51.netbios-dgm > 10.1.255.255.netbios-dgm: NBT UDP PACKET(138)
15:21:50.290333 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.157 tell 10.1.4.99
15:21:50.291312 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.179 tell 10.1.4.99
15:21:50.291352 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.89.164 tell 10.1.4.99
15:21:50.291376 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.247.246 tell 10.1.4.58
15:21:50.302296 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.179.78 tell 10.1.4.58
15:21:50.307294 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.37.28 tell 10.1.4.99
15:21:50.308974 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.131 tell 10.1.4.58
15:21:50.310219 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.80.199 tell 10.1.4.99
15:21:50.312246 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.14 tell 10.1.4.99
15:21:50.314308 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.102.62 tell 10.1.4.58
15:21:50.316063 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.117.3 tell 10.1.4.58
15:21:50.317737 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.196.166 tell 10.1.4.58
15:21:50.320423 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.167.166 tell 10.1.4.58
15:21:50.320462 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.7 tell 10.1.4.58

The server's ping response is horrible: most of the time the request times out, and in PuTTY I type and wait 10 seconds to see anything.

I need to provide internet to 50 people. I put their MACs and IPs in /etc/ethers and loaded them into the ARP cache as permanent entries.

What to do to stop this?

I tried ifconfig eth0 -arp (eth0 is my LAN card) - it didn't work.
I tried to increase /proc/sys/ipv4/neigh/default/gc_threshold3 to 65535 - it didn't work.
I tried to use arptables and didn't succeed.

In my firewall the only open INPUT ports are 22, 80, 411, 412 and 1723.

Thank you in advance!

Snowbat 09-11-2005 03:15 PM

You can't stop them sending traffic - all you can do is filter it.

How about sending an email to all users saying network performance is degraded due to a number of viruses on workstations and that from tomorrow you will be cutting off internet access to the IP addresses generating suspicious traffic? When you start cutting off access and the complaints start arriving, you can re-enable on a per-IP basis on condition that they immediately install and run antivirus/antispyware.

4mix 09-13-2005 08:58 AM

Yes, the question is how to filter it, or how to do something so my server will ignore it while maintaining functionality.

Your approach is OK - thank you, but I am in a network of networks and there are other providers who need to do the same thing, and it seems they do this, but slowly. Another thing is that there are people in the network who don't have internet access but are still flooding, and we can't easily force them to stop it.

This is why I need a way to protect my server in this jungle.

Thank you in advance!

R4z0r 09-13-2005 03:26 PM

The provider will need to filter it on the switch. ARPs are broadcast, which means everyone in the same network segment will receive them.

spidermanx 06-13-2013 03:14 AM

And what if the ISP doesn't care?
 
Hi

Sorry to bump such an old topic, but this is the proper place to post this. I have the same thing going on with my fiber ISP. Requests keep flooding my LAN from the fiber end because of their misconfigured network:

10:07:00.697314 ARP, Request who-has 10.65.192.1 tell 10.65.210.249, length 46
10:07:00.738245 ARP, Request who-has 10.65.192.1 tell 10.65.212.136, length 46
10:07:00.847793 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:00.919911 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:00.946800 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
10:07:00.992946 ARP, Request who-has 172.30.10.30 tell 10.65.212.29, length 46
10:07:01.001945 ARP, Request who-has 172.30.10.20 tell 10.65.192.254, length 46
10:07:01.031322 ARP, Request who-has 10.65.248.173 tell 10.65.192.1, length 46
10:07:01.123676 ARP, Request who-has 10.65.192.1 tell 10.65.220.8, length 46
10:07:01.194263 ARP, Request who-has 10.65.234.153 tell 10.65.192.1, length 46
10:07:01.342237 ARP, Request who-has 172.30.10.20 tell 10.65.209.152, length 46
10:07:01.371685 ARP, Request who-has 172.30.10.20 tell 10.65.198.255, length 46
10:07:01.671385 ARP, Request who-has 10.65.192.173 tell 10.65.192.1, length 46
10:07:01.829045 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:01.849716 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:01.940719 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
10:07:02.001800 ARP, Request who-has 172.30.10.20 tell 10.65.192.254, length 46
10:07:02.008443 ARP, Request who-has 10.65.192.1 tell 10.65.212.125, length 46
10:07:02.205704 ARP, Request who-has 10.65.242.201 tell 10.65.242.201, length 46
10:07:02.286321 ARP, Request who-has 10.65.223.234 (d0:15:4a:09:09:18) tell 10.65.192.1, length 46
10:07:02.321873 ARP, Request who-has 172.30.10.20 tell 10.65.209.152, length 46
10:07:02.828438 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:02.828901 ARP, Request who-has 10.65.192.1 tell 10.65.219.219, length 46
10:07:02.849985 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:02.940290 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46

This generates a constant 21K/sec packet stream on my network, and it is pushed out on the wireless interface too. I tried everything to disable it for the interfaces:

echo 8 > /proc/sys/net/ipv4/conf/ppp258/arp_ignore
echo 8 > /proc/sys/net/ipv4/conf/eth0/arp_ignore


ifconfig eth0 -arp
ifconfig ppp258 -arp

but it is still flowing into my network. What is the right way to disable these?
I cannot use arptables because the router only has a micro Linux distribution on it which doesn't have it.

Thank you!
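Both captures in this thread (4mix's, printed with link-level headers so the source MAC is visible, and spidermanx's, printed without them) can be mined to separate a worm-style scanner, one requester asking for many different IPs, from a host that is merely repeating an unanswered who-has for the same neighbour. The script below is an added example written for this page, not code posted in the thread; the sample lines are a constructed subset of the two captures above, and the thresholds are assumptions to tune for your own network. Since arp_ignore and ifconfig -arp only change what the host answers, not what arrives on the wire, the list this produces is what you hand to the switch operator or ISP, or use to write per-MAC drop rules where arptables is available.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the two tcpdump formats quoted in this thread.
# Format A (tcpdump -e) shows the source MAC; format B shows only the sender IP.
SAMPLE_LINES = """\
15:21:50.287420 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.110.26 tell 10.1.4.58
15:21:50.287448 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.22.28 tell 10.1.4.58
15:21:50.290258 00:01:02:dd:2e:b7 > Broadcast, ethertype IPv4 (0x0800), length 243: IP 10.1.4.51.netbios-dgm > 10.1.255.255.netbios-dgm: NBT UDP PACKET(138)
15:21:50.290333 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.157 tell 10.1.4.99
15:21:50.302296 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.179.78 tell 10.1.4.58
15:21:50.320462 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.7 tell 10.1.4.58
10:07:00.697314 ARP, Request who-has 10.65.192.1 tell 10.65.210.249, length 46
10:07:00.919911 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:01.829045 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:02.286321 ARP, Request who-has 10.65.223.234 (d0:15:4a:09:09:18) tell 10.65.192.1, length 46
10:07:02.828438 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
"""

# Format A: "<time> <src mac> > Broadcast, ethertype ARP (0x0806), length N: arp who-has <target> tell <sender>"
LINK_LEVEL_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<mac>[0-9a-f:]{17}) > \S+, ethertype ARP \(0x0806\), "
    r"length \d+: arp who-has (?P<target>\S+) tell (?P<sender>\S+)$"
)
# Format B: "<time> ARP, Request who-has <target> [(<mac>)] tell <sender>, length N"
PLAIN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Request who-has (?P<target>\S+)(?: \([0-9a-f:]{17}\))? "
    r"tell (?P<sender>\S+), length \d+$"
)


def _seconds(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_request(line):
    """Return (time_in_seconds, requester, target) for an ARP who-has line, else None.

    The requester is the source MAC when tcpdump printed link-level headers
    (a MAC cannot be faked away by a changing sender IP), otherwise the sender
    IP from the 'tell' field. Non-ARP lines and ARP replies yield None."""
    m = LINK_LEVEL_RE.match(line.strip())
    if m:
        return _seconds(m["ts"]), m["mac"], m["target"]
    m = PLAIN_RE.match(line.strip())
    if m:
        return _seconds(m["ts"]), m["sender"], m["target"]
    return None


def summarize(lines):
    """Per requester: request count, set of distinct targets, first/last time seen."""
    stats = defaultdict(lambda: {"count": 0, "targets": set(), "first": None, "last": None})
    for line in lines:
        parsed = parse_arp_request(line)
        if parsed is None:
            continue
        ts, who, target = parsed
        s = stats[who]
        s["count"] += 1
        s["targets"].add(target)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def find_scanners(lines, min_requests=3, min_distinct_targets=3):
    """Flag requesters that ask for many *different* IPs (thresholds are assumptions).

    A healthy host repeating who-has for one unanswered neighbour is not flagged;
    a host walking the address space, as the infected 10.1.4.58 does above, is."""
    result = {}
    for who, s in summarize(lines).items():
        if s["count"] >= min_requests and len(s["targets"]) >= min_distinct_targets:
            span = max(s["last"] - s["first"], 1e-6)  # avoid division by zero
            result[who] = {
                "requests": s["count"],
                "distinct_targets": len(s["targets"]),
                "requests_per_second": round(s["count"] / span, 1),
            }
    return result


if __name__ == "__main__":
    # Offline demo on the constructed sample; in practice pipe in `tcpdump -e -n arp`.
    for who, info in find_scanners(SAMPLE_LINES.splitlines()).items():
        print(who, info)
```

On the constructed sample only 00:04:76:0b:23:50 is reported: four requests for four different IPs within about 33 ms. The host 10.65.214.67 from the second capture sends three requests but all for 172.30.10.30, which is what an ordinary unanswered ARP looks like, so it is left alone. Keying on the MAC where it is available matters because a scanning worm may change or spoof the sender IP, while the frame's source address is what the switch port actually sees.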

