LinuxQuestions.org
Forum: Linux - Networking
#1  4mix (LQ Newbie), 09-11-2005, 08:53 AM

How to stop ARP denial of service/flood?


I have a Debian stable box with a 2.6.10 kernel in a network of 600 computers.

There are some people with viruses that generate a lot of ARP requests. In iptraf I can see 20-50 kbytes/s of broadcast traffic.

In tcpdump I can see that the same MAC requests lots of IPs:

15:21:50.287420 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.110.26 tell 10.1.4.58
15:21:50.287448 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.22.28 tell 10.1.4.58
15:21:50.287472 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.235.79 tell 10.1.4.58
15:21:50.290032 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.42.19 tell 10.1.4.58
15:21:50.290258 00:01:02:dd:2e:b7 > Broadcast, ethertype IPv4 (0x0800), length 243: IP 10.1.4.51.netbios-dgm > 10.1.255.255.netbios-dgm: NBT UDP PACKET(138)
15:21:50.290333 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.157 tell 10.1.4.99
15:21:50.291312 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.179 tell 10.1.4.99
15:21:50.291352 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.89.164 tell 10.1.4.99
15:21:50.291376 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.247.246 tell 10.1.4.58
15:21:50.302296 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.179.78 tell 10.1.4.58
15:21:50.307294 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.37.28 tell 10.1.4.99
15:21:50.308974 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.131 tell 10.1.4.58
15:21:50.310219 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.80.199 tell 10.1.4.99
15:21:50.312246 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.14 tell 10.1.4.99
15:21:50.314308 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.102.62 tell 10.1.4.58
15:21:50.316063 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.117.3 tell 10.1.4.58
15:21:50.317737 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.196.166 tell 10.1.4.58
15:21:50.320423 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.167.166 tell 10.1.4.58
15:21:50.320462 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.7 tell 10.1.4.58

The server's ping response is horrible - most of the time the request times out, and in PuTTY I type something and wait 10 seconds to see it.

I need to provide internet to 50 people. I put their MACs and IPs in /etc/ethers and loaded them into the ARP cache as permanent entries.

What can I do to stop this?

I tried ifconfig eth0 -arp (eth0 is my LAN card) - it didn't work.
I tried to increase /proc/sys/ipv4/neigh/default/gc_threshold3 to 65535 - it didn't work.
I tried to use arptables and didn't succeed.

In my firewall the only open INPUT ports are 22, 80, 411, 412 and 1723.

Thank you in advance!
 
#2  Snowbat (Member), 09-11-2005, 03:15 PM
You can't stop them sending traffic - all you can do is filter it.

How about sending an email to all users saying network performance is degraded due to a number of viruses on workstations, and that from tomorrow you will be cutting off internet access to the IP addresses generating suspicious traffic? When you start cutting off access and the complaints start arriving, you can re-enable it on a per-IP basis on condition that they immediately install and run antivirus/antispyware.
 
#3  4mix (LQ Newbie, original poster), 09-13-2005, 08:58 AM
Yes, the question is how to filter it, or how to do something so my server will ignore it while maintaining functionality.

Your approach is OK - thank you, but I am in a network of networks and there are other providers who need to do the same thing, and it seems they do this, but slowly. Another thing is that there are people in the network who don't have internet access but are still flooding, and we can't easily force them to stop.

This is why I need a way to protect my server in this jungle.

Thank you in advance!
 
#4  R4z0r (Member), 09-13-2005, 03:26 PM
The provider will need to filter it on the switch. ARPs are broadcast, which means everyone in the same network segment will receive them.
 
#5  spidermanx (LQ Newbie), 06-13-2013, 03:14 AM

And what if the ISP doesn't care?

Hi

Sorry to bump such an old topic, but this is the proper place to post this. I have the same thing going on with my fiber ISP. Requests keep flooding my LAN from the fiber end because of their misconfigured network:

10:07:00.697314 ARP, Request who-has 10.65.192.1 tell 10.65.210.249, length 46
10:07:00.738245 ARP, Request who-has 10.65.192.1 tell 10.65.212.136, length 46
10:07:00.847793 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:00.919911 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:00.946800 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
10:07:00.992946 ARP, Request who-has 172.30.10.30 tell 10.65.212.29, length 46
10:07:01.001945 ARP, Request who-has 172.30.10.20 tell 10.65.192.254, length 46
10:07:01.031322 ARP, Request who-has 10.65.248.173 tell 10.65.192.1, length 46
10:07:01.123676 ARP, Request who-has 10.65.192.1 tell 10.65.220.8, length 46
10:07:01.194263 ARP, Request who-has 10.65.234.153 tell 10.65.192.1, length 46
10:07:01.342237 ARP, Request who-has 172.30.10.20 tell 10.65.209.152, length 46
10:07:01.371685 ARP, Request who-has 172.30.10.20 tell 10.65.198.255, length 46
10:07:01.671385 ARP, Request who-has 10.65.192.173 tell 10.65.192.1, length 46
10:07:01.829045 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:01.849716 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:01.940719 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
10:07:02.001800 ARP, Request who-has 172.30.10.20 tell 10.65.192.254, length 46
10:07:02.008443 ARP, Request who-has 10.65.192.1 tell 10.65.212.125, length 46
10:07:02.205704 ARP, Request who-has 10.65.242.201 tell 10.65.242.201, length 46
10:07:02.286321 ARP, Request who-has 10.65.223.234 (d0:15:4a:09:09:18) tell 10.65.192.1, length 46
10:07:02.321873 ARP, Request who-has 172.30.10.20 tell 10.65.209.152, length 46
10:07:02.828438 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:02.828901 ARP, Request who-has 10.65.192.1 tell 10.65.219.219, length 46
10:07:02.849985 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:02.940290 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46

This generates a constant 21K/sec packet stream on my network, and it is pushed out on the wireless interface too. I tried everything to disable it on the interfaces:

echo 8 > /proc/sys/net/ipv4/conf/ppp258/arp_ignore
echo 8 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

ifconfig eth0 -arp
ifconfig ppp258 -arp

but it is still flowing into my network. What is the right way to disable these?
I cannot use arptables because the router only has a micro Linux distribution on it, which doesn't include it.

Thank you!
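Both captures in this thread, the tcpdump -e output in post #1 (source MAC, "ethertype ARP", "arp who-has X tell Y") and the plain output in post #5 ("ARP, Request who-has X tell Y"), call for the same triage before anything can be filtered: which station is asking, how fast, and about how many different hosts. The Python below is an added example, not code from the thread or from any of the posters. It parses both line styles, ranks requesters by rate and by number of distinct targets, lists senders whose IP lies outside the local subnet (in post #5 a request from 10.2.0.21 on a 10.65.x.x segment points at the provider bridging several segments into one broadcast domain), and emits arptables INPUT rules for the identified MACs. The sample lines are constructed in the style of the posted ones, and the subnets (10.1.0.0/16 and 10.65.192.0/18) and the 10 requests/s and 5-host thresholds are assumptions to adjust.

```python
"""Triage of an ARP request flood from saved tcpdump output (added example)."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "(aa:bb:...)" follows the target when the request carries a target MAC
_TAIL = rf"who-has (?P<target>{IPV4})(?: \([^)]*\))? tell (?P<sender>{IPV4})"
# With -e: "ts 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has X tell Y"
_WITH_ETH = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<mac>(?:[0-9a-f]{{2}}:){{5}}[0-9a-f]{{2}}) > \S+, "
    rf"ethertype ARP .*?arp {_TAIL}", re.I)
# Without -e: "ts ARP, Request who-has X tell Y, length 46"
_NO_ETH = re.compile(rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Request {_TAIL}", re.I)

# source: the sender MAC when the capture has one, otherwise the sender IP
ArpRequest = namedtuple("ArpRequest", "t source sender target")

def _seconds(ts):
    """hh:mm:ss.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_line(line):
    """ArpRequest for an ARP request line, None for any other line."""
    for rx in (_WITH_ETH, _NO_ETH):
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            src = (d.get("mac") or d["sender"]).lower()
            return ArpRequest(_seconds(d["ts"]), src, d["sender"], d["target"])
    return None

def parse(lines):
    return [r for r in map(parse_line, lines) if r is not None]

@dataclass
class SourceStats:
    requests: int = 0
    targets: set = field(default_factory=set)
    rate: float = 0.0  # requests per second over the whole capture window

def summarize(requests):
    """Per source: request count, distinct hosts asked about, request rate."""
    stats = {}
    window = (max(r.t for r in requests) - min(r.t for r in requests)) if requests else 0.0
    for r in requests:
        s = stats.setdefault(r.source, SourceStats())
        s.requests += 1
        s.targets.add(r.target)
    for s in stats.values():  # a one-packet capture has no window: use the count
        s.rate = s.requests / window if window > 0 else float(s.requests)
    return stats

def flooders(stats, min_rate=10.0, min_targets=5):
    """Sources that ask fast AND about many hosts, fastest first.  A gateway also asks
    about many hosts, so target count alone is weak.  The thresholds are assumptions."""
    return sorted((src for src, s in stats.items()
                   if s.rate >= min_rate and len(s.targets) >= min_targets),
                  key=lambda src: -stats[src].rate)

def foreign_senders(requests, local_net):
    """Sender IPs outside local_net.  ARP stays inside one broadcast domain, so
    off-subnet senders show the upstream is bridging segments, not routing."""
    net = ipaddress.ip_network(local_net)
    return sorted({r.sender for r in requests if ipaddress.ip_address(r.sender) not in net})

def arptables_rules(macs):
    """arptables lines that keep this host from processing requests from the MACs;
    the frames still reach the NIC, which only the switch port or the sender can stop."""
    return [f"arptables -A INPUT --source-mac {m} -j DROP" for m in macs]

# Constructed samples modelled on the line styles quoted in the thread (not real captures)
SAMPLE_E = """\
15:21:50.100000 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.110.26 tell 10.1.4.58
15:21:50.120000 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.22.28 tell 10.1.4.58
15:21:50.140000 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.235.79 tell 10.1.4.58
15:21:50.150000 00:01:02:dd:2e:b7 > Broadcast, ethertype IPv4 (0x0800), length 243: IP 10.1.4.51.netbios-dgm > 10.1.255.255.netbios-dgm: NBT UDP PACKET(138)
15:21:50.160000 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.42.19 tell 10.1.4.58
15:21:50.200000 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.1 tell 10.1.4.99
15:21:50.300000 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.102.62 tell 10.1.4.58
"""
SAMPLE_PLAIN = """\
10:07:00.000000 ARP, Request who-has 10.65.192.1 tell 10.65.210.249, length 46
10:07:00.100000 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:00.300000 ARP, Request who-has 10.65.223.234 (d0:15:4a:09:09:18) tell 10.65.192.1, length 46
10:07:01.000000 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
"""

if __name__ == "__main__":
    for text, net in ((SAMPLE_E, "10.1.0.0/16"), (SAMPLE_PLAIN, "10.65.192.0/18")):
        reqs = parse(text.splitlines())
        stats = summarize(reqs)
        for src, s in sorted(stats.items(), key=lambda kv: -kv[1].rate):
            print(f"{src:18} {s.requests:3d} req {len(s.targets):3d} hosts {s.rate:6.1f}/s")
        print("flooders:", flooders(stats), " off-subnet senders:", foreign_senders(reqs, net))
        print("\n".join(arptables_rules(m for m in flooders(stats) if ":" in m)))
```

On a live host, feed parse() the lines of `tcpdump -e -nn -l arp` instead of the samples. The arptables rules only spare the host's own ARP handling and neighbour table; as R4z0r says above, the broadcasts themselves still reach every port in the segment, so the switch (or the infected station) is where they have to be stopped.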
 
  

