Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
09-11-2005, 08:53 AM | #1 | LQ Newbie | Registered: Jul 2004 | Distribution: Debian 2.4.18 | Posts: 19
how to stop arp Denial of service/flood?
I have a Debian stable, with a 2.6.10 kernel in a network of 600 computers.
There are some people with viruses that generate a lot of arp requests. In iptraf I can see 20-50kbytes/s broadcast traffic.
In tcpdump I can see that the same MAC requests lots of IPs:
15:21:50.287420 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.110.26 tell 10.1.4.58
15:21:50.287448 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.22.28 tell 10.1.4.58
15:21:50.287472 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.235.79 tell 10.1.4.58
15:21:50.290032 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.42.19 tell 10.1.4.58
15:21:50.290258 00:01:02:dd:2e:b7 > Broadcast, ethertype IPv4 (0x0800), length 243: IP 10.1.4.51.netbios-dgm > 10.1.255.255.netbios-dgm: NBT UDP PACKET(138)
15:21:50.290333 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.157 tell 10.1.4.99
15:21:50.291312 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.179 tell 10.1.4.99
15:21:50.291352 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.89.164 tell 10.1.4.99
15:21:50.291376 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.247.246 tell 10.1.4.58
15:21:50.302296 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.179.78 tell 10.1.4.58
15:21:50.307294 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.37.28 tell 10.1.4.99
15:21:50.308974 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.131 tell 10.1.4.58
15:21:50.310219 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.80.199 tell 10.1.4.99
15:21:50.312246 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.14 tell 10.1.4.99
15:21:50.314308 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.102.62 tell 10.1.4.58
15:21:50.316063 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.117.3 tell 10.1.4.58
15:21:50.317737 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.196.166 tell 10.1.4.58
15:21:50.320423 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.167.166 tell 10.1.4.58
15:21:50.320462 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.4.7 tell 10.1.4.58
The server's ping response is horrible - most of the time it's "request timed out"; in PuTTY I type something and wait 10 seconds to see it.
I need to provide internet to 50 people. I put their MACs and IPs in /etc/ethers and loaded them into the ARP cache as permanent entries.
What can I do to stop this?
I tried ifconfig eth0 -arp (eth0 is my LAN card) - it didn't work.
I tried increasing /proc/sys/ipv4/neigh/default/gc_threshold3 to 65535 - it didn't work.
I tried to use arptables and didn't succeed.
In my firewall the only open INPUT ports are 22, 80, 411, 412, 1723.
Thank you in advance!
09-11-2005, 03:15 PM | #2 | Member | Registered: Jun 2005 | Location: q3dm7 | Distribution: Mandriva 2010.0 x86_64 | Posts: 338
You can't stop them sending traffic - all you can do is filter it.
How about sending an email to all users saying network performance is degraded due to a number of viruses on workstations, and that from tomorrow you will be cutting off internet access to the IP addresses generating suspicious traffic? When you start cutting off access and the complaints start arriving, you can re-enable it on a per-IP basis on condition that they immediately install and run antivirus/antispyware.
09-13-2005, 08:58 AM | #3 | LQ Newbie (Original Poster) | Registered: Jul 2004 | Distribution: Debian 2.4.18 | Posts: 19
Yes, the question is how to filter it, or how to make my server ignore it while maintaining functionality.
Your approach is OK - thank you, but I am in a network of networks and there are other providers who need to do the same thing, and it seems they do this, but slowly. Another thing is that there are people in the network who don't have internet access but are still flooding, and we can't easily force them to stop.
This is why I need a way to protect my server in this jungle.
Thank you in advance!
09-13-2005, 03:26 PM | #4 | Member | Registered: Jan 2002 | Distribution: CentOS 3.1 | Posts: 119
The provider will need to filter it on the switch. ARPs are broadcast, which means everyone in the same network segment will receive them.
06-13-2013, 03:14 AM | #5 | LQ Newbie | Registered: Jun 2013 | Posts: 1
And what if the ISP doesn't care
Hi
Sorry to bump such an old topic, but this is the proper place to post this. I have the same thing going on with my fiber ISP. Requests keep flooding my LAN from the fiber end because of their misconfigured network:
10:07:00.697314 ARP, Request who-has 10.65.192.1 tell 10.65.210.249, length 46
10:07:00.738245 ARP, Request who-has 10.65.192.1 tell 10.65.212.136, length 46
10:07:00.847793 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:00.919911 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:00.946800 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
10:07:00.992946 ARP, Request who-has 172.30.10.30 tell 10.65.212.29, length 46
10:07:01.001945 ARP, Request who-has 172.30.10.20 tell 10.65.192.254, length 46
10:07:01.031322 ARP, Request who-has 10.65.248.173 tell 10.65.192.1, length 46
10:07:01.123676 ARP, Request who-has 10.65.192.1 tell 10.65.220.8, length 46
10:07:01.194263 ARP, Request who-has 10.65.234.153 tell 10.65.192.1, length 46
10:07:01.342237 ARP, Request who-has 172.30.10.20 tell 10.65.209.152, length 46
10:07:01.371685 ARP, Request who-has 172.30.10.20 tell 10.65.198.255, length 46
10:07:01.671385 ARP, Request who-has 10.65.192.173 tell 10.65.192.1, length 46
10:07:01.829045 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:01.849716 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:01.940719 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
10:07:02.001800 ARP, Request who-has 172.30.10.20 tell 10.65.192.254, length 46
10:07:02.008443 ARP, Request who-has 10.65.192.1 tell 10.65.212.125, length 46
10:07:02.205704 ARP, Request who-has 10.65.242.201 tell 10.65.242.201, length 46
10:07:02.286321 ARP, Request who-has 10.65.223.234 (d0:15:4a:09:09:18) tell 10.65.192.1, length 46
10:07:02.321873 ARP, Request who-has 172.30.10.20 tell 10.65.209.152, length 46
10:07:02.828438 ARP, Request who-has 172.30.10.30 tell 10.65.214.67, length 46
10:07:02.828901 ARP, Request who-has 10.65.192.1 tell 10.65.219.219, length 46
10:07:02.849985 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:02.940290 ARP, Request who-has 10.65.250.244 tell 10.65.216.106, length 46
This generates a constant 21K/sec packet stream on my network, and it is pushed out on the wireless interface too. I tried everything to disable it for the interfaces:
echo 8 > /proc/sys/net/ipv4/conf/ppp258/arp_ignore
echo 8 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
ifconfig eth0 -arp
ifconfig ppp258 -arp
but it is still flowing into my network. What is the right way to disable these?
I cannot use arptables because the router only has a micro Linux distribution on it which doesn't have it.
Thank you!
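As an added example (editor's code, not from any poster in this thread), the following Python script turns the kind of tcpdump output pasted in posts #1 and #5 into a per-source request count, so the noisy hosts can be named to whoever runs the switch or upstream link, where (as post #4 says) broadcast filtering actually has to happen. The sample lines are constructed, and the `min_requests` threshold is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not a real capture) in the two tcpdump layouts seen in this
# thread: `tcpdump -e` with the source MAC (post #1) and plain `tcpdump arp` (post #5).
SAMPLE = """\
15:21:50.287420 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.110.26 tell 10.1.4.58
15:21:50.287448 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.22.28 tell 10.1.4.58
15:21:50.290258 00:01:02:dd:2e:b7 > Broadcast, ethertype IPv4 (0x0800), length 243: IP 10.1.4.51.netbios-dgm > 10.1.255.255.netbios-dgm: NBT UDP PACKET(138)
15:21:50.290333 00:0c:76:b4:7f:31 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.143.157 tell 10.1.4.99
15:21:50.291376 00:04:76:0b:23:50 > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.1.247.246 tell 10.1.4.58
10:07:00.847793 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:01.849716 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
10:07:02.286321 ARP, Request who-has 10.65.223.234 (d0:15:4a:09:09:18) tell 10.65.192.1, length 46
10:07:02.849985 ARP, Request who-has 10.2.0.230 tell 10.2.0.21, length 46
"""

# One pattern for both layouts; the `mac` group is only present in the -e layout.
ARP_REQUEST = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > Broadcast, ethertype ARP \(0x0806\), "
    r"length \d+: arp|ARP, Request) who-has (?P<target>\d+(?:\.\d+){3})"
    r"(?: \([0-9a-f:]+\))? tell (?P<sender>\d+(?:\.\d+){3})"
)


def parse_arp_requests(text):
    """Yield (source, target) per ARP request: source is the MAC when tcpdump -e
    printed one, else the 'tell' IP. Non-ARP frames (the NetBIOS line) are skipped."""
    for line in text.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            yield (m["mac"] or m["sender"]), m["target"]


def arp_talkers(text, min_requests=3):
    """Per source at or above min_requests: (request count, distinct targets).
    Many distinct targets = scanning host (post #1); one target repeated = a host
    stuck resolving an address nothing on the segment answers for (post #5)."""
    requests, targets = Counter(), defaultdict(set)
    for source, target in parse_arp_requests(text):
        requests[source] += 1
        targets[source].add(target)
    return {s: (n, len(targets[s])) for s, n in requests.items() if n >= min_requests}


if __name__ == "__main__":
    for source, (n, distinct) in sorted(arp_talkers(SAMPLE).items()):
        kind = "scanning" if distinct > 1 else "repeating one target"
        print(f"{source}: {n} requests, {distinct} distinct targets ({kind})")
```

Feed it real output from `tcpdump -e` (post #1's layout) or `tcpdump arp` (post #5's) and raise `min_requests` to suit the capture length. Note that the knobs tried in the thread act on this host's own behaviour (arp_ignore decides whether it answers requests, `ifconfig -arp` stops it using ARP itself) and do not stop broadcast frames from arriving on the interface, which is why the counts above are for handing to the switch or ISP side.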