LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-05-2004, 08:29 AM   #1
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Neighbour table overflow due to windows worm/spyware


Hi everybody

This is a bit off-topic since the problem I have is more of a Windows issue, but it affects my Linux firewall, so here it goes:

Starting last Thursday I noticed random network outages on a LAN with 5 Linux servers and around 100 Windows workstations. On the firewall (Debian stable) I noticed the logs being flooded with the message "Neighbour table overflow", meaning the ARP cache is full. This had a DoS effect and it was impossible for any computer to access the internet unless I flushed the cache (after which it took some thirty seconds and it all started to crumble again).

I tracked the problem down to three Windows boxes that were infected with various sorts of worms and spyware. I don't know much about Windows, and neither seem the people who did the damage assessment on the Windows machines, so I'm not gonna speculate what type of malware exactly they were infected with. But here's my question: what can I do on the Linux server side to prevent this from happening? As a first response I tightened the firewall rules to not allow outgoing connections by default (which it did until now) and installed a transparent Squid proxy. Incoming connections were, of course, never allowed by default, but I do have a rule that allows ESTABLISHED,RELATED incoming connections. Could this be a problem?

I was thinking of maybe disallowing internet access with Internet Explorer, but I'm not sure if this will help. Also, until now we've been pretty liberal in what type of software people were allowed to use from inside our network. For instance, some people brought in their notebooks and happily chatted away on ICQ, AIM, MSN Messenger and whatnot. Are these types of programs a source of infection as well?

Thanks for any input.

demian
 
Old 10-05-2004, 11:57 AM   #2
fuzzai
Member
 
Registered: Jan 2004
Location: Cold Cold North
Distribution: Slackware 10.2
Posts: 39

Rep: Reputation: 15
I can't help you much, but I'd like to comment on disabling Internet Explorer. DO IT.

I found that after only using Firefox here at home, I've had hardly any problems.
Maybe installing Spybot Search & Destroy on the Windows machines, and not allowing IE, would probably fix it... I know it's solved my problems at home with my little network.

I just basically installed Firefox, made a shortcut and made the icon IE, so people still think they're using Microsoft. hehe
 
Old 10-06-2004, 01:09 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
You'll probably find this site particularly useful, as it describes ARP troubleshooting and manipulation. It's interesting that the ARP cache is actually being flooded, because that would indicate that the malware on the host is either causing it to change its MAC address repeatedly, or (probably more likely) it's spoofing its IP address very rapidly.

One thing you could do is monitor your ARP cache and see if the same MAC address shows up for multiple IP addresses (obviously this cannot include MAC addresses of routers, or other devices that have legitimate reasons to proxy ARP). Your monitor script could send an e-mail or another type of alert to an administrator so the machine in question can be isolated and removed from the network.

It's also probably a good idea to come up with a plan to record the MAC address of every host on your network and where that host is located; that way you'll know where to find an offending machine if it starts acting up.
 
Old 10-06-2004, 07:53 AM   #4
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Original Poster
Rep: Reputation: 30
Quote: Originally posted by chort
You'll probably find this site particularly useful, as it describes ARP troubleshooting and manipulation. It's interesting that the ARP cache is actually being flooded, because that would indicate that the malware on the host is either causing it to change its MAC address repeatedly, or (probably more likely) it's spoofing its IP address very rapidly.

That is useful indeed. Thanks. I was somewhat surprised about the ARP cache being affected as well. The first thing I suspected was some kind of ARP spoofing attack from the outside, but then I unplugged the uplink network cable and the problem persisted. I also suspect IP spoofing going on here, although I fail to see what for. I saved one infected machine from the Windows people, who just reinstalled from scratch without even analysing what really caused the problem. So I'm gonna try and set up an isolated test network on the weekend and see if I can find out more.

Setting up a script to monitor for MAC address changes sounds like a plan, but I guess I will have to have it ignore any IP that reports more than one MAC address and is not a router immediately, because the DoS effect kicks in about thirty seconds after the infected box is connected to the network.
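The ARP-cache monitor chort describes, with the router allowlist demian's follow-up asks for, as an added example that is not code from either poster: it parses the Linux /proc/net/arp table format (the table below is a constructed sample) and reports any MAC outside the allowlist that answers for several IPs. The router MAC allowlist and the threshold of two IPs per MAC are assumptions for the example.

```python
"""Detect one MAC address answering for many IPs in the Linux ARP cache.

Added example, not from the thread: parses /proc/net/arp and flags MACs
mapped to more than a threshold of IPs, skipping allowlisted routers."""
from collections import defaultdict

# Constructed sample in /proc/net/arp layout (all addresses are made up).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.20     0x1         0x2         00:aa:bb:cc:dd:20     *        eth0
192.168.1.50     0x1         0x2         00:de:ad:be:ef:99     *        eth0
192.168.1.51     0x1         0x2         00:de:ad:be:ef:99     *        eth0
192.168.1.52     0x1         0x2         00:de:ad:be:ef:99     *        eth0
192.168.1.53     0x1         0x2         00:de:ad:be:ef:99     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.1         0x1         0x2         00:11:22:33:44:01     *        eth1
"""

# Assumed allowlist: router MACs that legitimately answer for several IPs
# (proxy ARP), as demian's follow-up suggests.
ROUTER_MACS = {"00:11:22:33:44:01"}

def parse_arp_table(text):
    """Return {mac: set(ips)} for resolved entries (ATF_COM flag 0x2)."""
    ips_by_mac = defaultdict(set)
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = fields[:6]
        if not int(flags, 16) & 0x2:            # incomplete or stale entry
            continue
        ips_by_mac[mac.lower()].add(ip)
    return dict(ips_by_mac)

def find_suspects(ips_by_mac, allowlist=ROUTER_MACS, threshold=2):
    """MACs outside the allowlist that map to more than `threshold` IPs."""
    return {
        mac: sorted(ips)
        for mac, ips in ips_by_mac.items()
        if mac not in allowlist and len(ips) > threshold
    }

if __name__ == "__main__":
    # On a live firewall, read open("/proc/net/arp").read() instead.
    for mac, ips in find_suspects(parse_arp_table(SAMPLE_ARP_TABLE)).items():
        print(f"ALERT: {mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

Run it from cron every few seconds and pipe the ALERT lines to mail or syslog; the alert fires well inside the thirty-second window before the cache overflows.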