Re: [suse-security] Source MAC Address DoS
----- Original Message -----
From: "GertJan Spoelman" <nobody@xxxxxxxxxxxxxxxxx>
Sent: Friday, May 09, 2003 2:59 AM
Subject: Re: [suse-security] Source MAC Address DoS
> On Thursday 08 May 2003 10:28, jiade wrote:
> > I got an arp storm in my network (30 PCs and some WLAN devices),
> > about 10,000 arp requests per second, no responses, lasting
> > for several minutes, all these arp requests have the same content
> > which looks very strange:
> > SRC          DST          info
> > 0060e0017d96 0060f0017d96 who has 192.168.1.188? tell 192.168.1.188
> > it's an arp request but the DST is not a broadcast,
> > and the DST is a real MAC address of one of my netcards
> > while the SRC is a fake one.
> > This happens several times a day but not regularly.
> > Who will send millions of this kind of arp requests?
> > Later I captured these packets and replayed this storm at
> > no matter what kind of upper level protocol stuff (ARP,UDP or
> > something else) I filled in these packets, they will jam up the Linux box
> > whose MAC address is the same as the SOURCE (not the destination) MAC
> > address of these packets.
> First you say the SRC is fake and now you say it locks up the SRC, or did
> you also replace the SRC address?
Sorry, I've made a mistake, the SRC is real but the DST is fake.
> > When I change the packets' source MAC address with the destination MAC
> > address, the Linux box works well. I don't know the reason.
> > Need your help, thanks.
> Since the SRC and DST MAC addresses differ by only 1 bit (e0 / f0) it could
> be that it comes from the same NIC maybe it has some weird hardware
> first thing I would do is replace that NIC.
I did replace the NIC, but it was the same, the storm packets' SRC and DST
addresses still differ by 1 bit or 2.
> Email address is invalid, so don't reply directly, I'm on the list.
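
Added example, not part of the original thread: a Python check that tags captured Ethernet frames showing the traits reported above, namely a unicast ARP request whose source and destination MAC addresses differ by one or two bits. The tag names, the ARP sender hardware address in the sample, and the two non-storm sample frames are assumptions constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def mac_bit_distance(a: bytes, b: bytes) -> int:
    """Number of bits that differ between two 6-byte MAC addresses."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")

def inspect_frame(frame: bytes, max_bits: int = 2) -> list:
    """Return anomaly tags for one raw Ethernet frame (empty list if none apply)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return []                                   # too short or not ARP
    dst, src = frame[0:6], frame[6:12]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []                                   # not IPv4-over-Ethernet ARP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    tags = []
    if oper == 1 and dst != BROADCAST:
        tags.append("unicast-arp-request")          # legitimate in some stacks
    if oper == 1 and spa == tpa:
        tags.append("asks-for-own-ip")              # also true of gratuitous ARP
    if sha != src:
        tags.append("sender-hw-mismatch")
    if 0 < mac_bit_distance(src, dst) <= max_bits:
        tags.append("src-dst-near-identical")
    return tags

def matches_thread_pattern(frame: bytes) -> bool:
    """True only for the combination reported in the thread."""
    return {"unicast-arp-request", "src-dst-near-identical"} <= set(inspect_frame(frame))

def build_arp_request(src: str, dst: str, spa: str, tpa: str) -> bytes:
    """Constructed test frame; ARP sender HW address assumed equal to Ethernet source."""
    s, d = bytes.fromhex(src), bytes.fromhex(dst)
    ip = lambda text: bytes(int(o) for o in text.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + s + ip(spa) + bytes(6) + ip(tpa)
    return d + s + struct.pack("!H", 0x0806) + arp

# Constructed samples: the frame quoted in the thread, a normal broadcast request,
# and a broadcast gratuitous ARP (benign on its own).
STORM = build_arp_request("0060e0017d96", "0060f0017d96", "192.168.1.188", "192.168.1.188")
NORMAL = build_arp_request("0060e0017d96", "ffffffffffff", "192.168.1.10", "192.168.1.1")
GRATUITOUS = build_arp_request("0060e0017d96", "ffffffffffff", "192.168.1.188", "192.168.1.188")

if __name__ == "__main__":
    for name, f in (("storm", STORM), ("normal", NORMAL), ("gratuitous", GRATUITOUS)):
        print(name, inspect_frame(f), matches_thread_pattern(f))
```

Each tag alone can occur in normal traffic; only the combination checked by `matches_thread_pattern` corresponds to the frames described in the thread.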