Hi guys,

Sorry if this is a little offtopic, but I was wondering what can one do to prevent/stop arp flooding?

Thanks,
Alex

--
This message has been scanned for viruses and dangerous content by LG-Network (http://www.lgnet.ro), and is believed to be clean.
Hi,

Alex wrote:
> Sorry if this is a little offtopic, but I was wondering what can one do
> to prevent/stop arp flooding?

Shut down the switch port the machine is attached to. Some managed switches can do that automatically once the arp flood starts.

Regards,
Carl-Daniel
> Hi guys,

Hi

> Sorry if this is a little offtopic, but I was wondering what can one
> do to prevent/stop arp flooding?

You can increase the arp cache table size:

echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

It'll make your box handle arpfloods more easily (at least the DoS part).

You can also use static arp entries (man arp). This will ensure known computers will always have access to (through) your router (even with an arpflood in progress).

The two solutions mentioned above cope with "Neighbour table overflow" and problems with accessibility for other legitimate users. They don't cope however with the router's cpu utilisation...

Hope that helps.

Marek Kierdelewicz
KoBa ISP
This is what I do to avoid "Neighbor table overflow":

echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

I should mention that I don't get the message "Neighbor table overflow", at least with these settings; don't know with the default.

Now the thing is that the load average goes up to 30 and the gateway doesn't even respond to ping after a while. The arp-requests are not only for ips that are assigned to hosts but even for un-allocated ips in the same subnet.

Maybe dividing into multiple vlans would be a better idea?

Regards,
Alex

----- Original Message -----
From: "Marek Kierdelewicz" <marek@piasta.pl>
To: <lartc@mailman.ds9a.nl>
Sent: Wednesday, October 19, 2005 9:04 PM
Subject: Re: [LARTC] arp flood (offtopic?)

>> Hi guys,
>
> Hi
>
>> Sorry if this is a little offtopic, but I was wondering what can one
>> do to prevent/stop arp flooding?
>
> You can increase the arp cache table size:
>
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> It'll make your box handle arpfloods more easily (at least the DoS part).
>
> You can also use static arp entries (man arp). This will ensure known
> computers will always have access to (through) your router (even with
> an arpflood in progress).
>
> The two solutions mentioned above cope with "Neighbour table overflow" and
> problems with accessibility for other legitimate users. They
> don't cope however with the router's cpu utilisation...
>
> Hope that helps.
>
> Marek Kierdelewicz
> KoBa ISP
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Alex wrote:
> Now the thing is that the load average goes up to 30 and the gateway
> doesn't even respond to ping after a while.
> The arp-requests are not only for ips that are assigned to hosts but
> even for un-allocated ips in the same subnet.

Ah. Classical problem. There are only two realistic explanations for it:
- the source of the arp flood is scanning the local net
- the source of the arp flood has been infected with a virus.
In my experience, only viruses generate real floods; scans are much more friendly to the network. So just clean the viruses from the flooding machines.

> Maybe dividing into multiple vlans would be a better idea?

Yes, that would somewhat help, but not solve the problem completely. Besides, I'd go for fixing the real problem instead of some symptoms.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/
Has anyone tried ebtables and the limit target to control the rate?

On Thu, 2005-10-20 at 00:09 +0200, Carl-Daniel Hailfinger wrote:
> Alex wrote:
>> Now the thing is that the load average goes up to 30 and the gateway
>> doesn't even respond to ping after a while.
>> The arp-requests are not only for ips that are assigned to hosts but
>> even for un-allocated ips in the same subnet.
>
> Ah. Classical problem. There are only two realistic explanations for it:
> - the source of the arp flood is scanning the local net
> - the source of the arp flood has been infected with a virus.
> In my experience, only viruses generate real floods; scans are much more
> friendly to the network. So just clean the viruses from the flooding
> machines.
>
>> Maybe dividing into multiple vlans would be a better idea?
>
> Yes, that would somewhat help, but not solve the problem completely.
> Besides, I'd go for fixing the real problem instead of some symptoms.
>
> Regards,
> Carl-Daniel
On Wed, 19 Oct 2005 17:44:49 +0300 "Alex" <alex@hostingcenter.ro> wrote:

> Hi guys,

Hi,

> Sorry if this is a little offtopic, but I was wondering what can one do to
> prevent/stop arp flooding?

As Carl-Daniel already said, the proper way to do this is to clean all the machines from worms. I have some tips on how to do this.

I am the author of ASPE (Automatic Security Policy Enforcement), and two of its modules are quite useful for this: aspe.arpflood and aspe.vulncheck. Unfortunately, ASPE is developed only as a part of a whole linux distribution, so using it on other distributions isn't straightforward, but fortunately you don't have to run ASPE on a router; just put it on some old box (Pentium I with 64MB RAM and one network card should be sufficient) somewhere on the LAN.

During the last 2 months there has been a substantial rewrite to make ASPE more configurable, which also had the effect that it is more complex to set up. Complete and current configuration docs are available here: http://docs.shurdix.org/aspe:config , but there are no examples yet, which makes it difficult to understand. There is also a short intro, but only in German: http://shurdeek.shurdix.org/tmp/ASPE.pdf

So I'll post some info here; I hope people won't mind, because in my experience a lot of sites have this problem and I have been working on ASPE for about 2 years now, so it's been tested in action. It's licensed under the GPL.

ASPE works like this: there are modules (4 at the moment) and they detect stuff (both active and passive), and you can define actions it should do when a certain amount (per IP) of them occurs. The 2 modules for the mentioned problem are:

aspe.arpflood: detects computers that are looking for computers that don't exist. It uses PCAP to capture ARP requests. ARP requests look like this:

who has A tell B

This tells us 2 things: A is looking for B, and A exists.
Next time it sees something like

who has B tell C

it won't be considered as a part of a flood because it remembers that B exists (IPs time out after one day of inactivity). If a computer has been constantly looking for non-existing computers for a substantial amount of time (configurable) it is considered to be flooding. It is able to catch worms that scan the network slowly as well.

aspe.vulncheck: looks for windows computers that are not patched against sasser. It has very low overhead (both CPU and network), as large parts are passive, but high effectiveness.

The actions are:

(these work without any requirements):
- send an email to admin
- notify the computer via winpopup
- execute an external program

(these work only when you use Shurdix' user management):
- send an email to the owner of the computer
- block/unblock internet access

If you can hack up a script that blocks the correct switch port, you can use "exec"; if not, you can use "mailadmin" (the triggers are not exclusive, so you can use both at the same time too).

Here is what the config could look like in your situation:

/etc/sysconfig/aspe.vulncheck:

dev=eth0
# don't scan more frequently than once an hour
maxfreq=3600
action_vulnerable_timeout=86400
action_patched_timeout=86400
# notify him/her constantly if vulnerable
action_vulnerable_notifyperson_count=*
action_vulnerable_notifyperson_method=winpopup
action_vulnerable_notifyperson_msg=Your computer is vulnerable to the Sasser Worm. Please visit http://windowsupdate.microsoft.com and update your system.
# thank if patched (don't worry, this will REALLY only be triggered once, not
# everytime the computer connects to the network :-))
action_patched_notifyperson_count=1
action_patched_notifyperson_method=winpopup
action_patched_notifyperson_msg=Thank you for updating your system and keeping our network safe.
/etc/sysconfig/aspe.arpflood:

#if you want to ignore some computers uncomment next line
#ignore=1.2.3.4
dev=eth0
# 24 hours
action_arp_timeout=86400
# 3 per minute
action_arp_mtba=20
# after about 10 minutes it's a flood
action_arp_inform_count=30
action_arp_inform_method=mailadmin
action_arp_inform_subj=aspe.arpflood report
action_arp_inform_msg=$ip is flooding
# if you have a script that blocks the switch:
action_arp_kickhim_count=30
action_arp_kickhim_method=exec
action_arp_kickhim_exec=/root/kickhim.sh $ip

/etc/sysconfig/mail:

sender=who@you.want.the.mails.to.be.coming.from
root=admin@email.address
# if you need a relay uncomment following line
#relay=1.2.5.6

For monitoring, grep logs for "aspe"; every hit of a defined trigger is logged (which is usually different from "every occurrence of a problem").

I hope it helps and isn't too confusing. If you have questions, I recommend you post in the ASPE forum: http://forum.shurdix.org/viewforum.php?f=3 (you can post in English of course).

> Thanks,
>
> Alex

Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls
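As an added example (not ASPE's code and not from the list), here is a small Python implementation of the heuristic Peter describes: a sender that keeps asking for IPs nobody has ever been seen talking from is counted as flooding, with mtba/count/timeout knobs mirroring the aspe.arpflood settings above. The "who has A tell B" line format with a leading timestamp and the sample traffic are constructed for this example; the assumption is that the "tell" side of a request proves that address exists.

```python
import re
from collections import defaultdict

# constructed line format: "<seconds> who has <target> tell <sender>"
LINE_RE = re.compile(r"^(\d+)\s+who has (\S+) tell (\S+)$")

class ArpFloodDetector:
    """Flag senders that keep asking for IPs nobody has been seen using."""
    def __init__(self, mtba=20, count=30, timeout=86400):
        self.mtba = mtba          # min seconds between two counted misses
        self.count = count        # misses needed before a sender is reported
        self.timeout = timeout    # seconds an IP stays 'known' after it last spoke
        self.alive = {}           # ip -> last timestamp it was seen sending
        self.misses = defaultdict(int)
        self.last_counted = {}
        self.reported = set()

    def observe(self, ts, target, sender):
        """Return the sender's IP the first time it crosses the flood threshold."""
        self.alive[sender] = ts   # the 'tell' side proves it exists by asking
        if target in self.alive and ts - self.alive[target] < self.timeout:
            return None           # asking for a real host: not suspicious
        last = self.last_counted.get(sender)
        if last is not None and ts - last < self.mtba:
            return None           # rate-limit how fast misses accumulate
        self.last_counted[sender] = ts
        self.misses[sender] += 1
        if self.misses[sender] >= self.count and sender not in self.reported:
            self.reported.add(sender)
            return sender
        return None

def scan(lines, **kw):
    """Run the detector over text lines; return [(ts, ip)] per reported sender."""
    det, reports = ArpFloodDetector(**kw), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = int(m.group(1))
        hit = det.observe(ts, m.group(2), m.group(3))
        if hit:
            reports.append((ts, hit))
    return reports

def build_sample():
    """Constructed traffic: two real hosts talking, then one host sweeping unused IPs."""
    lines = ["0 who has 10.0.0.7 tell 10.0.0.1", "1 who has 10.0.0.1 tell 10.0.0.7"]
    lines += [f"{10 + i * 10} who has 10.0.0.{100 + i} tell 10.0.0.66" for i in range(60)]
    return lines
```

With the sweep asking every 10 seconds and mtba=20, only every second request is counted, so the 30th miss (and the report) lands at t=590; the two legitimate hosts are never reported.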