* [LARTC] arp flood (offtopic?)
@ 2005-10-19 14:44 Alex
2005-10-19 14:51 ` Carl-Daniel Hailfinger
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Alex @ 2005-10-19 14:44 UTC (permalink / raw)
To: lartc
Hi guys,
Sorry if this is a little offtopic, but I was wondering what can one do to
prevent/stop arp flooding ?
Thanks,
Alex
--
This message has been scanned for viruses and
dangerous content by LG-Network(http://www.lgnet.ro), and is
believed to be clean.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] arp flood (offtopic?)
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
@ 2005-10-19 14:51 ` Carl-Daniel Hailfinger
2005-10-19 18:04 ` Marek Kierdelewicz
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Carl-Daniel Hailfinger @ 2005-10-19 14:51 UTC (permalink / raw)
To: lartc
Hi,
Alex schrieb:
>
> Sorry if this is a little offtopic, but I was wondering what can one do
> to prevent/stop arp flooding ?
Shut down the switch port to which the machine is attached. Some managed
switches can do that automatically once the arp flood starts.
Regards,
Carl-Daniel
* Re: [LARTC] arp flood (offtopic?)
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
2005-10-19 14:51 ` Carl-Daniel Hailfinger
@ 2005-10-19 18:04 ` Marek Kierdelewicz
2005-10-19 20:55 ` Alex
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Marek Kierdelewicz @ 2005-10-19 18:04 UTC (permalink / raw)
To: lartc
> Hi guys,
Hi
>
> Sorry if this is a little offtopic, but I was wondering what can one
> do to prevent/stop arp flooding ?
You can increase arp cache table size:
echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
It'll make your box handle arpfloods more easily (at least DoS part).
You can also use static arp entries (man arp). This will ensure known
computers will always have access to (through) your router (even with
arpflood in progress).
Two solutions mentioned above cope with "Neighbour table overflow" and
problems with accessibility to other legitimate users. They
don't cope however with router's cpu utilisation...
Hope that helps.
Marek Kierdelewicz
KoBa ISP
* Re: [LARTC] arp flood (offtopic?)
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
2005-10-19 14:51 ` Carl-Daniel Hailfinger
2005-10-19 18:04 ` Marek Kierdelewicz
@ 2005-10-19 20:55 ` Alex
2005-10-19 22:09 ` Carl-Daniel Hailfinger
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Alex @ 2005-10-19 20:55 UTC (permalink / raw)
To: lartc
This is what I do to avoid "Neighbor table overflow" :
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
I should mention that I don't get the message Neighbor table overflow, at
least with these settings, don't know with default.
Now the thing is that the load average goes up to 30 and the gateway doesn't
even respond to ping after a while.
The arp-requests are not only for ips that are assigned to hosts but even
for un-allocated ips in the same subnet.
Maybe dividing into multiple vlans would be a better idea?
Regards,
Alex
----- Original Message -----
From: "Marek Kierdelewicz" <marek@piasta.pl>
To: <lartc@mailman.ds9a.nl>
Sent: Wednesday, October 19, 2005 9:04 PM
Subject: Re: [LARTC] arp flood (offtopic?)
>> Hi guys,
>
> Hi
>
>>
>> Sorry if this is a little offtopic, but I was wondering what can one
>> do to prevent/stop arp flooding ?
>
> You can increase arp cache table size:
>
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> It'll make your box handle arpfloods more easily (at least DoS part).
>
> You can also use static arp entries (man arp). This will ensure known
> computers will always have access to (through) your router (even with
> arpflood in progress).
>
>
> Two solutions mentioned above cope with "Neighbour table overflow" and
> problems with accessibility to other legitimate users. They
> don't cope however with router's cpu utilisation...
>
> Hope that helps.
>
> Marek Kierdelewicz
> KoBa ISP
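The neighbour-table sizing and static entries discussed in the two posts above, as an added example that is not code from the thread. It writes the thresholds with sysctl rather than echo and uses the iproute2 form of "arp -s"; it refuses thresholds that are not strictly increasing (the slip of writing all three values to gc_thresh1), and it only prints the commands unless APPLY=1 is set, since applying them needs root. The interface name, address and MAC are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: neighbour-table sizing and
# static entries for an ARP flood. Commands are printed by default and
# executed only when APPLY=1 (needs root). Names and values are made up.

# Print the gc_thresh writes after checking gc_thresh1 < gc_thresh2 < gc_thresh3.
# gc_thresh3 is the hard limit whose overflow logs "Neighbour table overflow";
# writing all three values to gc_thresh1 leaves that limit unchanged.
neigh_thresholds() {
    t1=$1; t2=$2; t3=$3
    if [ "$t1" -ge "$t2" ] || [ "$t2" -ge "$t3" ]; then
        echo "error: need gc_thresh1 < gc_thresh2 < gc_thresh3, got $t1 $t2 $t3" >&2
        return 1
    fi
    printf 'sysctl -w net.ipv4.neigh.default.gc_thresh1=%s\n' "$t1"
    printf 'sysctl -w net.ipv4.neigh.default.gc_thresh2=%s\n' "$t2"
    printf 'sysctl -w net.ipv4.neigh.default.gc_thresh3=%s\n' "$t3"
}

# Print a permanent neighbour entry (the iproute2 form of "arp -s") so a
# known host stays reachable through the router while the table is flooded.
static_neigh() {
    dev=$1; ip=$2; mac=$3
    case "$mac" in
        ??:??:??:??:??:??) ;;
        *) echo "error: MAC must be xx:xx:xx:xx:xx:xx, got '$mac'" >&2; return 1 ;;
    esac
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$ip" "$mac" "$dev"
}

# The plan for one router: the thresholds from the thread plus one pinned
# host (hypothetical interface, address and MAC).
plan() {
    neigh_thresholds 1024 4096 8192 &&
    static_neigh eth0 192.0.2.10 00:11:22:33:44:55
}

if [ "${APPLY:-0}" = 1 ]; then
    plan | sh -e
else
    plan
fi
```

Permanent entries are never garbage-collected, so every host you pin occupies a slot below gc_thresh3 for good; pin only the hosts that must stay reachable, and remember that neither measure reduces the CPU spent answering the flood.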
* Re: [LARTC] arp flood (offtopic?)
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
` (2 preceding siblings ...)
2005-10-19 20:55 ` Alex
@ 2005-10-19 22:09 ` Carl-Daniel Hailfinger
2005-10-20 8:33 ` Oscar Mechanic
2005-10-20 22:19 ` Peter Surda
5 siblings, 0 replies; 7+ messages in thread
From: Carl-Daniel Hailfinger @ 2005-10-19 22:09 UTC (permalink / raw)
To: lartc
Alex schrieb:
> Now the thing is that the load average goes up to 30 and the gateway
> doesn't even respond to ping after a while.
> The arp-requests are not only for ips that are assigned to hosts but
> even for un-allocated ips in the same subnet.
Ah. Classical problem. There are only two realistic explanations for it:
- the source of the arp flood is scanning the local net
- the source of the arp flood has been infected with a virus.
In my experience, only viruses generate real floods, scans are much more
friendly to the network. So just clean the viruses from the flooding
machines.
> Maybe dividing into multiple vlans would be a better idea?
Yes, that would somewhat help, but not solve the problem completely.
Besides, I'd go for fixing the real problem instead of some symptoms.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
* Re: [LARTC] arp flood (offtopic?)
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
` (3 preceding siblings ...)
2005-10-19 22:09 ` Carl-Daniel Hailfinger
@ 2005-10-20 8:33 ` Oscar Mechanic
2005-10-20 22:19 ` Peter Surda
5 siblings, 0 replies; 7+ messages in thread
From: Oscar Mechanic @ 2005-10-20 8:33 UTC (permalink / raw)
To: lartc
Has anyone tried ebtables and the limit target to control the rate?
On Thu, 2005-10-20 at 00:09 +0200, Carl-Daniel Hailfinger wrote:
> Alex schrieb:
> > Now the thing is that the load average goes up to 30 and the gateway
> > doesn't even respond to ping after a while.
> > The arp-requests are not only for ips that are assigned to hosts but
> > even for un-allocated ips in the same subnet.
>
> Ah. Classical problem. There are only two realistic explanations for it:
> - the source of the arp flood is scanning the local net
> - the source of the arp flood has been infected with a virus.
> In my experience, only viruses generate real floods, scans are much more
> friendly to the network. So just clean the viruses from the flooding
> machines.
>
> > Maybe dividing into multiple vlans would be a better idea?
>
> Yes, that would somewhat help, but not solve the problem completely.
> Besides, I'd go for fixing the real problem instead of some symptoms.
>
>
> Regards,
> Carl-Daniel
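One way to do what the question above asks, as an added example that is not from the thread: a user chain that lets ARP requests through a token bucket with the ebtables limit match and drops the rest. The interface, rate and burst are assumptions, and the commands are only printed unless APPLY=1 is set (applying them needs root).

```shell
#!/bin/sh
# Added example, not code from the thread: rate-limit ARP requests reaching a
# Linux bridge with ebtables. Interface name, rate and burst are assumptions;
# commands are printed, and executed only when APPLY=1 (needs root).

# "limit" is a match in ebtables, not a target: requests inside the token
# bucket RETURN to the caller and are accepted, the excess hits DROP. Replies
# are not limited, so answers to the router's own queries still get through.
arp_ratelimit_rules() {
    dev=$1; rate=$2; burst=$3
    case "$rate" in
        [0-9]*/s*|[0-9]*/m*|[0-9]*/h*|[0-9]*/d*) ;;
        *) echo "error: rate must look like 30/second or 200/minute, got '$rate'" >&2; return 1 ;;
    esac
    case "$burst" in
        [0-9]*) ;;
        *) echo "error: burst must be a number, got '$burst'" >&2; return 1 ;;
    esac
    cat <<EOF
ebtables -N ARPLIMIT 2>/dev/null || ebtables -F ARPLIMIT
ebtables -A ARPLIMIT --limit $rate --limit-burst $burst -j RETURN
ebtables -A ARPLIMIT -j DROP
ebtables -D INPUT -p ARP -i $dev --arp-opcode Request -j ARPLIMIT 2>/dev/null
ebtables -A INPUT -p ARP -i $dev --arp-opcode Request -j ARPLIMIT
EOF
}

# eth0 is assumed to be the bridge port facing the flooding LAN.
if [ "${APPLY:-0}" = 1 ]; then
    arp_ratelimit_rules eth0 30/second 100 | sh -e
else
    arp_ratelimit_rules eth0 30/second 100
fi
```

Two caveats. ebtables only sees frames on bridge ports, so this protects a bridging router; on a plain routed interface the counterpart is arptables. And the bucket is shared, not per source: it caps the CPU the router spends on ARP, but a flooding host still takes most of the allowed rate, so legitimate requests still get lost and the advice earlier in the thread to find and disconnect the host stands.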
* Re: [LARTC] arp flood (offtopic?)
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
` (4 preceding siblings ...)
2005-10-20 8:33 ` Oscar Mechanic
@ 2005-10-20 22:19 ` Peter Surda
5 siblings, 0 replies; 7+ messages in thread
From: Peter Surda @ 2005-10-20 22:19 UTC (permalink / raw)
To: lartc
On Wed, 19 Oct 2005 17:44:49 +0300 "Alex" <alex@hostingcenter.ro> wrote:
>Hi guys,
Hi,
>Sorry if this is a little offtopic, but I was wandering what can one do to
>prevent/stop arp flooding ?
As Carl-Daniel already said, the proper way to do this is to clean all the
machines from worms.
I have some tips on how to do this. I am the author of ASPE (Automatic Security
Policy Enforcement), and two of its modules are quite useful for this:
aspe.arpflood and aspe.vulncheck. Unfortunately, ASPE is developed only as a
part of a whole linux distribution so using it on other distributions isn't
straightforward, but fortunately, you don't have to run ASPE on a router, just
put it on some old box (Pentium I with 64MB RAM and one network card should be
sufficient) somewhere on the LAN.
During the last 2 months there has been a substantial rewrite to make ASPE more
configurable, which also had the effect that it is more complex to set up.
Complete and current configuration docs are available here:
http://docs.shurdix.org/aspe:config , but there are no examples yet which makes
it difficult to understand. There is also a short intro, but only in German:
http://shurdeek.shurdix.org/tmp/ASPE.pdf
So I'll post some info here, I hope people won't mind because in my experience a
lot of sites have this problem and I have been working on ASPE for about 2 years
now so it's been tested in action. It's licensed under GPL.
ASPE works like this: there are modules (4 at the moment) and they detect stuff
(both active and passive) and you can define actions it should do when a certain
amount (per IP) of them occurs. The 2 modules for the mentioned problem are:
aspe.arpflood: detects computers that are looking for computers that don't
exist. It uses PCAP to capture ARP requests. An ARP request looks like this:
who has A tell B
This tells us 2 things: A is looking for B, and A exists. Next time it sees
something like
who has B tell C
it won't be considered part of a flood because it remembers that B exists (IPs
time out after one day of inactivity).
If a computer has been constantly looking for non-existing computers for a
substantial amount of time (configurable) it is considered to be flooding. It is
able to catch worms that scan the network slowly as well.
aspe.vulncheck: looks for Windows computers that are not patched against Sasser.
It has very low overhead (both CPU and network), as large parts are passive, but
high effectiveness.
The actions are:
(these work without any requirements):
- send an email to admin
- notify the computer via winpopup
- execute an external program
(these work only when you use Shurdix' user management)
- send an email to the owner of the computer
- block/unblock internet access
If you can hack up a script that blocks the correct switch port, you can use the
"exec", if not, you can use "mailadmin" (the triggers are not exclusive so you
can use both at the same time too). Here is what the config could look like in
your situation:
/etc/sysconfig/aspe.vulncheck:
dev=eth0
# don't scan more frequently than once an hour
maxfreq=3600
action_vulnerable_timeout=86400
action_patched_timeout=86400
# notify him/her constantly if vulnerable
action_vulnerable_notifyperson_count=*
action_vulnerable_notifyperson_method=winpopup
action_vulnerable_notifyperson_msg=Your computer is vulnerable to the Sasser
Worm. Please visit http://windowsupdate.microsoft.com and update your system.
# thank if patched (don't worry, this will REALLY only be triggered once, not
# every time the computer connects to the network :-))
action_patched_notifyperson_count=1
action_patched_notifyperson_method=winpopup
action_patched_notifyperson_msg=Thank you for updating your system and keeping
our network safe.
/etc/sysconfig/aspe.arpflood:
#if you want to ignore some computers uncomment next line
#ignore=1.2.3.4
dev=eth0
# 24 hours
action_arp_timeout=86400
# 3 per minute
action_arp_mtba=20
# after about 10 minutes it's a flood
action_arp_inform_count=30
action_arp_inform_method=mailadmin
action_arp_inform_subj=aspe.arpflood report
action_arp_inform_msg=$ip is flooding
# if you have a script that blocks the switch:
action_arp_kickhim_count=30
action_arp_kickhim_method=exec
action_arp_kickhim_exec=/root/kickhim.sh $ip
/etc/sysconfig/mail:
sender=who@you.want.the.mails.to.be.coming.from
root=admin@email.address
# if you need a relay uncomment following line
#relay=1.2.5.6
For monitoring, grep logs for "aspe", every hit of a defined trigger is logged
(which is usually different from "every occurrence of a problem").
I hope it helps and isn't too confusing. If you have questions, I recommend you
post into the ASPE forum: http://forum.shurdix.org/viewforum.php?f=3 (you can
post in English of course).
>Thanks,
>
>Alex
Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls
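The aspe.arpflood heuristic described in the post above, as an added example in shell and awk that is neither ASPE's code nor from the post: a host that sends a request proves it exists, and a request for a target nobody has been seen using counts as a miss against the sender; senders whose misses reach a threshold are reported. It reads the text output of "tcpdump -ttni eth0 arp", and it also treats an ARP reply as proof that the replying address exists, which goes a little beyond what the post describes. The capture lines are constructed for the example, not a real trace.

```shell
#!/bin/sh
# Added example, not ASPE's code and not from the post: flag hosts that keep
# asking for addresses no one has ever been seen using, the heuristic the
# post describes. Input is "tcpdump -ttni <dev> arp" output; the sample below
# is constructed, not a real capture.

# Report senders with at least $1 (default 30) requests for never-seen targets.
# A host proves it exists by sending a request or a reply; a request for a
# target not yet proven counts as a miss against the sender (a later proof
# does not rewrite earlier misses, the same streaming view the post has).
arp_flooders() {
    awk -v thr="${1:-30}" '
    $3 == "Request" && $4 == "who-has" {
        target = $5; sender = $7; sub(/,$/, "", sender)
        seen[sender] = 1
        if (target in seen) hit[sender]++; else miss[sender]++
        if (!(sender in first)) first[sender] = $1
        last[sender] = $1
        next
    }
    $3 == "Reply" && $5 == "is-at" { seen[$4] = 1 }
    END {
        for (s in miss)
            if (miss[s] >= thr)
                printf "%s misses=%d hits=%d span=%.0fs\n",
                       s, miss[s], hit[s] + 0, last[s] - first[s]
    }'
}

# Constructed capture: 192.0.2.250 sweeps 40 unused addresses one per second,
# 192.0.2.1 resolves a live host (which answers) and misses once more.
sample_capture() {
    i=0
    while [ "$i" -lt 40 ]; do
        printf '%d.000000 ARP, Request who-has 192.0.2.%d tell 192.0.2.250, length 28\n' \
            $((1129740000 + i)) $((100 + i))
        i=$((i + 1))
    done
    echo '1129740001.500000 ARP, Request who-has 192.0.2.5 tell 192.0.2.1, length 28'
    echo '1129740001.600000 ARP, Reply 192.0.2.5 is-at 00:11:22:33:44:55, length 28'
    echo '1129740002.000000 ARP, Request who-has 192.0.2.5 tell 192.0.2.1, length 28'
    echo '1129740003.000000 ARP, Request who-has 192.0.2.66 tell 192.0.2.1, length 28'
}

# Stand-alone: analyse the constructed sample. On a router you would instead run
#   tcpdump -ttni eth0 arp | arp_flooders 30
sample_capture | arp_flooders 30
```

The threshold plays the role of action_arp_inform_count in the post's config; because the script counts rather than times, a slow scanner is caught once its misses accumulate, whatever the rate. A host that legitimately probes unused addresses (a monitoring box, a DHCP server doing conflict detection) will also accumulate misses, which is what the post's ignore= setting is for.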
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
2005-10-19 14:51 ` Carl-Daniel Hailfinger
2005-10-19 18:04 ` Marek Kierdelewicz
2005-10-19 20:55 ` Alex
2005-10-19 22:09 ` Carl-Daniel Hailfinger
2005-10-20 8:33 ` Oscar Mechanic
2005-10-20 22:19 ` Peter Surda