[nSLUG] Problems with Eastlink Hosting Multiple IPs on One Network Interface

Dop Ganger nslug at fop.ns.ca
Tue Nov 15 08:35:29 AST 2005

On Mon, 14 Nov 2005, Jim Campbell wrote:

> I would be interested in hearing reports from anybody else out there with a 
> similar network arrangement (Linux 2.4 kernel aliasing static IPs) with 
> Eastlink. Does it work for you?

I have a data connection from Eastlink over fibre at the office with a 
machine running a 2.4 kernel with 10 aliased IPs without any problem. 
However, it's not doing NAT. Running tcpdump on the connection shows next 
to no ARP traffic - just local traffic from the router. On my machine at 
home on a regular cable connection, there are floods of ARP traffic. I 
believe this is mostly down to worm traffic - Eastlink and Aliant are both 
infested with worms that are trying to infect local machines.

The Cyberguard appliance should be ignoring any arps unless they're 
explicitly directed to its IP address. My suspicion is that the Eastlink 
routers are being overloaded by the amount of arp traffic, since a tcpdump 

08:24:30.550801 arp who-has tell
08:24:30.568189 arp who-has tell
08:24:30.569149 arp who-has tell
08:24:30.569580 arp who-has tell
08:24:30.578300 arp who-has tell
08:24:30.596094 arp who-has tell
08:24:30.598236 arp who-has tell
08:24:30.599132 arp who-has tell
08:24:30.602338 arp who-has tell
08:24:30.623430 arp who-has tell
08:24:30.656985 arp who-has tell
08:24:30.703477 arp who-has tell
08:24:30.747711 arp who-has tell
08:24:30.748164 arp who-has tell
08:24:30.772032 arp who-has tell
08:24:30.773855 arp who-has tell
08:24:30.805471 arp who-has tell
08:24:30.816990 arp who-has tell
08:24:30.843857 arp who-has tell
08:24:30.879858 arp who-has tell

shows what looks like pretty much entirely routers (tell *.*.*.1) apart 
from a few misconfigured firewalls (192.168.*.*). This has been going on 
for quite a while, but increasing worm activity has probably started to 
overload the routers. Checking my logs, 64 Eastlink IP addresses 
( tried to attack the server on known worm ports yesterday. 
Consider that these 64 machines are running pretty much non-stop trying to 
infect other machines, and there is the probable cause of all the ARP 

Cheers... Dop.
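
The tally the message above makes by eye from the tcpdump output can be scripted; this is an added example, not part of the original post. The capture lines are constructed (documentation and private addresses only), the function names are hypothetical, and treating a sender ending in .1 as a router is an assumption that follows the post's reading. It also assumes the capture does not cross midnight.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# tcpdump -n ARP request: "<HH:MM:SS.usec> arp who-has <target> tell <sender>"
ARP_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) arp who-has (\S+) tell (\S+)$")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture, not data from the post.
SAMPLE = """\
08:24:30.550801 arp who-has 198.51.100.23 tell 198.51.100.1
08:24:30.568189 arp who-has 198.51.100.87 tell 198.51.100.1
08:24:30.569149 arp who-has 203.0.113.14 tell 203.0.113.1
08:24:30.578300 arp who-has 192.168.1.1 tell 192.168.1.100
08:24:30.596094 arp who-has 203.0.113.201 tell 203.0.113.1
08:24:30.602338 arp who-has 198.51.100.140 tell 198.51.100.77
08:24:30.879858 arp who-has 198.51.100.9 tell 198.51.100.1
"""

def classify(sender):
    """Bucket the requesting ('tell') address."""
    ip = ip_address(sender)          # raises ValueError on garbage
    if any(ip in net for net in RFC1918):
        return "private"             # RFC 1918 source leaking onto the segment
    if sender.endswith(".1"):
        return "gateway"             # assumption: .1 is the subnet's router
    return "host"                    # ordinary host asking for a neighbour

def summarize(text):
    """Return (Counter of sender classes, requests per second, skipped lines)."""
    counts, stamps, skipped = Counter(), [], 0
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        try:
            kind = classify(m.group(6)) if m else None
        except ValueError:
            kind = None
        if kind is None:             # redacted, truncated or non-ARP line
            skipped += 1
            continue
        h, mi, s, us = (int(g) for g in m.groups()[:4])
        stamps.append(h * 3600 + mi * 60 + s + us / 1e6)
        counts[kind] += 1
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0.0
    rate = len(stamps) / span if span > 0 else 0.0
    return counts, rate, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high request rate dominated by the "gateway" class points at routers resolving addresses for inbound scans, while "private" senders indicate misconfigured devices on the segment.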

