[nSLUG] Problems with Eastlink Hosting Multiple IPs on One Network Interface

Dop Ganger nslug at fop.ns.ca
Tue Nov 15 08:35:29 AST 2005


On Mon, 14 Nov 2005, Jim Campbell wrote:

> I would be interested in hearing reports from anybody else out there with a 
> similar network arrangement (Linux 2.4 kernel aliasing static IPs) with 
> Eastlink. Does it work for you?

I have a data connection from Eastlink over fibre at the office with a 
machine running a 2.4 kernel with 10 aliased IPs without any problem. 
However, it's not doing NAT. Running tcpdump on the connection shows next 
to no ARP traffic - just local traffic from the router. On my machine at 
home on a regular cable connection, there are floods of ARP traffic. I 
believe this is mostly down to worm traffic - Eastlink and Aliant are both 
infested with worms that are trying to infect local machines.

The Cyberguard appliance should be ignoring any ARPs unless they're 
explicitly directed to its IP address. My suspicion is that the Eastlink 
routers are being overloaded by the amount of ARP traffic, since a tcpdump 
snippet:

08:24:30.550801 arp who-has 24.222.9.41 tell 24.222.9.1
08:24:30.568189 arp who-has 24.222.177.132 tell 24.222.176.1
08:24:30.569149 arp who-has 24.222.178.130 tell 24.222.176.1
08:24:30.569580 arp who-has 24.222.176.219 tell 24.222.176.1
08:24:30.578300 arp who-has 24.222.9.245 tell 24.222.9.1
08:24:30.596094 arp who-has 192.168.155.93 tell 192.168.155.1
08:24:30.598236 arp who-has 24.222.179.121 tell 24.222.176.1
08:24:30.599132 arp who-has 24.222.9.183 tell 24.222.9.1
08:24:30.602338 arp who-has 24.222.158.117 tell 24.222.156.1
08:24:30.623430 arp who-has 24.222.159.178 tell 24.222.156.1
08:24:30.656985 arp who-has 24.222.9.104 tell 24.222.9.1
08:24:30.703477 arp who-has 192.168.157.251 tell 192.168.157.1
08:24:30.747711 arp who-has 24.222.158.130 tell 24.222.156.1
08:24:30.748164 arp who-has 24.222.9.200 tell 24.222.9.1
08:24:30.772032 arp who-has 192.168.228.106 tell 192.168.228.1
08:24:30.773855 arp who-has 192.168.228.244 tell 192.168.228.1
08:24:30.805471 arp who-has 24.222.159.14 tell 24.222.156.1
08:24:30.816990 arp who-has 24.222.156.73 tell 24.222.156.1
08:24:30.843857 arp who-has 24.222.30.232 tell 24.222.30.1
08:24:30.879858 arp who-has 24.222.9.117 tell 24.222.9.1

shows what looks like pretty much entirely routers (tell *.*.*.1) apart 
from a few misconfigured firewalls (192.168.*.*). This has been going on 
for quite a while, but increasing worm activity has probably started to 
overload the routers. Checking my logs, 64 Eastlink IP addresses 
(24.222.0.0) tried to attack the server on known worm ports yesterday. 
Consider that these 64 machines are running pretty much non-stop trying to 
infect other machines, and there is the probable cause of all the ARP 
requests.

Cheers... Dop.
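
A way to check the pattern described in the message above against a longer capture, as an added example that is not part of the original post: it tallies ARP requests per requesting address, lists requesters in private (RFC 1918) space, and estimates the request rate. The function name summarize_arp and the output keys are illustrative, and timestamps are assumed not to cross midnight.

```python
import ipaddress
import re
from collections import Counter

# Eight lines copied from the tcpdump snippet in the post above.
SAMPLE = """\
08:24:30.550801 arp who-has 24.222.9.41 tell 24.222.9.1
08:24:30.568189 arp who-has 24.222.177.132 tell 24.222.176.1
08:24:30.569149 arp who-has 24.222.178.130 tell 24.222.176.1
08:24:30.578300 arp who-has 24.222.9.245 tell 24.222.9.1
08:24:30.596094 arp who-has 192.168.155.93 tell 192.168.155.1
08:24:30.602338 arp who-has 24.222.158.117 tell 24.222.156.1
08:24:30.703477 arp who-has 192.168.157.251 tell 192.168.157.1
08:24:30.879858 arp who-has 24.222.9.117 tell 24.222.9.1
"""

# Matches the "arp who-has X tell Y" lines shown in the post and the
# "ARP, Request who-has X tell Y, length N" form printed by newer tcpdump.
ARP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) .*?who-has (\S+) tell ([^\s,]+)")

def summarize_arp(text):
    """Tally ARP requests per requester, flag RFC 1918 requesters, give a rate."""
    senders, targets, stamps = Counter(), set(), []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # replies, IP traffic, blank lines
        hh, mm, ss, target, sender = m.groups()
        try:
            ipaddress.ip_address(target)
            ipaddress.ip_address(sender)
        except ValueError:
            continue  # a hostname or garbage where an address was expected
        senders[sender] += 1
        targets.add(target)
        stamps.append(int(hh) * 3600 + int(mm) * 60 + float(ss))
    total = sum(senders.values())
    span = max(stamps) - min(stamps) if stamps else 0.0
    dot_one = sum(n for s, n in senders.items() if s.endswith(".1"))
    return {
        "total": total,
        "per_sender": senders,
        "distinct_targets": len(targets),
        # Requesters in private space should never be visible on the ISP side.
        "private_senders": sorted(s for s in senders if ipaddress.ip_address(s).is_private),
        "dot_one_share": dot_one / total if total else 0.0,
        "per_second": total / span if span > 0 else None,
    }
```

Feeding it the text output of a longer tcpdump run gives the per-requester counts and request rate to compare between a quiet link and a noisy one.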
