[nSLUG] Getting CPU cycles during an ARP storm

Donald Teed donald.teed at gmail.com
Sun Sep 18 18:10:28 ADT 2005


I have not learned yet what it was - it might have been some
DDOS virus or whatnot - perhaps something that
mapped a network. Or it might have been a driver
or hardware gone bezerck. If I remember right, I saw
17,000 packets/sec in ethereal and about 70% of
those were arp - some legit and most not.

On 9/18/05, Jason Kenney <jason at ohm.ath.cx> wrote:
> 
> Hmm.
> 
> The only type of attacks I am familiar with involving lots of arp packets
> are arp cache poisoning ones. I would be much more concerned about that,
> then a performance hit, but I think they only send arp packets about
> 1/second anyway, so maybe it is something else entirely.
> 
> 
> Jason
> 
> On Sun, 18 Sep 2005, Donald Teed wrote:
> 
> > I recently saw a network hit by some sort of arp flood. It was 
> noticeable
> > on both Windows and Linux desktop machines running local firewalls,
> > as the CPU cycles were hit moderately hard and it made
> > the Windowing and I/O interface less responsive. I suspect it was
> > software firewalls that which made the system load rise.
> >
> > I'd like to consider the various ways of making a system less
> > vulnerable to a performance hit like this.
> >
> > Some options are to replace the software firewall with a hardware one,
> > or to run a multiple CPU system so that one CPU takes on the firewalling
> > tasks. Does anyone have additional suggestions on how to allow
> > a system to remain useable throughout an ARP storm while
> > retaining a firewall?
> >
> >
> >
> >
> >
> >
> >
> 
> 
> 
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/cgi-bin/mailman/listinfo/nslug
> 
> 
> 
>


!DSPAM:432dd7c561321392520567!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nslug.ns.ca/mailman/private/nslug/attachments/20050918/0e44ec11/attachment-0002.html>


More information about the nSLUG mailing list