[nSLUG] Getting CPU cycles during an ARP storm

Stephen Gregory nslug at kernelpanic.ca
Sun Sep 18 18:55:56 ADT 2005

Donald Teed wrote:
> Some options are to replace the software firewall with a hardware one,
> or to run a multiple CPU system 

Hardware firewalls are a myth. All firewalls are software. All those 
Linksys boxes are just Linux on a 150 to 400 MHz CPU.

Dual CPUs can help; however, in your case the PCI bus may have been close 
to saturation, so no amount of CPU power would have helped. A dedicated 
firewall would have helped. It should packet filter only, no proxies, 
and have limits set on the amount of logging. A single-CPU Linux box would 
be sufficient.

I am a little concerned that you saw a large volume of ARP requests, and 
that those requests caused a denial of service. ARP is a local network 
protocol, so such an attack would indicate a local attack. ARP should 
also be handled by the network card and should not slow down the 
system. The only way an ARP storm would impact the CPU is if the network 
card was in promiscuous mode.
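The reply above argues that an ARP storm on a local segment points to a local source. One defensive follow-up is to measure the ARP request rate per sending MAC from a capture, so the offending host can be identified and isolated. The script below is an added example, not code from this thread or from either poster; it parses `tcpdump -n -e arp`-style lines (the sample lines are constructed, not a real capture), computes the peak requests per one-second sliding window for each source MAC, and reports sources above an illustrative threshold of 100 requests per second, which is an assumed value and not one stated in the thread.

```python
"""Flag ARP request storms per source MAC from tcpdump-style text.

Added example for the nSLUG thread; not part of the original post.
The line format mirrors `tcpdump -n -e arp` output, but every sample line
below is constructed for illustration.
"""
import re
from collections import defaultdict

# Matches lines such as (constructed):
# 12:00:00.000123 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806),
#   length 42: Request who-has 192.168.1.10 tell 192.168.1.1, length 28
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<us>\d{6}) "
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > .*?"
    r"Request who-has (?P<target>\S+) tell (?P<sender>\S+)"
)

# Assumed threshold: 100 ARP requests/second from one MAC is treated as a storm.
STORM_THRESHOLD = 100


def parse_ts(ts, us):
    """Convert HH:MM:SS and a microsecond field into seconds since midnight."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s + int(us) / 1e6


def arp_rates(lines, window=1.0):
    """Return {src_mac: peak number of ARP requests in any `window` seconds}."""
    per_src = defaultdict(list)
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:            # non-ARP or non-request lines are ignored
            continue
        per_src[m["src"]].append(parse_ts(m["ts"], m["us"]))

    rates = {}
    for src, times in per_src.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):
            # advance the window start until it lies within [t - window, t]
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        rates[src] = peak
    return rates


def storm_sources(lines, threshold=STORM_THRESHOLD, window=1.0):
    """MACs whose peak per-window ARP request count reaches the threshold."""
    return sorted(src for src, r in arp_rates(lines, window).items() if r >= threshold)


# Constructed sample: one host sends 150 requests in under half a second
# (a storm), a second host sends three ordinary requests over five seconds,
# and one non-ARP line is present to show it is skipped.
SAMPLE_LINES = [
    f"12:00:00.{i * 3000:06d} 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, "
    f"ethertype ARP (0x0806), length 42: Request who-has 192.168.1.{(i % 250) + 1} "
    f"tell 192.168.1.66, length 28"
    for i in range(150)
] + [
    "12:00:00.100000 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "12:00:02.500000 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 192.168.1.2 tell 192.168.1.20, length 28",
    "12:00:05.000000 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 192.168.1.3 tell 192.168.1.20, length 28",
    "12:00:05.200000 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
    "length 98: 192.168.1.20 > 192.168.1.66: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for mac, peak in sorted(arp_rates(SAMPLE_LINES).items()):
        print(f"{mac}: peak {peak} ARP requests/s")
    print("storm sources:", storm_sources(SAMPLE_LINES))
```

Run against a real capture by feeding `tcpdump -n -e -l arp` output into `arp_rates`; the per-source peak, rather than the raw total, is what separates a burst from a busy but healthy segment, and the threshold should be tuned to the segment's normal ARP rate.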
