Date: Sun, 06 Apr 2008 19:10:17 +0300
From: Andriy Gapon <avg@icyb.net.ua>
To: freebsd-net@freebsd.org
Subject: arplookup 10.0.0.68 failed: host is not on local network
Message-ID: <47F8F5E9.6060303@icyb.net.ua>

My message log is spammed with thousands of messages like those quoted below, to the extent that this could be considered some form of an attack.

kernel: arplookup 10.0.0.68 failed: host is not on local network
kernel: arplookup 10.0.0.6 failed: host is not on local network
kernel: arplookup 10.0.0.68 failed: host is not on local network
kernel: arplookup 10.0.0.6 failed: host is not on local network

I wasn't there to see how this started, but I was able to monitor a little bit of the process and here are my uneducated guesses. Uneducated because I didn't examine sources yet.

There should not be any hosts with 10.0.0.0/24 addresses on this network. There are no special routes for it on my machine, outgoing packets should go to 'default'.

I suspect that this was triggered when an offending machine sent an arp response packet (that was unasked for) to my machine saying that 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it broadcast an arp request asking to tell my MAC address to that machine. And I suspect that it tricked the OS into (almost endlessly) trying to do an arp lookup for that 10.0.0.X address. But updating the arp table failed for the obvious reason.

I saw with tcpdump that my machine indeed sent an arp request for the 10.0.0.X address.

I see two issues here:
1. we should not send arp requests for addresses that are not supposed to be on the local network(s)
2. there is no way to disable or throttle the log messages

--
Andriy Gapon
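
A log-triage sketch for the kernel messages quoted in the message above, added here as an example and not part of the original e-mail: it counts arplookup failures per address and flags addresses that are both outside the host's configured subnets and repeated often. The syslog timestamps, the hostname `gw`, the local subnet 192.168.1.0/24 and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the kernel message format quoted in the e-mail.
ARPLOOKUP_RE = re.compile(
    r"kernel: arplookup (\d{1,3}(?:\.\d{1,3}){3}) failed: "
    r"host is not on local network"
)

def summarize_arplookup_failures(lines, local_networks, threshold=3):
    """Count arplookup failures per address and flag noisy off-link ones.

    local_networks: CIDR strings for the subnets configured on the host's
    interfaces (assumed to be supplied by the operator).
    Returns {address: {"count": n, "on_link": bool, "flag": bool}}.
    """
    nets = [ipaddress.ip_network(n) for n in local_networks]
    counts = Counter()
    for line in lines:
        m = ARPLOOKUP_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # corrupted line, e.g. an octet above 255
        counts[addr] += 1
    report = {}
    for addr, n in counts.items():
        # on_link True would point at a netmask or route misconfiguration
        # rather than a foreign address being announced on the segment.
        on_link = any(addr in net for net in nets)
        report[str(addr)] = {"count": n, "on_link": on_link,
                             "flag": (not on_link) and n >= threshold}
    return report

# Constructed sample input (timestamps and hostname are made up).
SAMPLE_LOG = [
    "Apr  6 18:55:01 gw kernel: arplookup 10.0.0.68 failed: host is not on local network",
    "Apr  6 18:55:01 gw kernel: arplookup 10.0.0.6 failed: host is not on local network",
    "Apr  6 18:55:02 gw kernel: arplookup 10.0.0.68 failed: host is not on local network",
    "Apr  6 18:55:02 gw kernel: arplookup 10.0.0.6 failed: host is not on local network",
    "Apr  6 18:55:03 gw kernel: arplookup 10.0.0.68 failed: host is not on local network",
    "Apr  6 18:55:03 gw sshd[812]: unrelated line that must be ignored",
]

if __name__ == "__main__":
    report = summarize_arplookup_failures(SAMPLE_LOG, ["192.168.1.0/24"])
    for addr, info in sorted(report.items()):
        print(addr, info)
```
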