From: Andriy Gapon <avg@icyb.net.ua>
To: freebsd-net@freebsd.org
Date: Sun, 06 Apr 2008 19:10:17 +0300
Message-ID: <47F8F5E9.6060303@icyb.net.ua>
Subject: arplookup 10.0.0.68 failed: host is not on local network

My message log is spammed with thousands of messages like those quoted below, to the extent that this could be considered some form of an attack.

    kernel: arplookup 10.0.0.68 failed: host is not on local network
    kernel: arplookup 10.0.0.6 failed: host is not on local network
    kernel: arplookup 10.0.0.68 failed: host is not on local network
    kernel: arplookup 10.0.0.6 failed: host is not on local network

I wasn't there to see how this started, but I was able to monitor a little bit of the process, and here are my uneducated guesses. Uneducated because I didn't examine the sources yet.

There should not be any hosts with 10.0.0.0/24 addresses on this network. There are no special routes for it on my machine; outgoing packets should go to 'default'.

I suspect that this was triggered when an offending machine sent an arp response packet (that was unasked for) to my machine saying that 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it broadcast an arp request asking to tell my MAC address to that machine. And I suspect that it tricked the OS into (almost endlessly) trying to do an arp lookup for that 10.0.0.X address. But updating the arp table failed for the obvious reason. I saw with tcpdump that my machine indeed sent an arp request for the 10.0.0.X address.

I see two issues here:

1. we should not send arp requests for addresses that are not supposed to be on the local network(s)
2. there is no way to disable or throttle the log messages

-- 
Andriy Gapon
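The two complaints in the post (the kernel resolving addresses that cannot be on the link, and no way to throttle the resulting log flood) can both be handled on the logging side. The script below is an added example, not part of the post or of FreeBSD: it parses "arplookup ... failed" kernel lines from syslog, counts failures per target address, flags the addresses that lie outside the subnets the operator configures (the CIDR list and the sample log lines, including the 192.168.1.20 entry, timestamps and hostname, are constructed for the example), and applies a per-address rate limit so a burst of identical lines collapses into one line plus a suppression count.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the kernel messages quoted in the
# post; the timestamps, the hostname and the 192.168.1.20 entry are made up.
SAMPLE_LOG = """\
Apr  6 19:01:02 edge kernel: arplookup 10.0.0.68 failed: host is not on local network
Apr  6 19:01:02 edge kernel: arplookup 10.0.0.6 failed: host is not on local network
Apr  6 19:01:03 edge kernel: arplookup 10.0.0.68 failed: host is not on local network
Apr  6 19:01:03 edge kernel: arplookup 10.0.0.6 failed: host is not on local network
Apr  6 19:01:04 edge kernel: arplookup 192.168.1.20 failed: host is not on local network
"""

# Matches the message text of the kernel line and captures the dotted-quad target.
ARPLOOKUP_RE = re.compile(
    r"arplookup (\d{1,3}(?:\.\d{1,3}){3}) failed: host is not on local network"
)


def count_arplookup_failures(log_text):
    """Count arplookup failures per target address (keys are dotted-quad strings)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARPLOOKUP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def off_link_addresses(counts, local_nets):
    """Return, sorted, the addresses the kernel tried to resolve that fall outside
    every configured local subnet. local_nets is a list of CIDR strings; it is an
    assumption of this example that the caller supplies its own interface prefixes."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    result = []
    for addr in counts:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            result.append(addr)
    return sorted(result)


def throttle_log(log_text, max_per_address=1):
    """Pass through at most max_per_address arplookup lines per target address and
    count the rest, the way a per-address rate limit in the logger would. Lines that
    are not arplookup failures pass through untouched. Returns (kept_lines, suppressed)."""
    seen = Counter()
    suppressed = Counter()
    kept = []
    for line in log_text.splitlines():
        m = ARPLOOKUP_RE.search(line)
        if not m:
            kept.append(line)
            continue
        addr = m.group(1)
        seen[addr] += 1
        if seen[addr] <= max_per_address:
            kept.append(line)
        else:
            suppressed[addr] += 1
    return kept, suppressed


if __name__ == "__main__":
    counts = count_arplookup_failures(SAMPLE_LOG)
    print("failures per address:", dict(counts))
    # 192.168.1.0/24 stands in for the machine's real interface prefix.
    print("off-link addresses:", off_link_addresses(counts, ["192.168.1.0/24"]))
    kept, suppressed = throttle_log(SAMPLE_LOG, max_per_address=1)
    print("lines kept after throttling:", len(kept))
    print("suppressed per address:", dict(suppressed))
```

Feeding the real /var/log/messages through throttle_log gives a view of which off-link addresses are being probed and how often, without the repeated lines; comparing those addresses against the interface prefixes is the check the post says the kernel should have made before sending the arp request in the first place.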