Date: Mon, 7 Apr 2008 08:59:23 -0400
From: Bill Moran <wmoran@collaborativefusion.com>
To: Andriy Gapon <avg@icyb.net.ua>
Cc: freebsd-net@freebsd.org
Subject: Re: arplookup 10.0.0.68 failed: host is not on local network
Message-ID: <20080407085923.42271757.wmoran@collaborativefusion.com>
In-Reply-To: <47F8F5E9.6060303@icyb.net.ua>
References: <47F8F5E9.6060303@icyb.net.ua>
In response to Andriy Gapon <avg@icyb.net.ua>:

> My message log is spammed with thousands of messages like the ones quoted
> below, to the extent that this could be considered some form of an attack.
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
>
> I wasn't there to see how this started, but I was able to monitor a
> little bit of the process and here are my uneducated guesses. Uneducated
> because I haven't examined the sources yet.
>
> There should not be any hosts with 10.0.0.0/24 addresses on this
> network. There are no special routes for it on my machine; outgoing
> packets should go to 'default'.
>
> I suspect that this was triggered when an offending machine sent an arp
> response packet (that was unasked for) to my machine saying that
> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it

That prefix belongs to Epox Computers. Any Epox motherboards on your network?

> broadcast an arp request asking to tell my MAC address to that machine.
> And I suspect that it tricked the OS into (almost endlessly) trying to
> do an arp lookup for that 10.0.0.X address. But updating the arp table
> failed for the obvious reason. I saw with tcpdump that my machine indeed
> sent an arp request for the 10.0.0.X address.
>
> I see two issues here:
> 1. we should not send arp requests for addresses that are not
> supposed to be on the local network(s)
> 2. there is no way to disable or throttle the log messages

I suspect this is operator error. You mention no details about your local
network, but I would guess that you have two separate IP ranges on a single
segment.

Has the "attack" ended? If not, grab some tcpdumps and see who's actually
sending those packets.

What IP address does this machine have? What's the network like that it's
connected to?
--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
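A worked triage script for the situation discussed in this thread, added here as an example; it is not code from either poster or from FreeBSD. It does the three things the exchange calls for: counts which addresses the kernel keeps failing to ARP for, models the "host is not on local network" check as a simple prefix test against the machine's directly attached networks, and reads `tcpdump -e -n arp` output to find which MAC is claiming or asking about those addresses. `LOCAL_PREFIXES` is an assumed interface configuration, and both the kernel log excerpt and the capture lines are constructed (the 00:04:61 prefix and the 10.0.0.x addresses come from the thread; the other MACs and addresses are invented).

```python
"""Triage helper for an 'arplookup ... host is not on local network' flood.

Added example; not code from the thread or from FreeBSD. All sample input is
constructed and LOCAL_PREFIXES is an assumed interface configuration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed: the IPv4 networks directly attached to this machine.
LOCAL_PREFIXES = ["192.168.1.0/24"]

# Constructed kernel log excerpt of the kind quoted in the thread.
KERNEL_LOG = """\
Apr  7 08:00:01 host kernel: arplookup 10.0.0.68 failed: host is not on local network
Apr  7 08:00:01 host kernel: arplookup 10.0.0.6 failed: host is not on local network
Apr  7 08:00:02 host kernel: arplookup 10.0.0.68 failed: host is not on local network
Apr  7 08:00:02 host kernel: arplookup 10.0.0.6 failed: host is not on local network
Apr  7 08:00:02 host kernel: arplookup 10.0.0.68 failed: host is not on local network
"""

# Constructed `tcpdump -e -n arp` output. The last line uses the newer
# "Request who-has ... , length 28" body style, the others the older "arp ..." style.
ARP_CAPTURE = """\
08:59:01.000001 00:04:61:01:23:45 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.10 tell 10.0.0.68
08:59:01.000002 00:04:61:01:23:45 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: arp reply 10.0.0.6 is-at 00:04:61:01:23:45
08:59:01.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.0.0.68 tell 192.168.1.10
08:59:01.000004 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.1 tell 192.168.1.20
08:59:02.000005 00:04:61:01:23:45 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.20 tell 10.0.0.68, length 28
"""

ARPLOOKUP_RE = re.compile(
    r"arplookup (\d+\.\d+\.\d+\.\d+) failed: host is not on local network")
ARP_FRAME_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: (?P<body>.*)$")
WHO_HAS_RE = re.compile(r"who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
IS_AT_RE = re.compile(r"(?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")


def count_arplookup_failures(log_text):
    """Count how often each address appears in the kernel's arplookup complaints."""
    return Counter(m.group(1) for m in ARPLOOKUP_RE.finditer(log_text))


def is_local(ip, prefixes=LOCAL_PREFIXES):
    """Simplified model of the check behind the kernel message: an address is
    'on local network' only if it falls inside a directly attached prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def parse_arp_frames(capture_text):
    """Yield (source MAC, ARP body) for every ARP frame line in the capture."""
    for line in capture_text.splitlines():
        m = ARP_FRAME_RE.match(line)
        if m:
            yield m.group("src_mac"), m.group("body")


def foreign_claims(capture_text, prefixes=LOCAL_PREFIXES):
    """Map each non-local IP that some station claims as its own (the sender
    address of a request, or the address in a reply) to the MACs claiming it.
    For a reply the MAC asserted in the payload is used, since that is what
    would end up in the ARP table."""
    claims = defaultdict(set)
    for src_mac, body in parse_arp_frames(capture_text):
        m = WHO_HAS_RE.search(body)
        if m:
            ip, mac = m.group("sender"), src_mac
        else:
            m = IS_AT_RE.search(body)
            if not m:
                continue
            ip, mac = m.group("ip"), m.group("mac")
        if not is_local(ip, prefixes):
            claims[ip].add(mac)
    return dict(claims)


def foreign_requests(capture_text, prefixes=LOCAL_PREFIXES):
    """Map each non-local IP being asked for (the who-has target) to the MACs
    asking: the 'my machine sent an arp request for 10.0.0.X' symptom."""
    asks = defaultdict(set)
    for src_mac, body in parse_arp_frames(capture_text):
        m = WHO_HAS_RE.search(body)
        if m and not is_local(m.group("target"), prefixes):
            asks[m.group("target")].add(src_mac)
    return dict(asks)


if __name__ == "__main__":
    print("arplookup failures per address:", dict(count_arplookup_failures(KERNEL_LOG)))
    print("non-local addresses claimed, by MAC:", foreign_claims(ARP_CAPTURE))
    print("non-local addresses requested, by asking MAC:", foreign_requests(ARP_CAPTURE))
```

On a real host, replace `ARP_CAPTURE` with the output of `tcpdump -e -n arp` on the affected interface and `LOCAL_PREFIXES` with the networks from `ifconfig`; the MACs listed under "claimed" are the stations to look for on the segment, and the MACs under "requested" should include only the complaining machine if the behaviour is as described in the thread.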