From owner-freebsd-net@FreeBSD.ORG Mon Apr 7 13:09:42 2008
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D71C41065675; Mon, 7 Apr 2008 13:09:42 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id 9CB568FC1A; Mon, 7 Apr 2008 13:09:42 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from vanquish.ws.pitbpa0.priv.collaborativefusion.com (vanquish.ws.pitbpa0.priv.collaborativefusion.com [192.168.2.162]) (SSL: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Mon, 07 Apr 2008 09:00:06 -0400 id 00056453.47FA1AD6.0000686F
Date: Mon, 7 Apr 2008 08:59:23 -0400
From: Bill Moran
To: Andriy Gapon
Message-Id: <20080407085923.42271757.wmoran@collaborativefusion.com>
In-Reply-To: <47F8F5E9.6060303@icyb.net.ua>
References: <47F8F5E9.6060303@icyb.net.ua>
Organization: Collaborative Fusion
X-Mailer: Sylpheed 2.4.8 (GTK+ 2.12.8; i386-portbld-freebsd6.3)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: arplookup 10.0.0.68 failed: host is not on local network
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 07 Apr 2008 13:09:42 -0000

In response to Andriy Gapon:

> My message log is spammed with thousands of the messages like quoted
> below to the extent that this could be considered some form of an attack.
>
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
>
> I wasn't there to see how this started, but I was able to monitor a
> little bit of the process and here are my uneducated guesses. Uneducated
> because I didn't examine sources yet.
>
> There should not be any hosts with 10.0.0.0/24 addresses on this
> network. There are no special routes for it on my machine, outgoing
> packets should go to 'default'.
>
> I suspect that this was triggered when an offending machine sent an arp
> response packet (that was unasked for) to my machine saying that
> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it

That prefix belongs to Epox Computers. Any Epox motherboards on your
network?

> broadcast an arp request asking to tell my MAC address to that machine.
> And I suspect that it tricked the OS into (almost endlessly) trying to
> do an arp lookup for that 10.0.0.X address. But updating arp table
> failed for the obvious reason. I saw with tcpdump that my machine indeed
> sent an arp request for 10.0.0.X address.
>
> I see two issues here:
> 1. we should not send arp requests for the addresses that are not
> supposed to be on the local network(s)
> 2. there is no way to disable or throttle the log messages

I suspect this is operator error. You mention no details about your local
network, but I would guess that you have two separate IP ranges on a
single segment.

Has the "attack" ended? If not, grab some tcpdumps and see who's actually
sending those packets.

What IP address does this machine have? What's the network like that it's
connected to?

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
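The triage Bill suggests (correlate the kernel's arplookup complaints with a tcpdump of ARP traffic to find out who is announcing off-subnet addresses) can be scripted. The following is an added example and not code from the thread or from FreeBSD. It assumes syslog lines in the form quoted above, `tcpdump -n -e arp` output in tcpdump's usual "Reply X is-at MAC" / "Request who-has X tell Y" shape, and a list of the host's own configured prefixes; the sample lines and the 192.168.1.0/24 prefix are constructed for the example.

```python
"""Correlate FreeBSD 'arplookup ... failed' log spam with captured ARP frames.

Added example, not from the mailing-list thread. Assumptions:
  - syslog lines carry "arplookup <ip> failed: host is not on local network"
    exactly as the thread quotes them;
  - tcpdump lines follow the shape of `tcpdump -n -e arp` output, e.g.
      "<ts> <srcmac> > <dstmac>, ethertype ARP (0x0806), length 60: Reply
       10.0.0.68 is-at 00:04:61:01:23:45, length 46";
  - LOCAL_PREFIXES is what `ifconfig` reports on the affected host
    (constructed here as 192.168.1.0/24).
"""
import ipaddress
import re
from collections import Counter

ARPLOOKUP_RE = re.compile(r"arplookup ([0-9.]+) failed: host is not on local network")
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
ARP_REPLY_RE = re.compile(r"Reply ([0-9.]+) is-at (" + MAC + ")", re.I)
ARP_REQ_RE = re.compile(r"Request who-has ([0-9.]+) tell ([0-9.]+)", re.I)
SRC_MAC_RE = re.compile(r"(" + MAC + r") >", re.I)  # link-layer source printed by -e

# Constructed sample data mirroring the lines quoted in the thread.
SAMPLE_SYSLOG = [
    "Apr  6 21:13:01 host kernel: arplookup 10.0.0.68 failed: host is not on local network",
    "Apr  6 21:13:01 host kernel: arplookup 10.0.0.6 failed: host is not on local network",
    "Apr  6 21:13:02 host kernel: arplookup 10.0.0.68 failed: host is not on local network",
    "Apr  6 21:13:02 host kernel: arplookup 10.0.0.6 failed: host is not on local network",
]
SAMPLE_TCPDUMP = [
    "09:00:01.000001 00:04:61:01:23:45 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: "
    "Reply 10.0.0.68 is-at 00:04:61:01:23:45, length 46",
    "09:00:01.000002 00:04:61:01:23:45 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: "
    "Request who-has 192.168.1.10 tell 10.0.0.6, length 46",
    "09:00:01.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: "
    "Request who-has 192.168.1.1 tell 192.168.1.10, length 46",
]
LOCAL_PREFIXES = ["192.168.1.0/24"]  # constructed; read from ifconfig on a real host


def parse_local_prefixes(prefixes):
    """Turn "a.b.c.d/n" strings into network objects (interface addresses allowed)."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_local(addr, nets):
    """True if addr falls inside one of the host's configured prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def count_arplookup_failures(log_lines):
    """Count kernel arplookup failures per offending IP address."""
    failures = Counter()
    for line in log_lines:
        m = ARPLOOKUP_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return failures


def source_mac(line):
    m = SRC_MAC_RE.search(line)
    return m.group(1).lower() if m else ""


def suspicious_arp_frames(tcpdump_lines, local_nets):
    """Return (kind, off-subnet IP, sender MAC) for ARP frames that claim or
    announce an address outside the local prefixes."""
    findings = []
    for line in tcpdump_lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            if not is_local(ip, local_nets):
                findings.append(("reply", ip, mac))
            continue
        m = ARP_REQ_RE.search(line)
        if m:
            _target, sender = m.group(1), m.group(2)
            if not is_local(sender, local_nets):
                findings.append(("request", sender, source_mac(line)))
    return findings


def triage(log_lines, tcpdump_lines, prefixes, storm_threshold=100):
    """Summarise which off-subnet IPs the kernel complains about, which of them
    exceed a per-capture count (log storm), and which MAC/OUI sent the frames."""
    nets = parse_local_prefixes(prefixes)
    failures = count_arplookup_failures(log_lines)
    frames = suspicious_arp_frames(tcpdump_lines, nets)
    return {
        "off_subnet_ips": sorted(ip for ip in failures if not is_local(ip, nets)),
        "storm_ips": sorted(ip for ip, n in failures.items() if n >= storm_threshold),
        "suspect_frames": frames,
        "ouis": Counter(mac[:8] for _, _, mac in frames if mac),  # first three octets
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SYSLOG, SAMPLE_TCPDUMP, LOCAL_PREFIXES, 2).items():
        print(key, value)
```

The OUI counter only groups frames by vendor prefix; whether a prefix belongs to a given vendor is something to confirm against the IEEE registry, not something the script decides. Feeding it a real capture from the affected segment answers Bill's question directly: the MAC behind the off-subnet announcements is the machine to go and look at.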