Date:      Mon, 7 Apr 2008 08:59:23 -0400
From:      Bill Moran <wmoran@collaborativefusion.com>
To:        Andriy Gapon <avg@icyb.net.ua>
Cc:        freebsd-net@freebsd.org
Subject:   Re: arplookup 10.0.0.68 failed: host is not on local network
Message-ID:  <20080407085923.42271757.wmoran@collaborativefusion.com>
In-Reply-To: <47F8F5E9.6060303@icyb.net.ua>
References:  <47F8F5E9.6060303@icyb.net.ua>

In response to Andriy Gapon <avg@icyb.net.ua>:

> My message log is spammed with thousands of messages like the ones quoted
> below, to the extent that this could be considered some form of attack.
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
> 
> I wasn't there to see how this started, but I was able to monitor a
> little bit of the process and here are my uneducated guesses. Uneducated
> because I didn't examine sources yet.
> 
> There should not be any hosts with 10.0.0.0/24 addresses on this
> network. There are no special routes for it on my machine, outgoing
> packets should go to 'default'.
> 
> I suspect that this was triggered when an offending machine sent an arp
> response packet (that was unasked for) to my machine saying that
> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it

That prefix belongs to Epox Computers.  Any Epox motherboards on your
network?

> broadcast an arp request asking to tell my MAC address to that machine.
> And I suspect that it tricked the OS into (almost endlessly) trying to
> do an arp lookup for that 10.0.0.X address. But updating the arp table
> failed for the obvious reason. I saw with tcpdump that my machine indeed
> sent an arp request for the 10.0.0.X address.
> 
> I see two issues here:
> 1. we should not send arp requests for the addresses that are not
> supposed to be on the local network(s)
> 2. there is no way to disable or throttle the log messages

I suspect this is operator error.  You mention no details about your
local network, but I would guess that you have two separate IP ranges
on a single segment.  Has the "attack" ended?  If not, grab some tcpdumps
and see who's actually sending those packets.

What IP address does this machine have?  What's the network like that
it's connected to?

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

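As an added example (not part of this thread or of FreeBSD), a small Python script a defender could run over /var/log/messages to count these arplookup messages per target address, confirm that the targets really fall outside the host's configured prefixes, and flag addresses that exceed a rate threshold; the sample log lines and the local prefix 192.168.1.0/24 are constructed assumptions.

```python
import re
import ipaddress
from collections import Counter

# Kernel message format exactly as quoted in the thread; the syslog
# timestamp/hostname prefix in the sample below is a constructed assumption.
ARPLOOKUP_RE = re.compile(
    r"arplookup (\d{1,3}(?:\.\d{1,3}){3}) failed: host is not on local network"
)

# Constructed sample of what the log looks like during the flood.
SAMPLE_LOG = """\
Apr  7 08:40:01 gw kernel: arplookup 10.0.0.68 failed: host is not on local network
Apr  7 08:40:01 gw kernel: arplookup 10.0.0.6 failed: host is not on local network
Apr  7 08:40:01 gw kernel: arplookup 10.0.0.68 failed: host is not on local network
Apr  7 08:40:02 gw sshd[123]: Accepted publickey for avg from 192.168.1.10 port 40322
Apr  7 08:40:02 gw kernel: arplookup 10.0.0.6 failed: host is not on local network
"""

# Assumed directly connected prefixes of the host (the thread does not state them).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def count_arplookup_failures(log_text):
    """Return a Counter of target addresses named in arplookup failure messages."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARPLOOKUP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def report(log_text, local_nets, threshold):
    """Return [(ip, count, on_local_net)] for targets seen at least `threshold`
    times, most frequent first. on_local_net should be False for every entry:
    the kernel only logs this message for addresses outside its local nets,
    so a True here would mean the configured prefixes are out of date."""
    rows = []
    for ip_str, n in count_arplookup_failures(log_text).items():
        if n < threshold:
            continue
        ip = ipaddress.ip_address(ip_str)
        on_local = any(ip in net for net in local_nets)
        rows.append((ip_str, n, on_local))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip_str, n, on_local in report(SAMPLE_LOG, LOCAL_NETS, threshold=2):
        print(f"{ip_str:<15} {n:>6}  on_local_net={on_local}")
```

Once a flooding target is identified, the next step is the one Bill suggests: a tcpdump filter on ARP traffic for that address to find which MAC is actually sending the unsolicited replies.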