On Tue, Jun 03, 2003 at 11:09:31AM -0600, Tim Gardner wrote:

> I have a core 2.4.19 NAT router that creates an ARP storm whenever I receive a
> port scan attack from the outside world. The scan attack attempts the same
> IP address with different ports. For each attempt, the NAT router generates 5
> ARP requests when the IP address is non-existent. When the scan attack is
> launched simultaneously on multiple addresses and ports, the resulting storm
> really loads up my interior WAN links with broadcast noise.
>
> Short of hacking on the kernel, is there a way to add some hysteresis to ARP
> requests?

Look at the files in /proc/sys/net/ipv4/neigh/*/. "mcast_solicit", for
example, is the number of broadcast attempts made before giving up for a
while. You may want to try setting this to 2 or maybe even 1. The default
is 3. See "man 7 arp".

Simon-

[ Simon Kirby ][ Network Operations ]
[ sim@netnation.com ][ NetNation Communications Inc. ]
[ Opinions expressed are not necessarily those of my employer. ]
-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
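The tuning Simon describes, as an added example (not part of the original thread, and not anything Tim or Simon posted): a small POSIX shell helper that reads the per-interface neighbour parameters from /proc/sys/net/ipv4/neigh, refuses out-of-range values, applies mcast_solicit=1 to the named interfaces plus the "default" directory, and reads each value back to confirm the kernel kept it. The parameter names (mcast_solicit, ucast_solicit, retrans_time, gc_stale_time) are the ones documented in arp(7); the NEIGH_ROOT override and the interface names eth0/eth1 are assumptions of this example so it can be dry-run against a scratch directory without root.

```shell
#!/bin/sh
# Show and tune ARP (neighbour) solicitation parameters per interface.
# Added example, not from the original mailing-list post.
# NEIGH_ROOT (an assumption of this example) defaults to the real procfs
# tree; point it at a scratch directory to dry-run without root.
NEIGH_ROOT="${NEIGH_ROOT:-/proc/sys/net/ipv4/neigh}"

# arp(7) parameters that bound how many probes one failed lookup sends
# and how long the result is remembered before the next attempt.
NEIGH_PARAMS="mcast_solicit ucast_solicit retrans_time gc_stale_time"

# neigh_get IFACE PARAM -> prints the current value, returns 1 if absent.
neigh_get() {
    f="$NEIGH_ROOT/$1/$2"
    [ -r "$f" ] || return 1
    cat "$f"
}

# neigh_validate PARAM VALUE -> 0 if VALUE is a sane setting for PARAM.
# mcast_solicit/ucast_solicit must be 1..3: 0 would stop resolving at
# all, and anything above the default of 3 only makes the storm worse.
neigh_validate() {
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$1" in
        mcast_solicit|ucast_solicit) [ "$2" -ge 1 ] && [ "$2" -le 3 ] ;;
        *) [ "$2" -ge 0 ] ;;
    esac
}

# neigh_set IFACE PARAM VALUE -> writes the value (root on the real tree),
# then reads it back and returns 0 only if the kernel kept it.
neigh_set() {
    neigh_validate "$2" "$3" || { echo "refusing $2=$3" >&2; return 1; }
    f="$NEIGH_ROOT/$1/$2"
    [ -w "$f" ] || return 1
    echo "$3" > "$f"
    [ "$(cat "$f")" = "$3" ]
}

# neigh_show -> one line per interface directory with the parameters above.
neigh_show() {
    for d in "$NEIGH_ROOT"/*/; do
        ifc=$(basename "$d")
        line="$ifc:"
        for p in $NEIGH_PARAMS; do
            v=$(neigh_get "$ifc" "$p" 2>/dev/null) && line="$line $p=$v"
        done
        echo "$line"
    done
}

# neigh_throttle IFACE... -> one broadcast probe instead of three on each
# named interface and on "default", so interfaces created later inherit it.
neigh_throttle() {
    rc=0
    for ifc in "$@" default; do
        neigh_set "$ifc" mcast_solicit 1 || rc=1
    done
    return $rc
}

# Typical use on the router itself (needs root):
#   neigh_show
#   neigh_throttle eth0 eth1
#   neigh_show
```

The same write can be done with `sysctl -w net.ipv4.neigh.eth0.mcast_solicit=1`; the script goes through /proc directly because interface names containing dots do not map cleanly onto sysctl's dotted keys. Trade-off to keep in mind: with mcast_solicit=1 a single lost ARP reply from a real host now fails the lookup until the next retry, so watch for spurious "host unreachable" errors on busy segments after lowering it.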