Hi Devrim,

You are possibly right; however, I cannot see any request coming from the network. I only see arp whois packets originating from the local machine to the network broadcast.

On Wed, Apr 22, 2009 at 5:32 PM, Devrim SERAL <dseral@xxxxxxxxx> wrote:
>
> Hi,
> You are probably encountering an ARP poisoning or ARP flooding attack in your network. Several trojans use this kind of attack for infecting or obtaining other clients' private information.
>
> You must find the infected client to prevent it from overflowing the ARP table.
>
> Regards,
> devrim
>
> --- On Wed, 4/22/09, Oguz Yilmaz <oguzyilmazlist@xxxxxxxxx> wrote:
>
>> From: Oguz Yilmaz <oguzyilmazlist@xxxxxxxxx>
>> Subject: arp table overflowing
>> To: linux-net@xxxxxxxxxxxxxxx
>> Date: Wednesday, April 22, 2009, 11:35 AM
>>
>> At the moment in my network, about 1500 users exist. After getting
>> neighbour table overflow messages, I increased
>> net.ipv4.neigh.default.gc_thresh3 to 30000, and suddenly I get an ARP
>> table size of 8000 entries. Most of the entries are Incomplete-Failed
>> entries like "? (10.8.223.31) at <incomplete> on eth4"
>>
>> When I tcpdump on the interface with the 10.8 IP subnet:
>> # tcpdump -e -i eth4 -nn arp
>> 10:18:48.131616 00:15:17:88:e3:b9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.8.233.194 tell 212.156.156.156
>> 10:18:48.150625 00:15:17:88:e3:b9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.8.86.188 tell 212.156.156.156
>> ...
>>
>> Lots of arp whois exist. The interesting thing is that all of them
>> seem to originate from my own machine. 00:15:17:88:e3:b9 is the MAC
>> address of eth4, which has the 10.8.0.1 IP address. I checked the
>> machine for any scanner. No scanner is running.
>> The IP shown as 212.156.156.156 is the IP address which is on eth1.
>> This is also interesting.
>>
>> Some kernel variables are:
>>
>> net.ipv4.conf.all.arp_accept = 0
>> net.ipv4.conf.all.arp_ignore = 0
>> net.ipv4.conf.all.arp_announce = 0
>> net.ipv4.conf.all.arp_filter = 0
>> net.ipv4.conf.all.proxy_arp = 0
>>
>> Can you show me some hint about the problem?
>>
>> Best Regards,
>>
>> Oğuz Yılmaz
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-net" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
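
An added example, not part of the thread: one way to summarize a `tcpdump -e -nn arp` capture like the one quoted above, counting who-has requests per source MAC and "tell" address and flagging sender IPs that lie outside the subnet on the wire. The function name, the 10.8.0.0/16 prefix and the third sample line are assumptions made for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One who-has request as printed by `tcpdump -e -nn arp` (old or new format).
ARP_REQ = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, .*?who-has "
    r"(?P<target>[\d.]+)(?: \([0-9a-f:]+\))? tell (?P<tell>[\d.]+)",
    re.IGNORECASE,
)

# First two lines are from the post (re-joined); the third is constructed.
SAMPLE = """\
10:18:48.131616 00:15:17:88:e3:b9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.8.233.194 tell 212.156.156.156
10:18:48.150625 00:15:17:88:e3:b9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.8.86.188 tell 212.156.156.156
10:18:48.150901 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 10.8.0.1 tell 10.8.0.77
""".splitlines()


def summarize(lines, local_mac, subnet):
    """Tally ARP requests by origin; flag sender IPs outside the subnet."""
    net = ip_network(subnet)
    by_origin = Counter()     # (source MAC, "tell" IP) -> request count
    foreign_tell = Counter()  # "tell" IPs that do not belong to the subnet
    targets = set()           # distinct addresses being resolved
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # replies, truncated lines, tcpdump banners
        by_origin[(m["src"].lower(), m["tell"])] += 1
        targets.add(m["target"])
        if ip_address(m["tell"]) not in net:
            foreign_tell[m["tell"]] += 1
    local = sum(n for (mac, _), n in by_origin.items() if mac == local_mac.lower())
    return {"total": sum(by_origin.values()), "from_local_mac": local,
            "distinct_targets": len(targets),
            "by_origin": by_origin, "foreign_tell": foreign_tell}


if __name__ == "__main__":
    # eth4 MAC is from the post; 10.8.0.0/16 is an assumed prefix for "10.8".
    report = summarize(SAMPLE, "00:15:17:88:e3:b9", "10.8.0.0/16")
    print(report["from_local_mac"], "of", report["total"], "requests sent by this host")
    for (mac, tell), n in report["by_origin"].most_common(5):
        print(f"{n:6d}  {mac}  tell {tell}")
    print("sender IPs outside subnet:", dict(report["foreign_tell"]))
```

A high share of requests from the local MAC together with a large number of distinct targets points at the host itself generating the lookups rather than at another station on the segment.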