[11987] in bugtraq
Re: Nmap and Cisco Dos, clarification --
daemon@ATHENA.MIT.EDU (Darren Reed)
Sun Sep 26 01:24:47 1999
Content-Type: text
Message-Id: <199909240114.LAA07962@cheops.anu.edu.au>
Date: Fri, 24 Sep 1999 11:14:20 +1000
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To: LancashireA@SUTTERHEALTH.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E96A622162DED211831F0008C75DDD7B011BB5AC@gpsc1dx.sutterhealth.org> from "Lancashire, Andrew" at Sep 22, 99 01:44:23 pm
In some mail from Lancashire, Andrew, sie said:
>
> This is to clarify what is being put out by Cisco and what we are being told
> by Cisco.
>
> Two e-mails below are what Cisco is telling us and make a lot more sense
> than what Cisco is telling Bugtraq. The last post to Bugtraq made mention
> that the arp cache was filling up and allocating memory for both reachable
> hosts and unreachable hosts (incompletes). Although what Lisa describes is
> true regarding the arp cache, it would not be true for our or most other
> sane persons' environment. Since routers will only arp for what is local,
> that would mean that for the arp cache to fill up and use all the memory all
> networks in the 10.x.x.x range would need to be local. So that's not gonna
> happen but if you read the e-mail below that from Kenny (also at Cisco) his
> explanation makes a lot more sense considering we have hundreds of routers.
This may or may not be relevant, but Cisco allow you to set up routes via
interfaces and in routing packets via that interface, they ARP for the
destination IP address, relying on proxy ARP to get answers. I've not
studied this in detail, but it conceivably leads to a situation where
with a big scan, you can end up with a large ARP cache even on a crossover
connecting a /30 subnet between two routers.
Darren
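The mechanism Darren describes, as an added example that is not part of the original thread: a toy model of a router's ARP cache that contrasts a static route pointing at an interface (so the router ARPs for every destination and relies on proxy ARP) with the same route given an explicit next-hop address, plus a simple audit that lists the interface-routed statics. The cache model, addresses and route entries are constructed assumptions, not Cisco's implementation.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import islice
from typing import Callable, Dict, List, Optional

@dataclass
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address] = None  # None => route points at an interface

@dataclass
class Router:
    routes: List[Route]
    # ARP cache: address -> "complete" (reply seen) or "incomplete" (no reply yet)
    arp_cache: Dict[IPv4Address, str] = field(default_factory=dict)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        # Longest-prefix match over the (constructed) static routes.
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, dst: IPv4Address, answered: Callable[[IPv4Address], bool]) -> None:
        r = self.lookup(dst)
        if r is None:
            return
        # Interface route: ARP for the destination itself (proxy ARP must answer).
        # Next-hop route: ARP only once, for the single next-hop address.
        target = dst if r.next_hop is None else r.next_hop
        if target not in self.arp_cache:
            self.arp_cache[target] = "complete" if answered(target) else "incomplete"

def cache_after_scan(route: Route, count: int = 200,
                     responders: frozenset = frozenset()) -> Dict[IPv4Address, str]:
    """Forward `count` packets to successive 10/8 hosts and return the ARP cache."""
    rtr = Router([route])
    for host in islice(IPv4Network("10.0.0.0/8").hosts(), count):
        rtr.forward(host, answered=lambda ip: ip in responders)
    return rtr.arp_cache

def audit(routes: List[Route]) -> List[str]:
    """Defender check: static routes that resolve via an interface rather than a next hop."""
    return [str(r.prefix) for r in routes if r.next_hop is None]

if __name__ == "__main__":
    iface_route = Route(IPv4Network("10.0.0.0/8"))
    nh_route = Route(IPv4Network("10.0.0.0/8"), IPv4Address("192.168.1.2"))
    print(len(cache_after_scan(iface_route)), "entries via interface route")
    print(len(cache_after_scan(nh_route, responders=frozenset({nh_route.next_hop}))),
          "entry via next-hop route; interface-routed statics:", audit([iface_route, nh_route]))
```

With the interface route every scanned address becomes its own incomplete entry, so the cache grows with the size of the scan, whereas the next-hop route produces a single complete entry regardless of how many destinations are probed.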