[22015] in bugtraq
Re: ARPNuke - 80 kb/s kills a whole subnet
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Mon Jul 30 16:54:50 2001
Message-ID: <3B65AB6E.858EBBB@starzetz.de>
Date: Mon, 30 Jul 2001 20:46:06 +0200
From: Paul Starzetz <paul@starzetz.de>
MIME-Version: 1.0
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi folks,
even if it seems quite strange to answer to my own mail - there are two
another observations concerning the mentioned vulnerability:
1) after a successfull attack there is another lock up occuring after
the random MAC addresses are flushed from the ARP cache (it takes about
2 minutes) - the Windows machine locks for about 20 seconds, after that
all goes fine again.
2) again, after such a successfull attack, giving arp -a on the command
line results in 100% cpu utilization and nothings gets printed, however
the machine is still responding to ctrl-c.
Both, 1 and 2 are indicators for an ineffective arp table. It must be
emphasized that the mentioned machine lockup is not an artifact of very
high interrupt rates - 2000 packets per seconds should be easily
handled, even by Windows.
sincerly,
Ihq.
