Neighbor table overflow. Virus?
- From: "nsa.usa@xxxxxxxxx" <nsa.usa@xxxxxxxxx>
- Date: 23 Jan 2006 01:02:46 -0800
Hi,
Can a virus/spyware on a dialup link cause "Neighbor table overflow"
in the access-server?
I run a small ISP which has dialup-clients. I run stock RH 9 on our
access-server (10 dial-in lines) and every once in a while I suddenly
get thousands of "Neighbor table overflow" messages in the messages log
and while that's happening I can't establish new connections.
The ARP table is also full of hundreds of unconnected connections.
When this happens (maybe 4-5 times now over 1 year timespan) I track it
down to a user on dial-up who's spewing out ARP requests or making
hundreds of connections. And when I kick that user off the problem is
solved (it's a different user every time).
However, I would like to build in some protection against this.
I have changed /proc/sys/net/ipv4/ip_conntrack_max to 65528
But this helps little if any.
Value of /proc/sys/net/ipv4/neigh/default/gc_thresh1 is: 128
Value of /proc/sys/net/ipv4/neigh/default/gc_thresh2 is: 512
Value of /proc/sys/net/ipv4/neigh/default/gc_thresh3 is: 1024
Should I change those values and to what?
I'm also using iptables, how can I use this to restrict new
connections? What would be reasonable values?
And finally, does anybody know what virus/malware is causing this?
Thanks!
Regards,
Tobias Skytte
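
Added example, not part of the original post: a small monitor that parses `/proc/net/arp`, counts total and incomplete (unanswered) entries per interface, and warns when the table approaches `gc_thresh3`, the hard limit behind the "Neighbor table overflow" message. The function names, the 0.8 warning ratio and the sample table are assumptions constructed for illustration.

```python
# Constructed sample in /proc/net/arp format; addresses and devices are made up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:50:56:aa:bb:01     *        eth0
10.0.0.20        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.21        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.22        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.5         0x1         0x2         00:50:56:aa:bb:05     *        eth1
"""

ATF_COM = 0x02  # flag bit set once the neighbour has answered (entry complete)

def parse_arp(text):
    """Return (ip, flags, device) tuples from /proc/net/arp-style text."""
    entries = []
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                        # ignore truncated lines
        entries.append((fields[0], int(fields[2], 16), fields[5]))
    return entries

def summarize(entries, gc_thresh3, warn_ratio=0.8):
    """Count entries per device and flag a table nearing the hard limit."""
    per_dev = {}                            # device -> (total, incomplete)
    for _ip, flags, dev in entries:
        total, incomplete = per_dev.get(dev, (0, 0))
        per_dev[dev] = (total + 1, incomplete + (0 if flags & ATF_COM else 1))
    total = len(entries)
    return {
        "total": total,
        "per_device": per_dev,
        "near_limit": total >= warn_ratio * gc_thresh3,  # assumed threshold
    }

def read_int(path):
    with open(path) as fh:
        return int(fh.read().strip())

if __name__ == "__main__":
    try:   # live data on a Linux host; fall back to the sample elsewhere
        with open("/proc/net/arp") as fh:
            text = fh.read()
        limit = read_int("/proc/sys/net/ipv4/neigh/default/gc_thresh3")
    except OSError:
        text, limit = SAMPLE_ARP, 1024
    print(summarize(parse_arp(text), limit))
```

Run from cron or a loop, a rising incomplete count on one interface shows which link is filling the table before new connections start failing.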