Re: Neighbor table overflow. Virus?

---

• From: Tauno Voipio <tauno.voipio@xxxxxxxxxxxxx>
• Date: Tue, 24 Jan 2006 20:56:46 GMT

---

Moe Trin wrote:

On 24 Jan 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<1138093069.792509.323560@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, nsa.usa@xxxxxxxxx
wrote:

Sorry if I didn't make that clear. As soon as I disconnect that client
the problem disappears in the server. It is obvious from the ARP table
that hundreds of connections are comming from this client that cannot
be established.

Entries in the ARP tables should only occur for IP addresses that are
local to this computer. Looking at your routing table should show what
the O/S deems to be local.  Are you using some unusual netmasks?

The client is running a windows version by the way.

In theory, sniffing the connection to see WTF it's trying to connect
to might help, as the dialin box isn't using ARP (a ppp connection does
not). This means you can see what address, port, and protocol is trying
to be used.

The ARP tables contain MAC and IP addresses of hosts in the
local subnet and, temporarily, also the attempted accesses
to local subnet non-existent hosts until the ARP times out.

It seems that the client at the PPP connection is attempting
to reach all possible addresses in the local subnet. It might
be a network scan attempt.

The PPP client can imagine being a part of the local Ethernet
subnet, if the PPP router is using proxy ARP.

To verify, a tcpdump/Ethereal trace of the situation could
give the clue.

--

Tauno Voipio
tauno voipio (at) iki fi
.

---

• Follow-Ups:
  • Re: Neighbor table overflow. Virus?
    • From: Moe Trin

• References:
  • Neighbor table overflow. Virus?
    • From: nsa.usa@xxxxxxxxx
  • Re: Neighbor table overflow. Virus?
    • From: Rick Moen
  • Re: Neighbor table overflow. Virus?
    • From: nsa.usa@xxxxxxxxx
  • Re: Neighbor table overflow. Virus?
    • From: Rick Moen
  • Re: Neighbor table overflow. Virus?
    • From: nsa.usa@xxxxxxxxx
  • Re: Neighbor table overflow. Virus?
    • From: Moe Trin

• Prev by Date: Re: How to avoid interrupt sharing ?
• Next by Date: Desktop Firewall or Application-Packetfilter
• Previous by thread: Re: Neighbor table overflow. Virus?
• Next by thread: Re: Neighbor table overflow. Virus?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Neighbor table overflow. Virus? ... As soon as I disconnect that client ... >the problem disappears in the server. ... Entries in the ARP tables should only occur for IP addresses that are ... sniffing the connection to see WTF it's trying to connect ... (comp.os.linux.networking) [PATCH 0/5] [RFC] AF_RXRPC socket family implementation [try #3] ... These patches together supply secure client-side RxRPC connectivity as a Linux ... kernel socket family. ... presentation side is left to the client. ... Each connection goes to a particular "service". ... (Linux-Kernel) [PATCH 0/5] [RFC] AF_RXRPC socket family implementation ... These patches together supply secure client-side RxRPC connectivity as a Linux ... Make it possible for the client socket to be used to go to more than one ... Each connection goes to a particular "service". ... (Linux-Kernel) [PATCH 0/5] [RFC] AF_RXRPC socket family implementation [try #2] ... These patches together supply secure client-side RxRPC connectivity as a Linux ... Make it possible for the client socket to be used to go to more than one ... Each connection goes to a particular "service". ... (Linux-Kernel) Re: Remote Client Configuration ... the client computer to the SBS domain via connect computer wizard remotely. ... local network or via dial up VPN connection, you will use an local copy on ... connection is established, Group Policy is not applied during logon. ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)