ARPNuke - 80 kb/s kills a whole subnet

From: Paul Starzetz (paulat_private)
Date: Mon Jul 30 2001 - 01:42:30 PDT


    Hi ppl,
    
    It is time for a new ´nuke´ - ARPNuke.
    
    There is an ARP table handling bug in Microsoft Windows protocol
    stacks. It seems that the arp handling code uses some inefficient data
    structure (maybe a simple linear table?) to manage the ARP entries.
    Sending a huge amount of ´random´ (that is random source IP and
    arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
    lock up. The machine wakes up after the packet stream has been stopped.
    
    The needed traffic is not really high: the attached ARPkill code will
    send an initial sequence of about 10000 ARP packets, then go to ´burst
    mode´ sending definable short bursts of random ARP packets every 10 msec.
    The lockup occurred at about 80kb/sec (seq about 45) on a PII/350.
    
    Even worse: it seems that it is possible to kill a whole subnet using
    broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
    source IP.
    
    
    regards,
    
    Ihq.
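
One way to spot the traffic pattern described in the message above from a monitoring host, as an added example that is not part of the original post or of the attached ARPkill code: it flags a time window in which ARP packets claim sender IPs outside the local subnet, or far more distinct sender IPs than the segment has hosts. The function names, the record layout, the 192.168.1.0/24 subnet and the thresholds are assumptions, and the sample records are constructed.

```python
import ipaddress
import random
from collections import Counter, deque

def first_arp_storm(records, local_net, window=1.0, max_unique=100, max_offnet=20):
    """Return (ts, reason) for the first storm-like window, else None.

    records: time-ordered (ts, arp_sender_ip) tuples taken from a capture.
    Thresholds are assumed defaults; tune them to the segment being monitored.
    """
    net = ipaddress.ip_network(local_net)
    recent = deque()    # (ts, sender_ip, off_net) entries still inside the window
    per_ip = Counter()  # sender_ip -> packets in window, for a cheap distinct count
    offnet = 0          # packets in window whose sender IP is outside local_net
    for ts, sender_ip in records:
        off = ipaddress.ip_address(sender_ip) not in net
        recent.append((ts, sender_ip, off))
        per_ip[sender_ip] += 1
        offnet += off
        while ts - recent[0][0] > window:  # expire entries older than the window
            _, old_ip, old_off = recent.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
            offnet -= old_off
        if offnet > max_offnet:
            return ts, f"{offnet} ARP packets with sender IP outside {net} within {window}s"
        if len(per_ip) > max_unique:
            return ts, f"{len(per_ip)} distinct ARP sender IPs within {window}s"
    return None

# Constructed sample (not a real capture): 20 on-net hosts, one ARP each per second.
def normal_records():
    return [(s + h * 0.01, f"192.168.1.{10 + h}")
            for s in range(10) for h in range(20)]

# Constructed sample: observations with unrelated sender IPs, 1 ms apart.
def storm_records(start=10.0, count=500):
    rng = random.Random(1)  # fixed seed keeps the sample reproducible
    return [(start + i * 0.001, str(ipaddress.ip_address(rng.getrandbits(32))))
            for i in range(count)]

if __name__ == "__main__":
    print(first_arp_storm(normal_records(), "192.168.1.0/24"))
    print(first_arp_storm(normal_records() + storm_records(), "192.168.1.0/24"))
```

The off-net check fires first on a routed segment because almost every random sender IP falls outside the local prefix; the distinct-IP check covers the case where the monitored prefix is very wide.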
    
    


