ARPNuke - 80 kb/s kills a whole subnet

From: Paul Starzetz (paul@starzetz.de)
Date: 07/30/01


Message-ID: <3B651DF6.B09F7F4B@starzetz.de>
Date: Mon, 30 Jul 2001 10:42:30 +0200
From: Paul Starzetz <paul@starzetz.de>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "sphilipp@ix.urz.uni-heidelberg.de" <sphilipp@ix.urz.uni-heidelberg.de>
Subject: ARPNuke - 80 kb/s kills a whole subnet


Hi ppl,

It is time for a new 'nuke' - ARPNuke.

There is an ARP table handling bug in Microsoft Windows protocol
stacks. It seems that the ARP handling code uses some inefficient data
structure (maybe a simple linear table?) to manage the ARP entries.
Sending a huge amount of 'random' (that is, random source IP and
arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
lock up. The machine wakes up after the packet stream has been stopped.

The needed traffic is not really high: the attached ARPkill code will
send an initial sequence of about 10000 ARP packets, then go to 'burst
mode', sending definable short bursts of random ARP packets every 10 msec.
The lockup occurred at about 80kb/sec (seq about 45) on a PII/350.

Even worse: it seems that it is possible to kill a whole subnet using
a broadcast destination MAC (that is, ff:ff:ff:ff:ff:ff) and arbitrary
source IP.

regards,

Ihq.
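The traffic pattern described in the post (a burst of ARP frames with many distinct, random sender IP/MAC pairs inside a 10 msec window) is easy to spot on the wire. The following detector is an added example written for this page, not the ARPkill code the post attaches: it parses raw Ethernet/ARP frames and flags any window whose count of distinct (sender MAC, sender IP) pairs exceeds a threshold. The frames, timestamps and the threshold of 20 are constructed here and are assumptions, not values from the post.

```python
import struct
from collections import defaultdict, deque

ETH_ARP = b"\x08\x06"          # EtherType for ARP
BCAST = b"\xff" * 6            # broadcast MAC named in the post


def build_arp_frame(dst_mac, src_mac, sender_mac, sender_ip, target_ip, opcode=1):
    """Constructed Ethernet II + ARP frame (14 + 28 bytes); sample data only."""
    eth = dst_mac + src_mac + ETH_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # hw=Ethernet, proto=IPv4
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


def parse_arp(frame):
    """Return (dst_mac, sender_mac, sender_ip, opcode), or None if not an IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP:
        return None
    hw_type, proto_type, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if hw_type != 1 or proto_type != 0x0800 or hlen != 6 or plen != 4:
        return None
    return frame[0:6], frame[22:28], frame[28:32], opcode


def arp_flood_windows(packets, window_ms=10, max_unique=20):
    """packets: (timestamp_ms, frame) pairs in time order.
    Returns timestamps at which the number of distinct (sender MAC, sender IP)
    pairs seen within the last window_ms exceeded max_unique (one alert per window)."""
    alerts, recent, counts = [], deque(), defaultdict(int)
    for ts, frame in packets:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        key = (parsed[1], parsed[2])
        recent.append((ts, key))
        counts[key] += 1
        while recent and ts - recent[0][0] > window_ms:       # slide the window
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > max_unique and (not alerts or ts - alerts[-1] > window_ms):
            alerts.append(ts)
    return alerts


def constructed_sample():
    """Constructed traffic: 3 hosts chatting normally, then 60 frames with distinct senders in 10 ms."""
    gw = bytes([10, 0, 0, 254])
    normal = [(i * 200, build_arp_frame(BCAST, m, m, bytes([10, 0, 0, 1 + i % 3]), gw))
              for i in range(5) for m in [bytes([0, 0x11, 0x22, 0x33, 0x44, i % 3])]]
    burst = [(5000 + i // 6, build_arp_frame(BCAST, m, m, bytes([10, 0, i >> 8, i & 0xFF]), gw))
             for i in range(60) for m in [bytes([0, 0, 0, 0, i >> 8, i & 0xFF])]]
    return normal, burst
```

With the constructed data, the normal traffic produces no alert and the burst raises one alert at 5003 ms, the moment the 21st distinct sender appears inside the window.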