ARPNuke - 80 kb/s kills a whole subnet

From: Paul Starzetz
Date: 07/30/01

Date: Mon, 30 Jul 2001 10:42:30 +0200

Hi ppl,

It is time for a new 'nuke' - ARPNuke.

There is an ARP table handling bug in Microsoft Windows protocol
stacks. It seems that the ARP handling code uses some inefficient data
structure (maybe a simple linear table?) to manage the ARP entries.
Sending a huge amount of 'random' (that is random source IP and
arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
lockup. The machine wakes up after the packet stream has been stopped.

The needed traffic is not really high: the attached ARPkill code will
send an initial sequence of about 10000 ARP packets, then go to 'burst
mode' sending definable short bursts of random ARP packets every 10 msec.
The lockup occurred at about 80kb/sec (seq about 45) on a PII/350.

Even worse: it seems that it is possible to kill a whole subnet using
a broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
source IP.
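
A defender-side sketch of how the traffic pattern described in the post above (a stream of ARP frames with ever-changing sender IPs, optionally sent to the broadcast MAC) can be flagged from a capture or monitoring port. This is an added example, not part of the original post or its attached code; the window and threshold values, all function and class names, and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import deque

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Return (dst_mac, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dst, sha, spa

class ArpFloodDetector:
    """Alert when too many distinct ARP sender IPs appear inside a sliding window."""
    def __init__(self, window=1.0, max_senders=200):  # thresholds are assumptions
        self.window, self.max_senders = window, max_senders
        self.events = deque()  # (timestamp, sender_ip), oldest first
        self.counts = {}       # sender_ip -> frames still inside the window

    def observe(self, ts, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        dst, _sha, spa = parsed
        self.events.append((ts, spa))
        self.counts[spa] = self.counts.get(spa, 0) + 1
        while self.events[0][0] <= ts - self.window:  # expire frames older than the window
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        if len(self.counts) > self.max_senders:
            return {"ts": ts, "distinct_senders": len(self.counts),
                    "broadcast": dst == BROADCAST}
        return None

def sample_frame(n, dst=BROADCAST):
    """Constructed test input: ARP request whose sender MAC/IP are derived from n."""
    sha = b"\x02\x00" + struct.pack("!I", n)
    spa = struct.pack("!I", 0x0A000000 + n)
    return (dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sha + spa + b"\x00" * 6 + b"\x0a\x00\x00\x01")

def run(frames):
    """Feed (timestamp, frame) pairs to a fresh detector and collect its alerts."""
    det = ArpFloodDetector()
    return [a for ts, f in frames if (a := det.observe(ts, f))]

# Constructed traces: 20 hosts re-ARPing over 10 s vs. 300 new senders inside 0.3 s.
QUIET = [(i * 0.05, sample_frame(i % 20)) for i in range(200)]
FLOOD = [(i * 0.001, sample_frame(i)) for i in range(300)]
```

Counting distinct sender IPs rather than raw packet rate keeps a chatty but legitimate host from triggering the alert, while the constantly changing source addresses the post describes cross the threshold quickly.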