ARPNuke - 80 kb/s kills a whole subnet

From: Paul Starzetz (paul@starzetz.de)
Date: 07/30/01


Message-ID: <3B651DF6.B09F7F4B@starzetz.de>
Date: Mon, 30 Jul 2001 10:42:30 +0200
From: Paul Starzetz <paul@starzetz.de>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "sphilipp@ix.urz.uni-heidelberg.de" <sphilipp@ix.urz.uni-heidelberg.de>
Subject: ARPNuke - 80 kb/s kills a whole subnet


Hi ppl,

It is time for a new 'nuke' - ARPNuke.

There is an ARP table handling bug in Microsoft Windows protocol
stacks. It seems that the ARP handling code uses some inefficient data
structure (maybe a simple linear table?) to manage the ARP entries.
Sending a huge amount of 'random' (that is random source IP and
arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
lock up. The machine wakes up after the packet stream has been stopped.

The needed traffic is not really high: the attached ARPkill code will
send an initial sequence of about 10000 ARP packets, then go to 'burst
mode' sending definable short bursts of random ARP packets every 10 msec.
The lockup occurred at about 80kb/sec (seq about 45) on a PII/350.

Even worse: it seems that it is possible to kill a whole subnet using
a broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
source IP.

regards,

Ihq.
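
Added example, not part of the original post and not the author's ARPkill code: a monitor-side check that parses captured ARP frames and flags time windows in which the number of never-before-seen (sender IP, sender MAC) pairs jumps, which is the traffic pattern the message describes. The window size, the threshold and the sample capture are constructed assumptions.

```python
import struct
from collections import defaultdict

ARP_ETHERTYPE = 0x0806
BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Return (dst_mac, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dst, sha, spa

def flood_windows(records, window=1.0, max_new=50):
    """Flag time windows with more than max_new never-seen (sender IP, sender MAC) pairs.

    records is an iterable of (timestamp_seconds, raw_frame). The thresholds are
    assumptions to tune per network. Returns [(window_start, new_pairs, broadcast_frames)].
    """
    seen, new, bcast = set(), defaultdict(int), defaultdict(int)
    for ts, frame in records:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        dst, sha, spa = parsed
        bucket = int(ts // window) * window
        if dst == BROADCAST:
            bcast[bucket] += 1
        if (spa, sha) not in seen:           # a binding this monitor has never observed
            seen.add((spa, sha))
            new[bucket] += 1
    return [(b, n, bcast[b]) for b, n in sorted(new.items()) if n > max_new]

def sample_frame(i):
    """Constructed broadcast ARP request from sender 10.0.x.y, for the offline demo only."""
    sha = struct.pack("!HI", 0x0200, i)
    spa = bytes([10, 0, (i >> 8) & 255, i & 255])
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, spa, bytes(6), bytes([10, 0, 0, 1]))
    return struct.pack("!6s6sH", BROADCAST, sha, ARP_ETHERTYPE) + body

def sample_trace():
    """Constructed capture: five steady hosts for 2 s, then 300 unseen senders inside 1 s."""
    steady = [(0.1 * j, sample_frame(1 + j % 5)) for j in range(20)]
    burst = [(2.0 + 0.003 * k, sample_frame(1000 + k)) for k in range(300)]
    return steady + burst

if __name__ == "__main__":
    print(flood_windows(sample_trace()))
```

On a real segment the same counters can be fed from a capture file or a switch mirror port, with max_new set above the normal rate at which new hosts appear.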





