Bugtraq mailing list archives
ARPNuke - 80 kb/s kills a whole subnet
From: Paul Starzetz <paul () starzetz de>
Date: Mon, 30 Jul 2001 10:42:30 +0200
Hi ppl, It is time for a new ´nuke´ - ARPNuke. There is an ARP table handling bug in Microsoft Windows protocoll stacks. It seems that the arp handling code uses some inefficient data structure (maybe a simple linear table?) to manage the ARP entries. Sending a huge amount of ´random´ (that is random source IP and arbitrary MAC) ARP packets results in 100% CPU utilization and a machine lock up. The machine wakes up after the packets stream has been stopped. The needed traffic is not really high: the attached ARPkill code will send an initial sequence of about 10000 ARP packets, then go to ´burst mode´ sending definable short burst of random ARP packets every 10 msec. The lockup occured at about 80kb/sec (seq about 45) on a PII/350. Even worse: it seems that is possible to kill a whole subnet using broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary source IP. regards, Ihq.
Attachment:
arpkill.tar.gz
Description:
Current thread:
- ARPNuke - 80 kb/s kills a whole subnet Paul Starzetz (Jul 30)
- Re: ARPNuke - 80 kb/s kills a whole subnet Raptor (Jul 30)
- Re: ARPNuke - 80 kb/s kills a whole subnet Paul Starzetz (Jul 30)