ARPNuke - 80 kb/s kills a whole subnet

[Paul Starzetz <paul () starzetz de>]

Hi ppl,

It is time for a new ´nuke´ - ARPNuke.

There is an ARP table handling bug in Microsoft Windows protocoll
stacks. It seems that the arp handling code uses some inefficient data
structure (maybe a simple linear table?) to manage the ARP entries.
Sending a huge amount of ´random´ (that is random source IP and
arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
lock up. The machine wakes up after the packets stream has been stopped.

The needed traffic is not really high: the attached ARPkill code will
send an initial sequence of about 10000 ARP packets, then go to ´burst
mode´ sending definable short burst of random ARP packets every 10 msec.
The lockup occured at about 80kb/sec (seq about 45) on a PII/350.

Even worse: it seems that is possible to kill a whole subnet using
broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
source IP.


regards,

Ihq.

Attachment: arpkill.tar.gz
Description: