Re: ARPNuke - 80 kb/s kills a whole subnet

[Paul Starzetz <paul () starzetz de>]

Hi folks,

even if it seems quite strange to answer to my own mail - there are two
another observations concerning the mentioned vulnerability:

1) after a successfull attack there is another lock up occuring after
the random MAC addresses are flushed from the ARP cache (it takes about
2 minutes) - the Windows machine locks for about 20 seconds, after that
all goes fine again.

2) again, after such a successfull attack, giving arp -a on the command
line results in 100% cpu utilization and nothings gets printed, however
the machine is still responding to ctrl-c.


Both, 1 and 2 are indicators for an ineffective arp table. It must be
emphasized that the mentioned machine lockup is not an artifact of very
high interrupt rates - 2000 packets per seconds should be easily
handled, even by Windows.


sincerly,

Ihq.