Bugtraq mailing list archives
Re: ARPNuke - 80 kb/s kills a whole subnet
From: Raptor <raptor () 0xdeadbeef eu org>
Date: Mon, 30 Jul 2001 19:55:45 +0200 (CEST)
Obviously you need to be in the local ethernet segment to accomplish an attack like that. I wrote a similar tool a couple of years ago, called havoc. It can be downloaded from http://packetstormsecurity.org/DoS/havoc-0.1c.tgz and can be easily modified to suit your particular needs. Cheers, :raptor On Mon, 30 Jul 2001, Paul Starzetz wrote:
There is an ARP table handling bug in Microsoft Windows protocoll stacks. It seems that the arp handling code uses some inefficient data structure (maybe a simple linear table?) to manage the ARP entries. Sending a huge amount of ?random? (that is random source IP and arbitrary MAC) ARP packets results in 100% CPU utilization and a machine lock up. The machine wakes up after the packets stream has been stopped. The needed traffic is not really high: the attached ARPkill code will send an initial sequence of about 10000 ARP packets, then go to ?burst mode? sending definable short burst of random ARP packets every 10 msec. The lockup occured at about 80kb/sec (seq about 45) on a PII/350. Even worse: it seems that is possible to kill a whole subnet using broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary source IP.
Antifork Research, Inc. @ Mediaservice.net Srl http://www.0xdeadbeef.eu.org http://www.mediaservice.net
Current thread:
- ARPNuke - 80 kb/s kills a whole subnet Paul Starzetz (Jul 30)
- Re: ARPNuke - 80 kb/s kills a whole subnet Raptor (Jul 30)
- Re: ARPNuke - 80 kb/s kills a whole subnet Paul Starzetz (Jul 30)