Re: [nsp] Code red and ARPs

From: Gert Doering (gert@greenie.muc.de)
Date: Tue Aug 07 2001 - 06:13:28 EDT


Hi,

On Tue, Aug 07, 2001 at 12:55:26PM +0200, Hank Nussbacher wrote:
> "clear arp-cache" doesn't help and there appears to be no way to set a
> timer to get rid of these entries (arp timers are only on a per interface
> basis and not for incompletes). Anyone else see this and have a solution?

As a very hacky solution you could put a Linux box into your network
that Proxy-ARPs for all those unused IPs (and then tarpits the Code Red
scans).

We're just now building such a box, not for the ARPs (the networks
in question are fairly well populated, so there are not too many
incompletes) but to slow down scans and thus reduce bandwidth wastage
and possibly infection rates.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de


