[c-nsp] Rate-limiting ARPs

Ed Butler ed.butler at rapidswitch.com
Wed Sep 13 07:15:56 EDT 2006


We cannot be sure about it, but I can't think of an alternative
explanation.

What we know is that traffic was directed at a specific IP address. When
the server on this IP address crashed, traffic started to affect the
whole subnet. It must have been broadcast traffic because each server
was receiving 100mbit of traffic, and the sum of this was less than the
total incoming DDOS traffic.

Regards,

Ed Butler
RapidSwitch Ltd
DDI: 020 7106 0731

RapidSwitch Ltd, 5th Floor, Sovereign House, 227 Marsh Wall, London, E14
9SD

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com] 
Sent: 13 September 2006 12:12
To: Ed Butler; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate-limiting ARPs

cisco-nsp-bounces at puck.nether.net wrote on Wednesday, September 13,
2006 12:57 PM:

> Oliver,
> 
> I am not sure a "debug arp" would be particularly helpful at this 
> point, because the problem is not happening at the moment.
> 
> The problem manifested itself last night when a server on a /24 subnet
> was subject to a DDOS of 300kpps. The server crashed, for whatever
> reason, and once the ARP entry had timed out all of the servers on
> that /24 were bombarded with traffic until we filtered the DDOS at the
> border routers.

Hmm, and you were sure those were arp requests for the victim's IP
address sent at a high rate? Did you capture some of this traffic?

	oli



