[c-nsp] Unknown unicast only occurring when a host is under attack...

ML ml at kenweb.org
Sat Mar 26 15:51:02 EDT 2011


On 3/26/2011 9:08 AM, Jeroen van Ingen wrote:
>
>> > Assuming the DoS attack is routed traffic (since it's in netflow) it
>> > won't cause overflows in L2 forwarding table CAM.
>>
>> Unless there's a layer2 device downstream from the router.
> Not even then. Layer 2 source/dest addresses are rewritten on every
> router hop. All traffic going through a router will have that router's
> MAC address as L2 source. So even if you have 400,000 packets coming
> through a router, each packet may have a different source IP but all
> will have the same source MAC.
>
> No matter how many Layer 2 devices are downstream: they won't alter the
> packets, won't look at the Layer 3 source/dest and will only look at the
> L2 source/dest (which are, in this case, router MAC as source and "host
> under attack MAC" as destination).
>
> Have a look with a packet sniffer (e.g. Wireshark) if you don't believe me :)
>
> Regards,
> Jeroen van Ingen
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

If the host under attack doesn't have a gateway and is dependent on 
proxy ARP, then it would be possible for the CAM to overflow.
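The mechanism Jeroen describes (the router rewrites the L2 header on every hop, so a downstream switch only ever learns the router's MAC from routed traffic, however many spoofed source IPs the flood carries) can be shown with a toy learning switch. The following is an added example written for this page, not code from the thread or from any vendor; the port names, MAC addresses, IP ranges and the oldest-entry eviction policy are constructed assumptions, and real switches age and evict CAM entries differently. It contrasts a routed DoS (CAM stays at two entries, nothing is flooded) with a flood of frames carrying distinct source MACs from a host on the same segment, which fills the table, evicts the victim's entry and turns subsequent traffic to the victim into unknown unicast that is flooded out every other port.

```python
"""Toy L2 learning switch: routed traffic vs. a source-MAC flood.

Hypothetical model written for illustration; not any vendor's CAM implementation.
"""
from collections import OrderedDict
from dataclasses import dataclass

ALL_PORTS = ("Gi1/1", "Gi1/2", "Gi1/3", "Gi1/4")   # assumed port names
ROUTER_PORT, VICTIM_PORT, ATTACKER_PORT = "Gi1/1", "Gi1/2", "Gi1/3"
ROUTER_MAC = "00:00:0c:07:ac:01"    # constructed: L2 source after the router rewrite
VICTIM_MAC = "00:11:22:33:44:55"    # constructed: host under attack
VICTIM_IP = "192.0.2.10"            # RFC 5737 documentation address


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class LearningSwitch:
    """Learns source MAC -> port; floods unicast frames whose destination is unknown."""

    def __init__(self, cam_capacity):
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()   # mac -> port, oldest entry first
        self.flooded = 0           # unknown-unicast frames sent out all other ports
        self.forwarded = 0         # frames sent out exactly one port

    def learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)   # table full: drop the oldest entry (simplification)
        self.cam[mac] = port

    def handle(self, frame, in_port):
        """Learn the L2 source, then forward to the learned port or flood."""
        self.learn(frame.src_mac, in_port)
        if frame.dst_mac in self.cam:
            self.forwarded += 1
            return (self.cam[frame.dst_mac],)
        self.flooded += 1
        return tuple(p for p in ALL_PORTS if p != in_port)


def router_forward(src_ip, dst_ip):
    """One router hop: the IP header is kept, the Ethernet header is rewritten.

    Whatever the (possibly spoofed) source IP, the L2 source is the router's MAC.
    """
    return Frame(ROUTER_MAC, VICTIM_MAC, src_ip, dst_ip)


def simulate_routed_dos(n_packets, cam_capacity=8192):
    """Routed flood with a distinct source IP per packet; the switch sees one source MAC."""
    sw = LearningSwitch(cam_capacity)
    sw.learn(VICTIM_MAC, VICTIM_PORT)   # the victim has spoken once, so it is in the CAM
    for i in range(n_packets):
        src_ip = f"10.{(i >> 16) & 0xff}.{(i >> 8) & 0xff}.{i & 0xff}"   # constructed, all distinct
        sw.handle(router_forward(src_ip, VICTIM_IP), ROUTER_PORT)
    return {"cam_entries": len(sw.cam), "flooded": sw.flooded, "forwarded": sw.forwarded}


def simulate_mac_flood(n_frames, cam_capacity=8192):
    """Host on the same segment sends frames with distinct source MACs (macof-style).

    Once the CAM is full the victim's entry is evicted; the next routed packet to the
    victim becomes unknown unicast and is flooded out every port except the ingress.
    """
    sw = LearningSwitch(cam_capacity)
    sw.learn(VICTIM_MAC, VICTIM_PORT)
    for i in range(n_frames):
        fake_src = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        sw.handle(Frame(fake_src, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "0.0.0.0"), ATTACKER_PORT)
    out_ports = sw.handle(router_forward("198.51.100.1", VICTIM_IP), ROUTER_PORT)
    return {"victim_in_cam": VICTIM_MAC in sw.cam,
            "cam_entries": len(sw.cam),
            "out_ports": out_ports}


if __name__ == "__main__":
    print("routed DoS, 100000 spoofed source IPs:", simulate_routed_dos(100_000))
    print("source-MAC flood, 10000 frames:       ", simulate_mac_flood(10_000))
```

The routed case finishes with exactly two CAM entries (router and victim) and zero flooded frames no matter how many packets are sent, which is the point of the quoted reply; the flooding only appears when something on the L2 segment itself originates frames with many source MACs.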

