Preventing Sasser's ARP broadcast storm

  #1 Member (Join Date: Feb 2003, Posts: 47)

    Preventing Sasser's ARP broadcast storm

    Hi folks,
    Regarding the network congestion due to the Sasser worm, I have a question:

    Sasser spreads by scanning for machines in its own network, right? This causes ARP broadcast storms, especially on a large network [a 172.16.0.0/16 net with just 700 used IPs... yes, a network design fiasco...]. I tried using the 'Fake ARP Daemon' [farpd] from the phlak distribution, so that it would respond to ARP requests for free IPs on the network. The idea was to have one machine respond to all ARP requests for non-assigned IPs, thus preventing broadcast storms. HOWEVER, it's not working. The ARP requests are still flooding the network. So did I get my logic wrong? And does anyone here have any experience with farpd? I can't even tell if the program is actually doing what it's supposed to.


    Anyone know of any other method to prevent these broadcast storms?

    Danke,

    _Scim_

    P.S.: This thread is actually a reproduction of what I'd posted earlier here. I couldn't get a response there. If anyone has issues with the repetition, my apologies.
    _scimitar_
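The arithmetic behind the storm, as an added example that is not part of the original post: a host broadcasts an ARP request only for destinations it believes are on its own link, so the client's subnet mask decides how many of the 65,536 addresses in 172.16.0.0/16 draw a broadcast. The script below models a single infected host at 172.16.5.20 that probes every address in the /16 once, with the default gateway at 172.16.0.1; both addresses and the one-probe-per-address scan pattern are assumptions for illustration, and the model counts requests, not replies, which is why a daemon that answers for unused addresses leaves the number of requests sent unchanged (the request has already been broadcast by the time any answer arrives).

```python
import ipaddress


def arp_requests_for_scan(scanner_ip, prefix_len, gateway_ip, scan_net):
    """Count distinct ARP requests a scanning host broadcasts while probing
    every address in scan_net once, given its own address and subnet mask.

    Model (an added example, not a packet capture):
      * a destination inside the host's own prefix is on-link: the host must
        broadcast an ARP request for it, whether or not anyone ever answers;
      * a destination outside the prefix is off-link: it is sent to the
        default gateway, whose MAC is resolved once and then cached.
    Returns the on-link / off-link split and the resulting ARP request total.
    """
    me = ipaddress.ip_address(scanner_ip)
    local = ipaddress.ip_network(f"{scanner_ip}/{prefix_len}", strict=False)
    gateway = ipaddress.ip_address(gateway_ip)
    on_link = off_link = 0
    arp_targets = set()          # one broadcast per distinct address resolved
    for dst in ipaddress.ip_network(scan_net):
        if dst == me:            # a host never ARPs for itself
            continue
        if dst in local:
            on_link += 1
            arp_targets.add(dst)
        else:
            off_link += 1
            arp_targets.add(gateway)
    return {"on_link": on_link, "off_link": off_link,
            "arp_requests": len(arp_targets)}


def compare_masks(scanner_ip, gateway_ip, scan_net, masks=(16, 24)):
    """Run the model for each candidate client mask and report the request
    count plus the reduction factor relative to the first mask in `masks`.
    This is the arithmetic behind narrowing the client mask while the
    scanned range stays the same."""
    results = {m: arp_requests_for_scan(scanner_ip, m, gateway_ip, scan_net)
               for m in masks}
    base = results[masks[0]]["arp_requests"]
    return {m: (r["arp_requests"], round(base / r["arp_requests"], 1))
            for m, r in results.items()}


if __name__ == "__main__":
    # Assumed values: infected host 172.16.5.20, gateway 172.16.0.1,
    # scan of the whole 172.16.0.0/16 as described in the thread.
    for mask, (count, factor) in compare_masks("172.16.5.20", "172.16.0.1",
                                               "172.16.0.0/16").items():
        print(f"/{mask}: {count} ARP requests per scanning host "
              f"({factor}x fewer than the first mask)")
```

The number printed is per infected host; the broadcast load on the segment is that figure multiplied by the number of scanning machines, and every host in the L2 domain has to process each of those frames regardless of whether it is the intended target.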

  #2 AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    You aren't going to prevent the storm but maybe we can put it in a "teacup".

    Some questions:-

    1. Are all your clients subnet masked 255.255.0.0, (/16)?
    2. Are your subnets broadly spread, or are there just three or four subnets (172.16.0.1, 0.2, etc.)?
    3. Are you using DHCP?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  #3 Member (Join Date: Feb 2003, Posts: 47)
    Hey TS,

    Yup, all the clients are masked with 255.255.0.0. And it's all just one happy subnet of 65,000+ possible IPs, with around 700 IPs actually in use. As for the third question, yup, we do use DHCP, but it's not truly dynamic - IP addresses are bound to the MAC addresses of the machines.

    TS, how would having DHCP or otherwise affect things here?

    As an aside, I tried enabling Broadcast Storm Control on the switches in the network [we have 3Com SuperStack switches]. I thought this would mean frames would just be dropped randomly once the frame rate per second exceeded the defined limit. And I was wrong. The switch closes down the port sending out the large number of frames, and keeps it closed till the frame rate actually goes down. In other words, the entire segment on that port would just be shut down. Just thought I'd share that bit of headache I'd crafted for myself this morning.


    _Scim_

  #4 AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    I think that DHCP can save you some shoe leather.......

    Go to the DHCP server and edit the parameters it provides. Set the subnet mask to 255.255.255.0 (/24) and, more importantly, set the lease life to 15 minutes. I want you to set the lease life to 15 minutes so that if this goes to hell in a handbasket and crashes the network completely, you have 15 minutes to change the subnet mask back, and then the clients will come for their new DHCP information in a very short time.

    Then copy and paste this into a batch file:-

    ipconfig /release
    ipconfig /renew

    Email the batch file to everyone as an attachment and tell them to click on it. Yep, I know a lot of the infected machines won't be able to do this but machines that are still clean and a small percentage of those infected may be able to get it done.

    Leave the mask on the router as 255.255.0.0. This should allow computers to talk to each other, but the fact that you have reduced the subnet mask on all the other PCs should bring the "storm" down quite significantly.

    After an hour or so go to the DHCP server and list the address leases. Sort the column "Lease Expiration" and look at all the leases that are clearly not expiring under the 15 minute rule. That is a list of computers that are either switched off or are infected and the users aren't getting the email. Look carefully at the list. If you can see a large segment of the network that seems to be off/infected that could be quickly disconnected at a switch, do it. Then concentrate on the remaining individual machines. Clean them and patch them. Then move to your "cut off" segment and go around that cleaning and patching.

    It's far from a "silver bullet" solution but it should bring down the ARP storm quite quickly and point you to the potentially bad machines.
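The lease-list triage described in the post above, as an added example that is not part of the original thread: once every lease handed out is 15 minutes long, any lease still expiring later than "now plus 15 minutes" cannot have been renewed since the change, so its owner is off, infected or never ran the batch file. The script parses a constructed lease export (the CSV columns, the hostnames, the addresses and the check time of 11:00 are all assumptions standing in for whatever the real server exports), splits leases into renewed, stale and lapsed, and groups the stale ones by /24 so a segment worth cutting at the switch stands out.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Lease life handed out after the DHCP change.
LEASE_LIFE = timedelta(minutes=15)

# Assumed time of the check, roughly an hour after the change.
CHECK_TIME = datetime(2004, 5, 4, 11, 0, 0)

# Constructed sample lease list (not real data). The column layout is an
# assumption standing in for the DHCP server's own lease export.
SAMPLE_LEASES = """\
ip,mac,hostname,expires
172.16.0.10,00-11-22-33-44-0a,fileserver,2004-05-04 11:12:00
172.16.3.21,00-11-22-33-44-15,ws-acct-01,2004-05-04 11:09:30
172.16.3.22,00-11-22-33-44-16,ws-acct-02,2004-05-04 11:14:00
172.16.5.20,00-11-22-33-44-20,ws-eng-01,2004-05-11 09:00:00
172.16.5.21,00-11-22-33-44-21,ws-eng-02,2004-05-11 09:02:00
172.16.5.22,00-11-22-33-44-22,ws-eng-03,2004-05-11 09:05:00
172.16.5.23,00-11-22-33-44-23,ws-eng-04,2004-05-04 11:13:00
172.16.5.24,00-11-22-33-44-24,ws-eng-05,2004-05-11 09:07:00
172.16.7.40,00-11-22-33-44-40,ws-hr-01,2004-05-04 10:30:00
172.16.9.12,00-11-22-33-44-12,ws-lab-01,2004-05-10 16:40:00
172.16.9.13,00-11-22-33-44-13,ws-lab-02,2004-05-04 11:08:00
"""


def parse_leases(text):
    """Parse the CSV export into dicts with typed address and expiry fields."""
    leases = []
    for row in csv.DictReader(io.StringIO(text)):
        leases.append({
            "ip": ipaddress.ip_address(row["ip"]),
            "mac": row["mac"],
            "hostname": row["hostname"],
            "expires": datetime.strptime(row["expires"], "%Y-%m-%d %H:%M:%S"),
        })
    return leases


def triage(leases, now, lease_life=LEASE_LIFE):
    """Split leases by what their expiry says about the client.

    renewed: expires within one lease life of now, so the client has been
             back to the server since the lease time was cut.
    stale:   expires later than now + lease_life, impossible under the
             15-minute rule, so it is an old long lease: the host is off,
             infected or never ran the batch file.
    lapsed:  already expired; the host stopped renewing altogether.
    """
    cutoff = now + lease_life
    out = {"renewed": [], "stale": [], "lapsed": []}
    for lease in leases:
        if lease["expires"] <= now:
            out["lapsed"].append(lease)
        elif lease["expires"] > cutoff:
            out["stale"].append(lease)
        else:
            out["renewed"].append(lease)
    return out


def by_segment(leases, prefix_len=24):
    """Group addresses into /24s so a whole bad segment stands out."""
    groups = defaultdict(list)
    for lease in leases:
        net = ipaddress.ip_network(f"{lease['ip']}/{prefix_len}", strict=False)
        groups[str(net)].append(str(lease["ip"]))
    return {net: sorted(ips) for net, ips in groups.items()}


def segments_to_cut(leases, threshold=3, prefix_len=24):
    """Segments holding at least `threshold` stale hosts are the ones worth
    isolating at the switch before walking to individual machines."""
    return sorted(net for net, ips in by_segment(leases, prefix_len).items()
                  if len(ips) >= threshold)


if __name__ == "__main__":
    result = triage(parse_leases(SAMPLE_LEASES), CHECK_TIME)
    for kind in ("renewed", "stale", "lapsed"):
        print(kind, [str(lease["ip"]) for lease in result[kind]])
    print("cut at the switch first:", segments_to_cut(result["stale"]))
```

The threshold for cutting a segment is a judgement call; three stale hosts in one /24 is only a starting point, and a lapsed lease deserves the same visit as a stale one since in both cases nobody knows what the machine is doing.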

  #5 Senior Member (Join Date: Nov 2001, Posts: 1,255)

    Re: Preventing Sasser's ARP broadcast storm

    Originally posted here by Scimitar
    Hi folks,
    Regarding the network congestion due to the sassers worm, I've a question:
    [...]
    Anyone know of any other method to prevent these broadcast storms?
    If your entire network is not routed, then no, there is no way to prevent it other than not getting hit with Sasser in the first place. If this is a real issue, I'd suggest you get to work on fixing the source of the problem rather than treating its symptoms.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
