Preventing Sasser's ARP broadcast storm

Printable View

May 4th, 2004, 09:38 AM
Scimitar

Preventing Sasser's ARP broadcast storm

Hi folks,
Regarding the network congestion due to the sassers worm, I've a question:

Sasser spreads by scanning for machines in its own network, rite? This causes ARP broadcast storms, especially for a large network [172.16.0.0/16 Net with just 700 used IPs.. yes, a network design fiasco.. ]. I tried using the 'Fake ARP Daemon' [farpd] from the phlak distribution, so that it would respond to ARP requests for free IPs on the network. The idea was to have one machine respond to all ARP requests for non-assigned IPs, thus preventing broadcast storms. HOWEVER, its not working. The ARP requests are still flooding the network. So did I get my logic wrong? .. And anyone here have any experience with farpd? I can't even tell if the program is actually doing what its supposed to.

Anyone know of any other method to prevent these broadcast storms?

Danke,

_Scim_

P.S: This thread is actually a reproduction of what I'd posted earlier here. Couldn't get a response there.. if anyone has issues with the repetition.. my apologies.
May 4th, 2004, 11:07 AM
Tiger Shark

You aren't going to prevent the storm but maybe we can put it in a "teacup".

Some questions:-

1. Are all your clients subnet masked 255.255.0.0, (/16)?
2. Are your subnets broadly spread or are their just three or 4 subnets, (172.16.0.1, 0.2 etc.)
3. Are you using DHCP?
May 4th, 2004, 11:43 AM
Scimitar

Hey TS,

Yup, all the clients are masked with 255.255.0.0. And its all just one happy 65,000+ possible IPs subnet, with around 700 IPs actually in use. As for the third question, yup, we do use DHCP, but its not truly dynamic - IP addresses are binded to the MAC addresses of the machines.

TS, how would having DHCP or otherwise affect things here?

As an aside, I tried enabling BroadCast Storm Control on the switches in the network [we have 3Com SuperStack switches]. I thought this would mean frames would be just dropped randomly once the frame rate per second exceeded defined limit. And I was wrong. The switch closes down the port sending out the large number of frames, and keeps it closed till the frame rate actually goes down. In other words, the entire segment on that port would just be shut down. Just thought I'd share that bit of headache I'd crafted for myself today morning.

_Scim_
May 4th, 2004, 01:09 PM
Tiger Shark

I think that DHCP can save you some shoe leather.......

Go to the DHCP server and edit the parameters it provides. Set the subnet mask to 255.255.255.0, (/24), and, more importantly set the lease life to 15 minutes. I want you to set the lease life to 15 minutes so if this goes to hell in a handbasket and it crashes the network completely then you have 15 minutes to change the subnet mask back and then the clients will come for their new DHCP information in a very short time.

Then copy and paste this into a batch file:-

ipconfig /release
ipconfig /renew

Email the batch file to everyone as an attachment and tell them to click on it. Yep, I know a lot of the infected machines won't be able to do this but machines that are still clean and a small percentage of those infected may be able to get it done.

Leave the mask on the router as 255.255.0.0. This should allow computers to talk to each other but the fact that you have reduced the subnet mask on all the other PC's should bring the "storm" down quite significantly.

After an hour or so go to the DHCP server and list the address leases. Sort the column "Lease Expiration" and look at all the leases that are clearly not expiring under the 15 minute rule. That is a list of computers that are either switched off or are infected and the users aren't getting the email. Look carefully at the list. If you can see a large segment of the network that seems to be off/infected that could be quickly disconnected at a switch, do it. Then concentrate on the remaining individual machines. Clean them and patch them. Then move to your "cut off" segment and go around that cleaning and patching.

It's far from a "silver bullet" solution but it should bring down the ARP storm quite quickly and point you to the potentially bad machines.
May 4th, 2004, 02:14 PM
chsh

Re: Preventing Sasser's ARP broadcast storm

Quote:

Originally posted here by Scimitar
Hi folks,
Regarding the network congestion due to the sassers worm, I've a question:
[...]
Anyone know of any other method to prevent these broadcast storms?

If your entire network is not routed, the no, there is no way to prevent it other than not getting hit with Sasser in the first place. If this is a real issue I'd suggest you get to work on fixing the source of the problem, rather than treating its symptoms.