On Sun, 9 Mar 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <11b19684-f36a-486f-85a4-332a6b1bd958@h25g2000hsf.googlegroups.com>,
Legend wrote:
>Is there a possibility of a DoS attack if an attacker sends traffic
>to an IP which does not exist?
To an _extremely_minor_ extent, yes. You'll want to see RFC1122 Section
2.3.2 and RFC1812 Section 3.3.2 for details, as well as RFC0826:
  RFC0826  Ethernet Address Resolution Protocol: Or Converting Network
           Protocol Addresses to 48.bit Ethernet Address for Transmission on
           Ethernet Hardware. D. Plummer. November 1982. (Format: TXT=21556
           bytes) (Also STD0037) (Status: STANDARD)

  RFC1122  Requirements for Internet Hosts - Communication Layers. R.
           Braden, Ed. October 1989. (Format: TXT=295992 bytes) (Updated
           by RFC1349, RFC4379) (Also STD0003) (Status: STANDARD)

  RFC1812  Requirements for IP Version 4 Routers. F. Baker, Ed. June 1995.
           (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated
           by RFC2644) (Status: PROPOSED STANDARD)
>So, does it always flood the ARP query on getting any of such traffic?
>It doesn't matter whether there are switches in the subnet.
ARP is a link level broadcast - so it would go to all switches/hosts
on the subnet. But a well behaved router (or regular host) will not
flood the network.
>Does the router need to flood all switches or just send to the switch
>which contains the corresponding subnet? I mean, suppose that there is
>a router and a number of switches connected to it on either sides
>(call these the left and right sides)
Assumption - left and right sides are different subnets SUCH AS
192.168.1.0/24 and 192.168.3.0/24.
>So when someone keeps sending a packet to a non-existent IP on the
>right side, will the router keep flooding all the switches or is there
>a mechanism at the router level or the switch level to prevent this
>attack?
It will send it only to the switches on the "right" side (because it
knows the IP it's looking for isn't on the "left" side). If you read
RFC1122, you'll find the _recommended_ method is to ARP once per
second MAXIMUM per IP address, and the actual technique varies from
this recommendation. Some systems send an ARP packet at a variable
rate - one router I'm using sends 3 ARP packets at 5 second intervals,
and two more at 15 second intervals. If no reply is received, and the
attacker tries again, the attacker will receive an immediate ICMP Type
3 Code 1 (host unreachable) because the router knows the host isn't
answering ARPs. This 'unreachable' entry expires off the cache
normally in about a minute - though this is a configurable option. So
with this router, the "flood" consists of five packets of 60 octets
each, per address, per minute. Given that even the ancient 10Base$FOO
Ethernet can easily cope with millions of times that rate...
Old guy
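The router behaviour the post describes (a bounded probe schedule per unknown address, then a short-lived "unreachable" entry that answers further packets with ICMP Type 3 Code 1 and puts nothing more on the LAN) can be modelled to see where the 5-frames-per-address-per-minute figure comes from. The following is an added example written for this page, not code from the post or from any router vendor. The probe offsets 0/5/10/25/40 s, the 5 s wait after the last probe, the 60 s lifetime of the whole entry, holding one queued packet while resolving, and the 192.168.3.x addresses are all assumptions chosen to match the post's description; a real implementation would keep resolved entries alive longer than incomplete ones.

```python
"""Toy model of a router ARP resolver with probe rate limiting and a
short-lived "unreachable" entry, as described in the post above.
Added example; timers and addresses are assumed, not taken from any product."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed values (the post gives the shape, not exact timers):
PROBE_OFFSETS = (0.0, 5.0, 10.0, 25.0, 40.0)  # 3 probes 5 s apart, then 2 more 15 s apart
LAST_PROBE_WAIT = 5.0   # how long to wait for a reply to the final probe
ENTRY_TTL = 60.0        # whole entry lifetime, "about a minute" in the post
ARP_FRAME_OCTETS = 60   # minimum Ethernet frame, the figure the post uses


@dataclass
class Entry:
    created: float
    mac: Optional[str] = None   # set once an ARP reply arrives
    probes_sent: int = 0
    queued: int = 0             # packets held while resolving (RFC1122 asks for at least one)

    def state(self, now: float) -> str:
        if self.mac is not None:
            return "resolved"
        if (self.probes_sent < len(PROBE_OFFSETS)
                or now < self.created + PROBE_OFFSETS[-1] + LAST_PROBE_WAIT):
            return "incomplete"
        return "unreachable"


@dataclass
class ArpResolver:
    entries: Dict[str, Entry] = field(default_factory=dict)
    wire: List[Tuple[float, str, str]] = field(default_factory=list)   # ARP requests that hit the LAN
    icmp_sent: List[Tuple[float, str]] = field(default_factory=list)   # Type 3 Code 1 replies

    def _advance(self, now: float) -> None:
        """Expire old entries and send any probes that are due (never more than the schedule)."""
        for ip, e in list(self.entries.items()):
            if now >= e.created + ENTRY_TTL:
                del self.entries[ip]   # resolved entries would normally live longer; kept simple
                continue
            while (e.mac is None and e.probes_sent < len(PROBE_OFFSETS)
                   and now >= e.created + PROBE_OFFSETS[e.probes_sent]):
                self.wire.append((e.created + PROBE_OFFSETS[e.probes_sent], "arp-request", ip))
                e.probes_sent += 1

    def forward(self, now: float, dst_ip: str) -> str:
        """A packet for dst_ip on a directly attached subnet arrives at time now."""
        self._advance(now)
        e = self.entries.get(dst_ip)
        if e is None:
            e = self.entries[dst_ip] = Entry(created=now)
            self._advance(now)          # first probe goes out immediately
        st = e.state(now)
        if st == "resolved":
            return "forwarded"
        if st == "unreachable":         # no new ARP traffic; the sender is told immediately
            self.icmp_sent.append((now, dst_ip))
            return "icmp-host-unreachable"
        e.queued = min(e.queued + 1, 1)  # hold one packet, drop the rest silently
        return "queued"

    def arp_reply(self, now: float, ip: str, mac: str) -> None:
        self._advance(now)
        e = self.entries.get(ip)
        if e is not None:
            e.mac = mac


def wire_cost_under_load(packet_interval: float, duration: float,
                         dst_ip: str = "192.168.3.77") -> dict:
    """Send one packet every packet_interval seconds for duration seconds to an
    address nobody answers for, and report what actually reached the LAN."""
    r = ArpResolver()
    verdicts: Dict[str, int] = {}
    for i in range(int(duration / packet_interval)):
        v = r.forward(i * packet_interval, dst_ip)   # multiply, don't accumulate float error
        verdicts[v] = verdicts.get(v, 0) + 1
    return {
        "arp_frames": len(r.wire),
        "arp_octets": len(r.wire) * ARP_FRAME_OCTETS,
        "arp_frames_per_minute": len(r.wire) / (duration / 60.0),
        "icmp_unreachable": len(r.icmp_sent),
        "verdicts": verdicts,
    }


def live_host_demo() -> List[str]:
    """Same resolver with a host that answers: one probe, then normal forwarding."""
    r = ArpResolver()
    out = [r.forward(0.0, "192.168.3.10")]                   # constructed address
    r.arp_reply(0.2, "192.168.3.10", "00:11:22:33:44:55")    # constructed reply
    out.append(r.forward(0.3, "192.168.3.10"))
    return out


if __name__ == "__main__":
    print(wire_cost_under_load(packet_interval=0.5, duration=600.0))
    print(live_host_demo())
```

Driving the model with two packets per second for ten minutes at an address nobody owns puts 50 ARP requests (3000 octets) on the segment, five per minute, regardless of how fast the packets arrive; everything after the probe schedule is exhausted is answered with an ICMP host-unreachable that never touches the LAN. The knobs that bound the exposure are the probe count and the negative-entry lifetime, which is what to check on a real router rather than the raw packet rate.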