Group: comp.os.linux.networking
From: Legend
Date: Sunday, March 09, 2008 11:02 PM
Subject: Re: Is an ARP Flooding possible?

Thank you so much for the response. That was exactly what I was
looking for. I was able to understand the way the routers were
functioning in the scenario but the only doubt I had was, if someone
keeps sending packets to a non-existent IP, I was not sure if the
router will keep sending ARP requests. If that was the case, then what
I was thinking was it would lead to an ARP flooding or some other
attack. But I think your answer explains it very clearly. Also thank
you for giving out an example. That makes it even clearer. Also,
thanks to Joseph who had mailed me a similar explanation. Now, I'll
read the RFC1122 - looks really interesting to me :) Thank You
again...

On Mar 9, 10:49 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On Sun, 9 Mar 2008, in the Usenet newsgroup comp.os.linux.networking, in
> article <11b19684-f36a-486f-85a4-332a6b1bd...@h25g2000hsf.googlegroups.com>,
>
> Legend wrote:
> >Is there a possibility of a DoS attack if an attacker sends traffic
> >to an IP which does not exists?
>
> To an _extremely_minor_ extent, yes. You'll want to see RFC1122 Section
> 2.3.2 and RFC1812 Section 3.3.2 for details, as well as RFC0826:
>
>   0826 Ethernet Address Resolution Protocol: Or Converting Network
>        Protocol Addresses to 48.bit Ethernet Address for Transmission on
>        Ethernet Hardware. D. Plummer. November 1982. (Format: TXT=21556
>        bytes) (Also STD0037) (Status: STANDARD)
>
>   1122 Requirements for Internet Hosts - Communication Layers. R.
>        Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updated
>        by RFC1349, RFC4379) (Also STD0003) (Status: STANDARD)
>
>   1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
>        (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated
>        by RFC2644) (Status: PROPOSED STANDARD)
>
> >So, does it always flood the ARP query on getting any of such traffic?
> >It doesn't matter whether there are switches in the subnet.
>
> ARP is a link level broadcast - so it would go to all switches/hosts
> on the subnet. But a well behaved router (or regular host) will not
> flood the network.
>
> >Does the router need to flood all switches or just send to the switch
> >which contains the corresponding subnet? I mean, suppose that there is
> >a router and a number of switches connected to it on either sides
> >(call these the left and right sides)
>
> Assumption - left and right sides are different subnets SUCH AS
> 192.168.1.0/24 and 192.168.3.0/24.
>
> >So when someone keeps sending a packet to a non-existent IP on the
> >right side, will the router keep flooding all the switches or is there
> >a mechanism at the router level or the switch level to prevent this
> >attack?
>
> It will send it only to the switches on the "right" side (because it
> knows the IP it's looking for isn't on the "left" side). If you read
> RFC1122, you'll find the _recommended_ method is to ARP once per
> second MAXIMUM per IP address, and the actual technique varies from
> this recommendation. Some systems send an ARP packet at a variable
> rate - one router I'm using sends 3 ARP packets at 5 second intervals,
> and two more at 15 second intervals. If no reply is received, and the
> attacker tries again, the attacker will receive an immediate ICMP Type
> 3 Code 1 (host unreachable) because the router knows the host isn't
> answering ARPs. This 'unreachable' entry expires off the cache
> normally in about a minute - though this is a configurable option. So
> with this router, the "flood" consists of five packets of 60 octets
> each, per address, per minute. Given that even the ancient 10Base$FOO
> Ethernet can easily cope with millions of times that rate...
>
>         Old guy
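As an added example (not part of the thread), a small Python model of the router behaviour Moe Trin describes above: a rate-limited ARP schedule, then a cached "unreachable" entry that is answered with ICMP Type 3 Code 1 instead of more ARP traffic, which is why a sustained stream of packets to a non-existent IP costs only five ARP requests per address per minute. The 5 s give-up delay after the last request and the 192.168.3.250 target address are assumptions; the schedule and the one-minute cache come from the post.

```python
from dataclasses import dataclass, field

# Integer milliseconds keep the simulation exact.  Schedule and TTL follow the
# post; the 5 s give-up delay after the last request is an assumption.
ARP_SCHEDULE_MS = (0, 5_000, 10_000, 25_000, 40_000)  # 3 at 5 s, then 2 at 15 s
GIVE_UP_MS = 45_000                   # assumed: give up 5 s after the last ARP
NEG_CACHE_TTL_MS = 60_000             # "expires off the cache ... in about a minute"
RFC1122_MIN_ARP_INTERVAL_MS = 1_000   # RFC1122 2.3.2.1: at most one ARP/s per IP

@dataclass
class Resolution:
    started: int
    sent: int = 0
    last_sent: int = -1_000_000       # sentinel far in the past: first ARP allowed

@dataclass
class Router:
    pending: dict = field(default_factory=dict)       # ip -> Resolution
    unreachable: dict = field(default_factory=dict)   # ip -> negative-entry expiry
    arp_requests: list = field(default_factory=list)  # (time_ms, ip) put on the wire
    icmp_unreachable: int = 0                         # ICMP Type 3 Code 1 replies

    def handle_packet(self, now: int, dst_ip: str) -> str:
        expiry = self.unreachable.get(dst_ip)
        if expiry is not None:
            if now < expiry:              # negative cache hit: no ARP, immediate ICMP
                self.icmp_unreachable += 1
                return "icmp-unreachable"
            del self.unreachable[dst_ip]  # entry aged out; resolution starts over
        res = self.pending.setdefault(dst_ip, Resolution(started=now))
        # Emit each scheduled request once it is due, never faster than 1/s.
        while (res.sent < len(ARP_SCHEDULE_MS)
               and now >= res.started + ARP_SCHEDULE_MS[res.sent]
               and now - res.last_sent >= RFC1122_MIN_ARP_INTERVAL_MS):
            self.arp_requests.append((now, dst_ip))
            res.sent, res.last_sent = res.sent + 1, now
        if res.sent == len(ARP_SCHEDULE_MS) and now >= res.started + GIVE_UP_MS:
            del self.pending[dst_ip]      # all requests unanswered: cache "unreachable"
            self.unreachable[dst_ip] = now + NEG_CACHE_TTL_MS
            self.icmp_unreachable += 1
            return "icmp-unreachable"
        return "dropped-pending-arp"

def simulate_flood(duration_ms: int, interval_ms: int, dst_ip: str = "192.168.3.250") -> dict:
    """One packet every interval_ms for duration_ms to an IP that never answers ARP."""
    router, counts = Router(), {"icmp-unreachable": 0, "dropped-pending-arp": 0}
    for t in range(0, duration_ms, interval_ms):
        counts[router.handle_packet(t, dst_ip)] += 1
    return {"packets_in": sum(counts.values()), "arp_requests": len(router.arp_requests),
            "arp_times_s": [t // 1000 for t, _ in router.arp_requests], **counts}
```

`simulate_flood(60_000, 10)` models 100 packets per second for a minute: 6000 packets in, five ARP requests out (at 0, 5, 10, 25 and 40 s), and from 45 s onward every packet is answered from the negative cache. Slowing the sender down does not help either: the one-per-second cap keeps deferred requests from being sent in a burst.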
