Date: Sat, 23 Oct 93 04:30:02 PDT
From: Advanced Amateur Radio Networking Group <tcp-group@ucsd.edu>
Errors-To: TCP-Group-Errors@UCSD.Edu
Reply-To: TCP-Group@UCSD.Edu
Precedence: Bulk
Subject: TCP-Group Digest V93 #275
To: tcp-group-digest


TCP-Group Digest            Sat, 23 Oct 93       Volume 93 : Issue  275

Today's Topics:
                     Kind of interesting problem.
                              Subscribe

Send Replies or notes for publication to: <TCP-Group@UCSD.Edu>.
Subscription requests to <TCP-Group-REQUEST@UCSD.Edu>.
Problems you can't solve otherwise to brian@ucsd.edu.

Archives of past issues of the TCP-Group Digest are available
(by FTP only) from UCSD.Edu in directory "mailarchives".

We trust that readers are intelligent enough to realize that all text
herein consists of personal comments and does not represent the official
policies or positions of any party.  Your mileage may vary.  So there.
----------------------------------------------------------------------

Date: 22 Oct 93 11:24:21 PDT
From: "Ray Abbitt" <treab@chevron.com>
Subject: Kind of interesting problem.
To: tcp-group@UCSD.EDU, tfrco@chevron.com

To: OAS     --SSWSMTP  OPEN ADDRESSING SE TFRCO   --HOVMC    F. H. COLETTI

*** Resending note of 10/22/93 09:53
FROM:  Ray Abbitt
CPK D1239  842-2239
SUBJECT: Kind of interesting problem.
>From: Glenn Davis <davis@alien.vax.syncrude.com>
>Subject: TCP broadcast storm
>I am troubleshooting a particularly devilish network problem.  About two
>days ago I started seeing very high TCP broadcast traffic on our internal
>TCP/IP network.  After taking a network sniffer to the problem I discovered
>packets like:
<most of trace deleted>

>    src=255.255.255.255  dest=255.255.255.255

I ran this by one of the other guys at work and got this reply:

FROM:  FRANK H. COLETTI(FRCO@CHEVRON.COM)
Subject: Kind of interesting problem.
Ray: This is a known bug in TCP traffic and was probably started by
someone who intentionally wanted this to happen. As far as I understand it
you can start it by custom making an ARP packet, or some other such packet,
and instead of putting your MAC address in the source field, you put the
broadcast address. This causes other machines that get the packet via the
broadcast to respond and automatically put in the original packet's
source address--in this case, the broadcast address again. This causes
a "Broadcast Storm" and what you saw is exactly what happens. It brings
the network to its knees. In one of the classes I attended they said
that some college guy did it on the Internet a couple of years ago and
promptly brought the Internet down.

I'm not sure how to stop it. The only way I can think of is to isolate
your network so that you don't get any new packets, and perhaps shut
off RIP, ARP, or any processes or machines that might receive the packet
and regenerate the packet by replying, wait a while for things to die
down, and then bring everything back on line.
FRANK.


(I don't know how badly this message will be mangled by our company
gateway--Email here is IBM Office Vision/VM)

Hope this helps.
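
[Added example, not part of the original messages.] The reply above
describes hosts answering a packet whose source is the broadcast address.
A receiver or monitor can refuse to answer such frames; this Python check
flags them. All names and the sample frames are constructed for illustration.

```python
import struct

BCAST_MAC = b"\xff" * 6
BCAST_IP = b"\xff" * 4

def mac_is_group(mac):
    # Low bit of the first octet marks a broadcast or multicast MAC address.
    return bool(mac[0] & 0x01)

def ip_bad_source(ip):
    # Limited broadcast or class D multicast is never a legitimate source.
    return ip == BCAST_IP or (ip[0] & 0xF0) == 0xE0

def check_frame(frame):
    """Return reasons this frame must be dropped and never answered."""
    if len(frame) < 14:
        return ["truncated Ethernet header"]
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload, reasons = frame[14:], []
    if mac_is_group(src):
        reasons.append("Ethernet source is broadcast/multicast")
    if ethertype == 0x0806 and len(payload) >= 28:    # ARP for Ethernet/IPv4
        if mac_is_group(payload[8:14]):
            reasons.append("ARP sender hardware address is broadcast/multicast")
        if ip_bad_source(payload[14:18]):
            reasons.append("ARP sender IP is broadcast/multicast")
    elif ethertype == 0x0800 and len(payload) >= 20:  # IPv4
        if ip_bad_source(payload[12:16]):
            reasons.append("IPv4 source is broadcast/multicast")
    return reasons

# --- constructed sample frames (not captured traffic) ---
HOST = bytes.fromhex("020000000001")   # made-up unicast MAC

def arp_frame(eth_src, sha, spa):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sha, spa, bytes(6), bytes([10, 0, 0, 2]))
    return BCAST_MAC + eth_src + b"\x08\x06" + arp

def ipv4_frame(eth_src, src_ip, dst_ip):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src_ip, dst_ip)
    return BCAST_MAC + eth_src + b"\x08\x00" + hdr

SAMPLES = {
    "normal ARP request": arp_frame(HOST, HOST, bytes([10, 0, 0, 1])),
    "ARP with broadcast sender": arp_frame(BCAST_MAC, BCAST_MAC, bytes([10, 0, 0, 1])),
    "IP src=dest=255.255.255.255": ipv4_frame(HOST, BCAST_IP, BCAST_IP),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", check_frame(frame) or "ok")
```

The third sample mirrors the src=255.255.255.255 dest=255.255.255.255
line quoted from the trace; dropping it on receipt breaks the reply loop.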

------------------------------

Date: Fri, 22 Oct 93 00:46:48 EDT
From: jerrys@a4430jxs.esr.hp.com (Jerry Simon)
Subject: Subscribe
To: tcp-group@ucsd.edu

Subscribe

jerrys@a4430ux.esr.hp.com

------------------------------

End of TCP-Group Digest V93 #275
******************************