# Strange Log!!!

## Bash[DevNull]

```
Dec 16 07:43:05 devnull NET: 299 messages suppressed.

Dec 16 07:43:05 devnull Neighbour table overflow.

Dec 16 07:43:09 devnull NET: 153 messages suppressed.

Dec 16 07:43:09 devnull Neighbour table overflow.

Dec 16 07:43:14 devnull NET: 4 messages suppressed.

Dec 16 07:43:14 devnull Neighbour table overflow.
```

What it is? And how to defence?

----------

## dice

Try increasing the values in /proc/sys/net/ipv4/neigh/gc_thresh1 , /proc/sys/net/ipv4/neigh/gc_thresh2 , and /proc/sys/net/ipv4/neigh/gc_thresh3

----------

## Bash[DevNull]

Ok, i'll do it. But plz describe me, what happend and where i can learn about it more.

It is some kind of network attack or something else?

----------

## dice

From looking over the code in /usr/src/linux/net/core/neighbour.c I'm guessing it has to do with keeping track of ARP requests.  If you have a very noisy network with a lot of ARPs that aren't getting resolved properly the kernel could run out of these neighbor structures that are keeping track of the status of these requests.

----------

## Bash[DevNull]

Yes, we have big LAN, with many Windows with MSBLAST virus and other (msblast flood net with arp-request's).... look like truth, but i have't see this before....

----------

## Deathwing00

I have the same problem but...

```
default # ls -al

total 0

dr-xr-xr-x    2 root     root            0 Dec 20 12:53 .

dr-xr-xr-x    6 root     root            0 Dec 20 12:52 ..

-rw-r--r--    1 root     root            0 Dec 20 12:54 anycast_delay

-rw-r--r--    1 root     root            0 Dec 20 12:54 app_solicit

-rw-r--r--    1 root     root            0 Dec 20 12:54 base_reachable_time

-rw-r--r--    1 root     root            0 Dec 20 12:54 delay_first_probe_time

-rw-r--r--    1 root     root            0 Dec 20 12:54 gc_interval

-rw-r--r--    1 root     root            0 Dec 20 12:54 gc_stale_time

-rw-r--r--    1 root     root            0 Dec 20 12:54 gc_thresh1

-rw-r--r--    1 root     root            0 Dec 20 12:54 gc_thresh2

-rw-r--r--    1 root     root            0 Dec 20 12:54 gc_thresh3

-rw-r--r--    1 root     root            0 Dec 20 12:54 locktime

-rw-r--r--    1 root     root            0 Dec 20 12:54 mcast_solicit

-rw-r--r--    1 root     root            0 Dec 20 12:54 proxy_delay

-rw-r--r--    1 root     root            0 Dec 20 12:54 proxy_qlen

-rw-r--r--    1 root     root            0 Dec 20 12:54 retrans_time

-rw-r--r--    1 root     root            0 Dec 20 12:54 ucast_solicit

-rw-r--r--    1 root     root            0 Dec 20 12:54 unres_qlen

```

```
eth0 # ls -al

total 0

dr-xr-xr-x    2 root     root            0 Dec 20 12:55 .

dr-xr-xr-x    6 root     root            0 Dec 20 12:52 ..

-rw-r--r--    1 root     root            0 Dec 20 12:55 anycast_delay

-rw-r--r--    1 root     root            0 Dec 20 12:55 app_solicit

-rw-r--r--    1 root     root            0 Dec 20 12:55 base_reachable_time

-rw-r--r--    1 root     root            0 Dec 20 12:55 delay_first_probe_time

-rw-r--r--    1 root     root            0 Dec 20 12:55 gc_stale_time

-rw-r--r--    1 root     root            0 Dec 20 12:55 locktime

-rw-r--r--    1 root     root            0 Dec 20 12:55 mcast_solicit

-rw-r--r--    1 root     root            0 Dec 20 12:55 proxy_delay

-rw-r--r--    1 root     root            0 Dec 20 12:55 proxy_qlen

-rw-r--r--    1 root     root            0 Dec 20 12:55 retrans_time

-rw-r--r--    1 root     root            0 Dec 20 12:55 ucast_solicit

-rw-r--r--    1 root     root            0 Dec 20 12:55 unres_qlen

```

All files are empty... am I missing anything?

----------

## thodi

 *Deathwing00 wrote:*   

> 
> 
> All files are empty... am I missing anything?

 

No. They're not really files, they reside in memory only. The file system is emulated by the kernel. You can "cat" into and out of those files, though -- just try it.

```

thodi@philips-linux:/proc/sys/net/ipv4/neigh/default$ for i in *; do echo -n "$i: "; cat $i; done

anycast_delay: 100

app_solicit: 0

base_reachable_time: 30

delay_first_probe_time: 5

gc_interval: 30

gc_stale_time: 60

gc_thresh1: 128

gc_thresh2: 512

gc_thresh3: 1024

locktime: 100

mcast_solicit: 3

proxy_delay: 80

proxy_qlen: 64

retrans_time: 100

ucast_solicit: 3

unres_qlen: 3

thodi@philips-linux:/proc/sys/net/ipv4/neigh/default$ 

```

----------

## Deathwing00

```
default # cat gc_thresh1

128

default # cat gc_thresh2

512

default # cat gc_thresh3

1024

```

Shall I use a simple '>' to change the value (echo "2048" > gc_threash3)? Will the values be reloaded on next boot?

----------

## Bash[DevNull]

 *Deathwing00 wrote:*   

> 
> 
> Shall I use a simple '>' to change the value (echo "2048" > gc_threash3)? Will the values be reloaded on next boot?

 

You can. But when reboot all values will be skiped to default. To do this automaticly at startup use scripts or just /etc/sysctl.conf and man sysctl.

To know more about - http://www.gentoo.org/doc/en/gentoo-security.xml in chapter "10. Kernel security"

----------

## Bash[DevNull]

 *Bash[DevNull] wrote:*   

> Ok, i'll do it. But plz describe me, what happend and where i can learn about it more.
> 
> It is some kind of network attack or something else?

 

So...., who can help me in this questions?

----------

