Comware
ARP attack? Storm? Or normal behavior

  • 1.  ARP attack? Storm? Or normal behavior

    Posted Jan 18, 2023 02:41 AM
    Hi,

    I have 2x 5710 in IRF. This is connected to the internet (uplink to the DC, 1 port from each in LACP). The default route points to an IP on the DC router, where BGP for our network is.

    Now, in VLAN 159 I have two public /24 networks from our /22, e.g. the 1.1.1.0/24 subnet and 1.1.3.0/24.

    Now I see that I have a huge number of broadcast ARP requests across all servers. Many of the requests are for unconnected IPs. Here is a dump from one server. The .40 IP is not active.

    sudo tcpdump -i eth0 -nn -v -s 0 -c 5011 broadcast|grep 1.1.1.40
    08:12:07.030653 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:12:08.530888 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:12:11.525518 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:12:33.399333 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:12:35.531024 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:12:38.524394 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:12:59.301789 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:00.524184 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:02.528513 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:25.168384 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:27.526131 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:29.528853 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:51.344531 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:53.533999 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
    08:13:56.526344 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46

    Is it normal behavior, or is it a problem? Can I cache a not-active IP in ARP? Or block it?

    Thank you

    Pavel
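The capture in the post above has a recognisable shape: the gateway 1.1.1.1 asks for the unused address 1.1.1.40 in bursts of three requests (about 1.5 s and 3 s apart, which looks like resolution retries), and the bursts recur roughly every 25 s. A router only ARPs for a directly connected address when it has a packet to forward to it, so the thing to check next is what traffic is arriving for .40 on the uplink; the ARP requests themselves are the symptom, not the source. The following Python script is an added example, not code from the thread or from HPE: it parses `tcpdump -v` ARP output, counts request bursts per target, and tells apart a sender that keeps re-asking for addresses that never reply (gateway behaviour for unused IPs) from a sender that asks for many different targets in a short window (scan-like) or an aggregate rate high enough to call a storm. The 15 request lines in the sample are copied from the post; the sender 1.1.1.77, the targets .201-.203 and the reply line are constructed to exercise the scan branch, and the thresholds are assumptions you should tune to your own network.

```python
import re
from collections import defaultdict

# Sample input: the first 15 lines are copied from the tcpdump output in the post above
# (already filtered for 1.1.1.40). The last four lines are constructed, not from the post,
# so that the scan-like branch and the reply handling are exercised.
SAMPLE = """\
08:12:07.030653 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:12:08.530888 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:12:11.525518 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:12:33.399333 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:12:35.531024 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:12:38.524394 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:12:59.301789 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:00.524184 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:02.528513 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:25.168384 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:27.526131 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:29.528853 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:51.344531 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:53.533999 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:56.526344 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.40 tell 1.1.1.1, length 46
08:13:57.000001 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.201 tell 1.1.1.77, length 46
08:13:57.010002 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.202 tell 1.1.1.77, length 46
08:13:57.020003 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 1.1.1.203 tell 1.1.1.77, length 46
08:13:57.030004 ARP, Ethernet (len 6), IPv4 (len 4), Reply 1.1.1.203 is-at 02:00:00:00:00:03, length 28
"""

# Matches the "tcpdump -v" ARP line format shown in the post (request or reply).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, .*?"
    r"(?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<answered>[\d.]+) is-at)"
)


def to_seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (captures crossing midnight are not handled)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Return (requests, replied): requests is a list of (t, sender, target),
    replied is the set of IPs that answered with an ARP Reply in the capture."""
    requests, replied = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-ARP or continuation line
        if m.group("target"):
            requests.append((to_seconds(m.group("ts")), m.group("sender"), m.group("target")))
        else:
            replied.add(m.group("answered"))
    return requests, replied


def bursts(requests, target, gap=10.0):
    """Sizes of the request bursts for one target. Requests closer than `gap` seconds
    are one burst (a router's retries for one forwarding attempt); a longer pause
    starts a new burst, i.e. a new packet arrived for that address."""
    sizes, last = [], None
    for t in sorted(t for t, _, tgt in requests if tgt == target):
        if last is not None and t - last < gap:
            sizes[-1] += 1
        else:
            sizes.append(1)
        last = t
    return sizes


def classify(requests, replied, window=1.0, scan_targets=3, storm_rate=100.0):
    """Per-sender verdict (thresholds are assumptions, tune them):
       'scan'       - asks for >= scan_targets distinct addresses within `window` seconds
       'unanswered' - only ever asks for addresses that never reply in this capture
                      (what a gateway does when packets keep arriving for unused IPs)
       'normal'     - anything else
    Also returns whether the aggregate request rate exceeds storm_rate requests/s."""
    by_sender = defaultdict(list)
    for t, sender, target in requests:
        by_sender[sender].append((t, target))
    verdicts = {}
    for sender, events in by_sender.items():
        events.sort()
        verdict = "normal"
        for i, (t0, _) in enumerate(events):
            if len({tgt for t, tgt in events[i:] if t - t0 <= window}) >= scan_targets:
                verdict = "scan"
                break
        if verdict == "normal" and all(tgt not in replied for _, tgt in events):
            verdict = "unanswered"
        verdicts[sender] = verdict
    times = [t for t, _, _ in requests]
    span = (max(times) - min(times)) if times else 0.0
    storm = len(requests) / max(span, 1.0) > storm_rate
    return verdicts, storm


if __name__ == "__main__":
    reqs, replied = parse(SAMPLE)
    print("bursts for 1.1.1.40:", bursts(reqs, "1.1.1.40"))
    print("verdicts, storm:", classify(reqs, replied))
```

Run it against a real capture with `sudo tcpdump -i eth0 -nn -v -l arp | python3 arp_triage.py` after swapping `SAMPLE` for `sys.stdin.read()`; capture without the `grep` so replies are seen, otherwise every sender looks 'unanswered'. A gateway repeatedly re-asking for a handful of dead addresses is consistent with inbound traffic to those addresses and is best confirmed with a second capture on the uplink filtered for the destination IP; many distinct targets from one host inside the VLAN, or an aggregate rate in the hundreds per second, is what to treat as a scan or storm.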


  • 2.  RE: ARP attack? Storm? Or normal behavior

    MVP GURU
    Posted Jan 19, 2023 02:53 PM
    Isn't the Public 1.1.1.1 IP address owned by Cloudflare DNS?


  • 3.  RE: ARP attack? Storm? Or normal behavior

    Posted Jan 20, 2023 06:55 AM
    It is an example only. Not my real IP :)