ARP Storm, what does this mean?

I’m getting like 1000-3000 ARP requests a second from my Mikrotik Router on the public IPs it’s routing at times, which is killing everything in my broadcast domain.

What does this mean?

Is this a DOS or DDOS attack from the outside?

How do I limit this behavior in MT??

Seems like there should be something in MT that says, “Hey, I only need to ARP for the availability of these addresses once a minute”. Right??

Which MAC is sending ARPs, your router or the ISP’s router?

Sam

This is on our broadcast domain, so it’s our internal interface and our MT internal interface MAC and gateway IP for our public customers.

In other words we have a range 209.53.56.0/22 and 209.53.59.254 on the internal network interface as the customer Gateway.

The ARP requests are storming thousands per second from 209.53.59.254, the MT gateway IP, in bursts.

They climb up so that it’s doing .79, .80, .81 etc. etc.

Is there incoming traffic from the WAN that corresponds to these? I am guessing someone outside is either ICMP, UDP tracert, or doing SYNs to your IPs and your router is simply trying to find the other side … What’s the packets per second on both the internal and external iface?

Sam

That’s what I was thinking.

I did a torch and didn’t see any highly unusual traffic, though it’s hard to tell when it’s 45Mbps of traffic going through it at any given time.

I didn’t notice unusually high packet counts on the interface either.

But I’m sure it was something from the outside.

How do I limit the ARP behavior of the MT?
And why does it feel the need to forward a gazillion broadcast ARPs in these situations?

I need a limiter in MT for this or a filter rule on the external interface to clamp it down somehow.
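
The pattern described in this thread (one gateway IP sending bursts of ARP requests whose targets climb .79, .80, .81) can be confirmed from a capture on the broadcast domain. The following is an added example, not part of the original posts: it assumes ARP lines in the text format printed by `tcpdump -n arp`, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in tcpdump's ARP text format (not captured from the
# poster's network): the gateway asks for 40 consecutive addresses within
# one second, plus one ordinary request from a customer host.
SAMPLE = "\n".join(
    f"12:00:01.{i:06d} ARP, Request who-has 209.53.56.{79 + i} "
    f"tell 209.53.59.254, length 28"
    for i in range(40)
) + ("\n12:00:01.500000 ARP, Request who-has 209.53.59.254 "
     "tell 209.53.56.10, length 28\n")

# HH:MM:SS, target IP (optionally followed by a MAC in parentheses), sender IP.
ARP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (\S+)(?: \(\S+\))? tell ([^,\s]+),"
)

def arp_sweeps(text, min_targets=20, min_sequential=0.8):
    """Return {(second, sender): (distinct_targets, sequential_fraction)}
    for senders that ARP for many distinct, mostly consecutive addresses
    inside a single one-second bucket."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            sec, target, sender = m.groups()
            buckets[(sec, sender)].append(int(ip_address(target)))
    findings = {}
    for key, targets in buckets.items():
        uniq = sorted(set(targets))
        if len(uniq) < min_targets:
            continue  # normal ARP chatter, not a sweep
        # Fraction of neighbouring targets that differ by exactly one address.
        steps = sum(1 for a, b in zip(uniq, uniq[1:]) if b - a == 1)
        frac = steps / max(len(uniq) - 1, 1)
        if frac >= min_sequential:
            findings[key] = (len(uniq), round(frac, 2))
    return findings

if __name__ == "__main__":
    for (sec, sender), (count, frac) in arp_sweeps(SAMPLE).items():
        print(f"{sec} {sender}: {count} distinct targets, {frac:.0%} sequential")
```

A high sequential fraction from the gateway's own IP points at the router resolving addresses for inbound traffic that walks the subnet, which is the case to check against WAN-side packet captures for the same seconds.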