eth protocol 806(arp)

arbalest · March 11, 2016, 3:29pm

Hi All,
Need help, i have router board 450G and after monitoring LAN have high traffic, after checking at torch menu i find
eth protocol 806(arp) with dst address 0.0.0.0 with high traffic data.

How to know and block that packet,
cause LAN its runing slow effect from that.

Thanks, waiting for info

ZeroByte · March 11, 2016, 3:33pm

Note the source MAC address that’s originating the ARPs and then find the device with that MAC address.
Usually such traffic is actually a symptom caused by something else -

How high of a traffic volume are you seeing?

arbalest · March 12, 2016, 12:08am

how to know mac from the arp, cause At the arp not detected, cause source at torch its blank, 20-70 mbps for traffic local from the port.

need your help for any solution.

thanks

pe1chl · March 12, 2016, 1:08pm

Your ARP traffic is probably not the source of your problems, but a result.
You need to find out what is trying to send traffic to nonexistant addresses on your LAN and block that traffic
more upstream. Probably you are the victim of a DDOS.

arbalest · March 13, 2016, 12:23am

How to find the traffic and block it? cause i try to block the port, still same.
need help cause this case make me confuse.

thanks

pe1chl · March 13, 2016, 9:20am

You need to look more upstream (or at least on the incoming port of your router) what suspect traffic is
coming in to addresses that are within your subnet but are for addresses that are not active.

Once you identified that, you will probably not be able to do much yourself, but you need to talk to your
upstream provider to see if they can block this traffic. This is of course only possible when it can be
recognized as the unwanted traffic.

DDOS is a difficult problem. There is no simple fix, or everyone would apply it. Most solutions involve
a lot of expensive hardware, and so they are often offloaded to specialized companies.

Also in some cases it may be worthwhile to find why people want to bring down your service.
You may be able to solve that issue and the DDOS might stop.

arbalest · March 14, 2016, 12:24am

Sir,
Incoming traffic from user, for Upstream its clear n traffic running normal, for the first action maybe i will block the DDos, have that rule can impact to solved the problem.
i hope any idea if thats rule not solved the problem.

Thanks

nxs02 · March 14, 2016, 2:40am

can u show me image capture the eth proto when u torch it?

arbalest · March 14, 2016, 4:03am

this capture from torch
[img][http://prntscr.com/aez5b1[img](http://prntscr.com/aez5b1[img)]

nxs02 · March 14, 2016, 2:40pm

IMO its normal ARP packet but that make weird is it has consumed alot of yours bandwidth