We are an ISP and are having some weird issues going on. We have a /23 pool of addresses being handed out with the Mikrotik DHCP server. I did a Wireshark capture and the MT router is putting out hundreds of ARP requests per second. I’m pretty sure that’s not normal… but I guess I don’t have much to compare it to. DHCP leases are set to 8 hours and IP → Settings → ARP Timeout is set to 4 hours (I increased it from 30 seconds). No impact on ARP traffic.
Is this expected behavior? If not, how would I go about fixing it?
Thanks!
Are these for all the unused IPs in your network? Probably traffic coming to your network trying to figure out who is going to answer them. Maybe you can blackhole/null route that traffic if it’s unused.
Good call. I checked that and yes they are. If it’s ARPing for every packet destined for an unused address, and we are seeing that many packets per second, we must be getting DDoSed, right?
There must be a good way to have the router not even try to ARP for addresses that don’t have a DHCP lease. Perhaps a DHCP server script that adds leased addresses to an address list with an expiration equal to the lease time. Then a firewall rule dropping traffic destined to the DHCP pool range that’s not one of the addresses in the leased addresses list? Would that work? What would that script look like?
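One way to build what the post above describes, written as an added example (not the poster's configuration and not something from the Mikrotik docs verbatim). It assumes a DHCP server named dhcp-pool, a customer-facing interface ether2, a pool of 203.0.113.0/23 (documentation range standing in for the real one), an 8 hour lease time and an address list named dhcp-leased; change those to match the real setup. The lease script runs on every bind/release, so the address list tracks the lease table; the forward rule then drops transit packets to any pool address that has no lease, so the router never has to ARP for it.

```routeros
# --- 1. Lease hook: paste this whole block as the DHCP server's lease-script ---
# RouterOS passes $leaseBound (1 = bound, 0 = released), $leaseActIP and
# $leaseActMAC into lease-script. Names below are assumptions for this example.
:local listName "dhcp-leased"
:local leaseTime 8h

:if ($leaseBound = 1) do={
    # Renewal: refresh the timeout on the existing entry instead of adding a
    # duplicate, which older RouterOS versions reject with "already have such entry".
    :local existing [/ip firewall address-list find list=$listName address=$leaseActIP]
    :if ([:len $existing] > 0) do={
        /ip firewall address-list set $existing timeout=$leaseTime comment=$leaseActMAC
    } else={
        /ip firewall address-list add list=$listName address=$leaseActIP \
            timeout=$leaseTime comment=$leaseActMAC
    }
} else={
    # Lease released or expired: drop the entry right away rather than waiting
    # for the timeout, so traffic to the now-unused address is blocked at once.
    /ip firewall address-list remove [/ip firewall address-list find \
        list=$listName address=$leaseActIP]
}

# --- 2. Attach the hook and seed the list from leases that already exist ---
# (run once from the terminal; the hook only fires on future bind/release events)
/ip dhcp-server set [find name="dhcp-pool"] lease-script=[/system script get dhcp-lease-hook source]
:foreach l in=[/ip dhcp-server lease find status=bound] do={
    :local ip [/ip dhcp-server lease get $l address]
    :local mac [/ip dhcp-server lease get $l mac-address]
    :if ([:len [/ip firewall address-list find list="dhcp-leased" address=$ip]] = 0) do={
        /ip firewall address-list add list="dhcp-leased" address=$ip timeout=8h comment=$mac
    }
}

# --- 3. Drop transit traffic to pool addresses that have no lease ---
# Forward chain only: traffic to the router's own gateway address in the /23
# (DNS, DHCP unicast renewals, management) goes through input and is untouched.
/ip firewall filter add chain=forward dst-address=203.0.113.0/23 \
    dst-address-list=!dhcp-leased action=drop \
    comment="pool addresses with no DHCP lease: never ARP for them"
```

Step 2 assumes the hook body was first saved under /system script as dhcp-lease-hook; if you paste it straight into lease-script in Winbox, skip that set line. Put the drop rule above any accept rules for customer traffic, and watch its packet counter: it should climb at roughly the rate you saw ARP requests in the capture. If the script ever falls out of sync with the lease table (for example after a reboot, since dynamic address-list entries do not survive one), step 2 can be re-run to rebuild the list. A complementary, script-free option on the same interface is add-arp=yes on the DHCP server together with arp=reply-only on ether2, which makes the router keep static ARP entries only for leased addresses and never send ARP requests on that interface at all; that changes behaviour for anything on the segment that is not a DHCP client, so test it before relying on it.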