Sequential ARP requests

Hello there,

Lately I’ve been noticing that our main MK router (CCR1036-12G-4S) is making a lot of ARP requests. The interesting part is that those requests are sequential (as in, requests for IPs 10.10.10.1 to 10.10.10.100); it’s even making requests to IPs that are not currently online.

The router has the latest firmware (6.19). I really doubt this is normal behaviour on this device, so I’d like to know if someone has experienced the same issue and managed to solve it.

Here’s a Wireshark screen capture (10.10.10.1 is one of the IPs of the CCR):

Someone might be doing an ARP/IP scan on your network manually, or someone can be infected by a virus.

I am monitoring the port that’s directly connected to the CCR. I am running a monitor session directly from the switch and checked the MAC address tables; everything points to the CCR doing the requests. This is confusing me (maybe because of my lack of experience with this kind of problem).

Also, I get directed ARP requests, not only broadcasts.

Also, I am noticing traffic leaking from one port to the other…

Traffic for subnet 1 is being seen on VLAN 2 and vice versa…

The switch is isolating the traffic and each VLAN has its own dedicated port on the CCR. I really don’t know why it’s happening.

BUMP

Anyone?

Probably an ARP poisoning attempt to spoof/dump traffic by hijacking it.
A switch isn’t almighty, and using VLANs as port isolation tools is well known but not flawless (there were several ways to bypass/thwart VLAN port isolation, especially on the default configuration of the majority of devices).
That problem is really polluting the majority of copper ISPs and the smart switches used by them on the endpoint before the BRAS, and eventually led to the introduction of both 802.1AR and 802.1AE by the majority of networking circuitry corporations/vendors.
As well as before, SEND was created as a replacement for both ARP and NDP (because both ARP and NDP are considered flawed/vulnerable beyond any chance to repair/protect; in the case of v6 there were some serious issues aside from the well-known RA one), but it was never implemented properly for IPv4 and never really mass-deployed/adopted.

P.S.
As a side note (irrelevant to the security aspect): on common Linux you can always maintain ARP throttling by a conntrack/firewall rule with connection limitation, because there were ebtables, arptables and a new filtering framework/front-end that unifies all three, while on RouterOS you cannot really control ARP or NDP very well (and cannot control NDP at all), yet.
If you do not run your network with statically assigned addresses, you can always switch ports to “reply-only” ARP mode and rely on your DHCP server package for managing that.

The switch isn’t using the default configuration (it’s a 2960S, btw), nor is the CCR. When I mirror the port that connects to the CCR I can see the incoming ARP requests from it. I’ve also checked the switch’s per-VLAN MAC address table and verified the equipment on each port; it all seems to be as intended. I checked all the computers looking for viruses and all seem to be clean. Our computers are isolated from the internet due to NAT; we don’t even have a DMZ established.
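
The pattern described in the first post (one sender asking for 10.10.10.1 through 10.10.10.100 in order) can be picked out of a capture mechanically instead of by eye. The following is an added example, not part of the thread: the record layout `(sender_mac, target_ip)`, the `min_run` threshold and the MAC addresses are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict


def find_arp_sweeps(requests, min_run=10):
    """requests: iterable of (sender_mac, target_ip) who-has records in capture order.
    Returns (sender_mac, first_ip, last_ip, length) for every run of at least
    min_run consecutive ascending target addresses requested by one sender."""
    per_sender = defaultdict(list)
    for mac, target in requests:
        # Group per sender so interleaved traffic from other hosts cannot break a run.
        per_sender[mac].append(int(ipaddress.IPv4Address(target)))

    sweeps = []
    for mac, targets in per_sender.items():
        start = prev = targets[0]
        for cur in targets[1:] + [None]:  # trailing None flushes the last run
            if cur == prev:               # ARP retry for the same target
                continue
            if cur is not None and cur == prev + 1:
                prev = cur                # run continues with the next address
                continue
            length = prev - start + 1
            if length >= min_run:
                sweeps.append((mac, str(ipaddress.IPv4Address(start)),
                               str(ipaddress.IPv4Address(prev)), length))
            start = prev = cur
    return sweeps


# Constructed sample: one sender walks 10.10.10.1-100 (with one retry),
# while an ordinary host occasionally resolves its gateway.
ROUTER = "00:00:5e:00:53:01"  # assumed MAC, documentation range
HOST = "00:00:5e:00:53:02"    # assumed MAC, documentation range
SAMPLE = []
for i in range(1, 101):
    SAMPLE.append((ROUTER, f"10.10.10.{i}"))
    if i == 40:
        SAMPLE.append((ROUTER, "10.10.10.40"))  # retry of an unanswered request
    if i % 25 == 0:
        SAMPLE.append((HOST, "10.10.10.1"))     # normal gateway lookup

if __name__ == "__main__":
    for mac, first, last, length in find_arp_sweeps(SAMPLE):
        print(f"{mac} swept {first}-{last} ({length} addresses)")
```

A hit only says which sender MAC produced the sequential requests; it does not say whether the cause is a scan or a feature running on that device.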