Community discussions

MikroTik App
 
tbbzac
just joined
Topic Author
Posts: 3
Joined: Sat Dec 05, 2020 11:31 pm

Loads of ARP Traffic

Mon Apr 26, 2021 4:07 pm

Hey everybody,

We are an ISP and are having some weird issues going on. We have a /23 pool of addresses being handed out with the Mikrotik DHCP server. I did a Wireshark capture and the MT router is putting out hundreds ARP requests per second. I'm pretty sure thats not normal... but I guess I don't have much to compare it to. DHCP leases are set to 8 hours and IP -> Settings -> ARP Timeout is set to 4 hours (I increased it from 30 seconds). No impact on ARP traffic.

Is this expected behavior? If not, how would I go about fixing it?
packet capture screenshot.jpg
Thanks!
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Loads of ARP Traffic

Mon Apr 26, 2021 6:06 pm

Hey everybody,

We are an ISP and are having some weird issues going on. We have a /23 pool of addresses being handed out with the Mikrotik DHCP server. I did a Wireshark capture and the MT router is putting out hundreds ARP requests per second. I'm pretty sure thats not normal... but I guess I don't have much to compare it to. DHCP leases are set to 8 hours and IP -> Settings -> ARP Timeout is set to 4 hours (I increased it from 30 seconds). No impact on ARP traffic.

Is this expected behavior? If not, how would I go about fixing it?

packet capture screenshot.jpg

Thanks!


/ip dhcp-server
export
Last edited by rextended on Mon Apr 26, 2021 6:07 pm, edited 1 time in total.
 
changeip
Forum Guru
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Loads of ARP Traffic

Mon Apr 26, 2021 6:07 pm

are these for all the unused IPs in your network? Probably traffic coming to your network trying to figure out who is going to answer them. Maybe you can blackhole/null route that traffic if its unused.
 
tbbzac
just joined
Topic Author
Posts: 3
Joined: Sat Dec 05, 2020 11:31 pm

Re: Loads of ARP Traffic

Tue Apr 27, 2021 2:30 am

are these for all the unused IPs in your network? Probably traffic coming to your network trying to figure out who is going to answer them. Maybe you can blackhole/null route that traffic if its unused.
Good call. I checked that and yes they are. If it's ARPing for every packet destined for an unused address, and we are seeing that many packets per second, we must be getting DDoSed, right?

There must be a good way to have the router not even try to ARP for addresses that don't have a DHCP lease. Perhaps a DHCP server script that adds leased addresses to an address list with an expiration equal to the lease time. Then a firewall rule dropping traffic destined to the DHCP pool range that's not one of the addresses in the leased addresses list? Would that work? What would that script look like?

Thanks again!

Who is online

Users browsing this forum: Amazon [Bot], GoogleOther [Bot], jhbarrantes, kub1x, Valerio5000 and 92 guests