shaoranrch
Member Candidate
Topic Author
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Sequential Arp requests

Tue Sep 30, 2014 8:36 pm

Hello there,

Lately I've been noticing that our main MK router (CCR1036-12G-4S) is making a lot of ARP requests. The interesting part is that those requests are sequential (as in, requests for IPs 10.10.10.1 to 10.10.10.100); it's even making requests to IPs that are not currently online.

The router has the latest firmware (6.19). I really doubt this is normal behaviour on this device, so I'd like to know if someone has experienced the same issue and managed to solve it.

Here's a Wireshark screen capture (10.10.10.1 is one of the IPs of the CCR):

Image
Rafael Carvallo
Telecommunications Engineer

Need consultation?
Need a hotspot with facebook integration?
Send a PM!

We speak Spanish and serve the Latin American market; visit our website:
http://www.tuproximosalto.com
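
The pattern described in the post above (one sender asking for consecutive addresses, including offline ones) can be picked out of a capture automatically. This is an added example, not part of the original post: the record layout, the MAC addresses, and the `min_run` and `window_s` thresholds are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

ROUTER = "00:00:5e:00:53:01"   # constructed MAC (documentation range)
HOST = "00:00:5e:00:53:22"     # constructed MAC (documentation range)

# Constructed ARP requests: (timestamp_s, sender_mac, sender_ip, target_ip)
SAMPLE = [(i * 0.1, ROUTER, "10.10.10.1", f"10.10.10.{i + 2}") for i in range(20)]
SAMPLE += [(0.5, HOST, "10.10.10.50", "10.10.10.1"),
           (3.0, HOST, "10.10.10.50", "10.10.10.77")]


def find_arp_sweeps(records, min_run=8, window_s=10.0):
    """Return {(mac, ip): (run_length, first_target, last_target)} for every
    sender whose requests walk at least min_run consecutive addresses
    within window_s seconds. Thresholds are assumptions to tune per network."""
    by_sender = defaultdict(list)
    for ts, mac, sip, tip in sorted(records):
        by_sender[(mac, sip)].append((ts, ipaddress.IPv4Address(tip)))

    findings = {}
    for sender, reqs in by_sender.items():
        best = (0, None, None)
        start = 0  # index where the current consecutive run began
        for i in range(1, len(reqs) + 1):
            contiguous = (
                i < len(reqs)
                and int(reqs[i][1]) - int(reqs[i - 1][1]) == 1
                and reqs[i][0] - reqs[start][0] <= window_s
            )
            if not contiguous:  # run ended: keep it if it is the longest so far
                length = i - start
                if length > best[0]:
                    best = (length, str(reqs[start][1]), str(reqs[i - 1][1]))
                start = i
        if best[0] >= min_run:
            findings[sender] = best
    return findings


if __name__ == "__main__":
    for (mac, ip), (n, first, last) in find_arp_sweeps(SAMPLE).items():
        print(f"{mac} ({ip}) swept {n} addresses: {first} -> {last}")
```

Real input would be the ARP requests (opcode 1) exported from the mirrored port, one record per frame; grouping by sender MAC as well as sender IP shows whether the sweep really originates from the router's interface.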
 
Thalid
newbie
Posts: 38
Joined: Sun Mar 31, 2013 11:33 pm

Re: Sequential Arp requests

Tue Sep 30, 2014 9:33 pm

Someone might be doing an ARP/IP scan on your network, manually, or someone can be infected by a virus.
 
shaoranrch
Member Candidate
Topic Author
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: Sequential Arp requests

Tue Sep 30, 2014 10:22 pm

> Someone might be doing an ARP/IP scan on your network, manually, or someone can be infected by a virus.

I am monitoring the port that's directly connected to the CCR. I am running a monitor session directly from the switch and checked the MAC address tables; everything points to the CCR doing the requests. This is confusing me (maybe due to my lack of experience with this kind of problem).

Also, I get directed ARP requests, not only broadcasts.
 
shaoranrch
Member Candidate
Topic Author
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: Sequential Arp requests

Tue Sep 30, 2014 11:13 pm

Also, I am noticing traffic leaking from one port to the other...

Traffic for subnet 1 is being seen on VLAN 2 and vice versa...

The switch is isolating the traffic and each VLAN has its own dedicated port on the CCR; I really don't know why it's happening.
 
shaoranrch
Member Candidate
Topic Author
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: Sequential Arp requests

Wed Oct 01, 2014 3:28 pm

BUMP

Anyone?
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Sequential Arp requests

Wed Oct 01, 2014 3:53 pm

Probably an ARP poisoning attempt to spoof/dump traffic by hijacking it.
A switch isn't almighty, and using VLANs as a port isolation tool is well known but not flawless (there were several ways to bypass/thwart VLAN port isolation, especially on the default configuration of the majority of devices).
That problem is really polluting the majority of copper ISPs and the smart switches used by them on the endpoint before the BRAS, and eventually led to the introduction of both 802.1AR and 802.1AE by the majority of networking circuitry corporations/vendors.
As well as before SEND was created as both an ARP and NDP replacement (because both ARP and NDP are considered flawed/vulnerable beyond chances to repair/protect; in the case of v6 there were some serious issues aside from the well-known RA one), but it was never implemented properly for IPv4 and never really mass-deployed/adopted.

P.S.
As a side note (irrelevant to the security aspect): on common Linux you can always maintain ARP throttling by a conntrack/firewall rule with connection limitation, because there were ebtables, arptables and a new filtering framework/front-end that unifies all three, while on RouterOS you cannot really control ARP or NDP very well (and cannot control NDP at all), yet.
If you do not run your network with statically-assigned addresses, you can always switch ports to "reply-only" ARP mode to rely on your DHCP server package for managing that.
 
shaoranrch
Member Candidate
Topic Author
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: Sequential Arp requests

Wed Oct 01, 2014 4:25 pm

> Probably an ARP poisoning attempt to spoof/dump traffic by hijacking it.
> A switch isn't almighty, and using VLANs as a port isolation tool is well known but not flawless (there were several ways to bypass/thwart VLAN port isolation, especially on the default configuration of the majority of devices).
> That problem is really polluting the majority of copper ISPs and the smart switches used by them on the endpoint before the BRAS, and eventually led to the introduction of both 802.1AR and 802.1AE by the majority of networking circuitry corporations/vendors.
> As well as before SEND was created as both an ARP and NDP replacement (because both ARP and NDP are considered flawed/vulnerable beyond chances to repair/protect; in the case of v6 there were some serious issues aside from the well-known RA one), but it was never implemented properly for IPv4 and never really mass-deployed/adopted.
>
> P.S.
> As a side note (irrelevant to the security aspect): on common Linux you can always maintain ARP throttling by a conntrack/firewall rule with connection limitation, because there were ebtables, arptables and a new filtering framework/front-end that unifies all three, while on RouterOS you cannot really control ARP or NDP very well (and cannot control NDP at all), yet.
> If you do not run your network with statically-assigned addresses, you can always switch ports to "reply-only" ARP mode to rely on your DHCP server package for managing that.

The switch isn't using the default configuration (it's a 2960S, btw), nor is the CCR. When I mirror the port that connects to the CCR I can see the incoming ARP requests from it. I've also checked the switch's per-VLAN MAC address table and verified the equipment on each port; it all seems to be as intended. I checked all the computers looking for viruses; all seem to be clean. Our computers are isolated from the internet due to NAT; we don't even have a DMZ established.