My CCR1072 is connected to a switch, and I created 100 VLAN interfaces with IP addresses like 192.168.0.1/24, 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24 ... 192.168.100.1/24.
So it has 256*100 = 25600 IPs. Actually, there aren't that many hosts; the VLANs are just divided up for management purposes.
A few days ago, I was attacked by a host in the local area network. This host scanned the local area network segment 192.168.0.0/16, and the CCR1072 had to forward the packets to the local area network where the corresponding VLAN interface is located. However, to do that it needs to send an ARP request to obtain the MAC address of the host in that LAN. At that time, the ARP table looked like this:
8144 DC 124.93.29.83 B0:2C:71:E5:00:80 vlan1008
8145 DC 192.168.70.132 B4:05:5D:0A:ED:AA vlan0699
8146 D 192.168.80.252 vlan0807
8147 D 192.168.70.225 vlan0699
8148 DC 192.168.80.55 00:50:56:93:AD:02 vlan0801
8149 D 192.168.66.170 vlan1066
8150 D 192.168.11.51 vlan0903
8151 D 192.168.82.147 vlan0904
8152 D 172.23.64.178 vlan3544
8153 D 192.168.78.18 vlan2002
8154 D 192.168.87.7 vlan0844
8155 D 192.168.68.161 vlan1068
8156 D 192.168.67.150 vlan1067
8157 DC 172.24.2.67 00:50:56:9B:13:F9 vlan0036
8158 D 192.168.9.100 vlan1090
8159 D 192.168.95.29 vlan0862
8160 D 192.168.9.106 vlan1090
8161 D 192.168.90.204 vlan0853
8162 D 192.168.64.180 vlan1064
8163 D 192.168.9.252 vlan1090
8164 D 192.168.83.124 vlan0827
8165 D 192.168.93.103 vlan0858
8166 D 192.168.88.161 vlan0849
8167 D 192.168.82.252 vlan0904
8168 DC 192.168.89.235 00:50:56:93:19:6B vlan0851
8169 D 192.168.9.59 vlan1090
8170 D 192.168.84.142 vlan0834
8171 D 192.168.85.253 vlan0839
8172 D 192.168.88.188 vlan0849
8173 D 192.168.67.186 vlan1067
8174 D 192.168.66.38 vlan1066
8175 D 192.168.87.139 vlan0846
8176 D 172.18.6.94 ether1
8177 D 192.168.88.124 vlan0848
8178 D 192.168.80.221 vlan0806
8179 DC 192.168.70.16 B4:05:5D:0C:77:93 vlan0699
8180 D 192.168.66.8 vlan1066
8181 D 192.168.9.251 vlan1090
8182 D 192.168.86.23 vlan0840
8183 D 192.168.87.242 vlan0847
8184 D 192.168.64.179 vlan1064
It was filled up! With a total of 8184 ARP entries, the router could no longer obtain the real ARP entries of hosts in a timely manner, resulting in delays and packet loss.
In the end, this multi-IP, large-scale scanning behaviour was discovered and the source address was blocked in the firewall, restoring the network to normal.
I know we have PSD to find port scanners, but in this case, how should we protect ourselves? And can the ARP table be expanded?
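As an added example (not code from the post, and not a MikroTik tool), the script below parses rows in the format of the `/ip arp print` output pasted above and flags the two signs of this incident: the table is close to full, and most entries are unresolved (dynamic `D` without a MAC, i.e. no `C` complete flag) and spread across many /24s and VLAN interfaces, which is what a sweep of 192.168.0.0/16 through a router with many VLAN interfaces looks like. The sample rows are a subset copied from the dump in the post. The table limit of 8192, the 95% "full" mark, the 50% incomplete ratio and the 10-subnet sweep threshold are assumed values chosen for illustration, not documented RouterOS numbers.

```python
"""Spot ARP-table exhaustion in a MikroTik '/ip arp print' dump.

Added example for the post above; not code from the post or from MikroTik.
Assumptions: rows look like '<index> <flags> <address> [<mac>] <interface>',
'C' in the flags means the neighbour is complete (MAC resolved) and a bare
'D' is an unresolved dynamic entry; ARP_TABLE_LIMIT and the thresholds
below are illustrative values, not documented RouterOS limits.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ARP_TABLE_LIMIT = 8192        # assumed capacity used only to judge fullness
FULL_FRACTION = 0.95          # assumed: >= 95 % of the limit counts as "full"
MAX_INCOMPLETE_RATIO = 0.5    # assumed: a healthy table is mostly complete
MIN_SWEEP_SUBNETS = 10        # assumed: unresolved targets in this many /24s

ARP_ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Z]+)\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
    r"(?:\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?"
    r"\s+(?P<iface>\S+)\s*$"
)

# Sample rows copied from the dump in the post (a subset of the full table).
SAMPLE_ARP_DUMP = """
8144 DC 124.93.29.83 B0:2C:71:E5:00:80 vlan1008
8145 DC 192.168.70.132 B4:05:5D:0A:ED:AA vlan0699
8146 D 192.168.80.252 vlan0807
8147 D 192.168.70.225 vlan0699
8148 DC 192.168.80.55 00:50:56:93:AD:02 vlan0801
8149 D 192.168.66.170 vlan1066
8150 D 192.168.11.51 vlan0903
8151 D 192.168.82.147 vlan0904
8152 D 172.23.64.178 vlan3544
8153 D 192.168.78.18 vlan2002
8154 D 192.168.87.7 vlan0844
8155 D 192.168.68.161 vlan1068
8156 D 192.168.67.150 vlan1067
8157 DC 172.24.2.67 00:50:56:9B:13:F9 vlan0036
8158 D 192.168.9.100 vlan1090
8159 D 192.168.95.29 vlan0862
"""


@dataclass(frozen=True)
class ArpEntry:
    index: int
    flags: str
    ip: str
    mac: Optional[str]
    iface: str

    @property
    def complete(self) -> bool:
        # RouterOS marks resolved neighbours with the 'C' flag.
        return "C" in self.flags

    @property
    def subnet24(self) -> str:
        return ".".join(self.ip.split(".")[:3]) + ".0/24"


def parse_arp_dump(text: str) -> List[ArpEntry]:
    """Parse dump rows; lines that do not match (headers, blanks) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append(ArpEntry(int(m["idx"]), m["flags"], m["ip"], m["mac"], m["iface"]))
    return rows


def summarize(entries: List[ArpEntry]) -> Dict[str, object]:
    """Count complete vs. unresolved entries and where the unresolved ones sit."""
    incomplete = [e for e in entries if not e.complete]
    return {
        "total": len(entries),
        "complete": len(entries) - len(incomplete),
        "incomplete": len(incomplete),
        "incomplete_ratio": len(incomplete) / len(entries) if entries else 0.0,
        "highest_index": max((e.index for e in entries), default=-1),
        "incomplete_per_iface": Counter(e.iface for e in incomplete),
        "subnets_with_incomplete": sorted({e.subnet24 for e in incomplete}),
    }


def alerts(summary: Dict[str, object], limit: int = ARP_TABLE_LIMIT) -> List[Tuple[str, str]]:
    """Return (code, message) pairs for the exhaustion signs seen in the post."""
    out: List[Tuple[str, str]] = []
    # Print indexes are sequential, so the highest index approximates table size.
    if summary["highest_index"] + 1 >= FULL_FRACTION * limit:
        out.append(("TABLE_FULL", f"highest entry index {summary['highest_index']} "
                                  f"is near the assumed limit of {limit}"))
    if summary["incomplete_ratio"] > MAX_INCOMPLETE_RATIO:
        out.append(("INCOMPLETE_FLOOD", f"{summary['incomplete']} of {summary['total']} "
                                        f"sampled entries have no MAC address"))
    subnets = summary["subnets_with_incomplete"]
    ifaces = summary["incomplete_per_iface"]
    if len(subnets) >= MIN_SWEEP_SUBNETS:
        out.append(("SWEEP", f"unresolved targets in {len(subnets)} /24s "
                             f"across {len(ifaces)} interfaces"))
    return out


if __name__ == "__main__":
    report = summarize(parse_arp_dump(SAMPLE_ARP_DUMP))
    for code, message in alerts(report):
        print(code, message)
```

Feed it the output of `/ip arp print` saved to a file (or the rows above) and it prints one line per triggered sign. The dump itself does not show who sent the scan, so the source address still has to come from the firewall or connection tracking; what the script gives you is an early, cheap signal that the ARP table is being burned through before users start reporting packet loss.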