Extremely high ARP flooding from the router

14,469

Solution 1

Check if you have a loop.

When a switch receives a broadcast packet (like ARP), it sends it out through all ports. If you have a looped cable (from one port to another in the same broadcast domain), that packet comes back to the switch, and is broadcast again through all ports (and comes back again, and again, ...).

So basically, check if you have a cable going from one port to another on the same switch, or to another switch connected to the first one, and disconnect it. If you have managed switches, you should enable (R)STP to avoid such issues - with STP enabled, you can actually achieve redundancy with a loop - but when all is functioning correctly, one connection will be disabled by the switch itself.

Solution 2

Your problem is not that the router is ARPing at 25,000 packets per second; you have a loop in your Ethernet layer-2 topology.

If you are running spanning-tree, this is a decent start to block the loop, but some conditions can cause spanning-tree to allow loops to form (such as a unidirectional ethernet link, which drops BPDUs).

You need to find where the loop is. Very often it is on someone's desk or in a conference room where someone bridged two segments together with a hub.

Be sure you have configured Rapid Spanning-Tree or Multiple Spanning-Tree properly on all your switches. Storm-control is helpful, if your switch supports it.
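Added example, not code from either answer: a small Python check over Wireshark-style ARP lines like the one quoted in the question. It separates a loop-replayed storm (very high rate, only a handful of targets) from ordinary ARP activity (many distinct targets). The timestamp prefix, the parsing regex and the sample capture are constructed for this example.

```python
import re
from collections import defaultdict

# Wireshark-style line as in the question, prefixed with a capture timestamp (seconds):
#   0.000 10.162.0.1 Broadcast ARP 60 Who has 10.162.8.75? Tell 10.162.0.1
ARP_REQ = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+Broadcast\s+ARP\s+\d+\s+"
    r"Who has (?P<target>\S+)\?\s+Tell (?P<sender>\S+)$"
)

def analyze_arp_requests(lines, storm_pps=1000, max_distinct=10):
    """Bucket ARP requests per (sender, whole second) and flag a broadcast storm.

    A router genuinely resolving many hosts shows many distinct targets; a layer-2
    loop replays the *same* few frames thousands of times a second, so the rate
    is huge while the set of targets stays tiny. Returns a per-sender report.
    """
    per_sec = defaultdict(lambda: defaultdict(int))   # sender -> second -> count
    targets = defaultdict(set)                          # sender -> {target ip}
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue   # replies, non-ARP frames and malformed lines are ignored
        sec = int(float(m["t"]))
        per_sec[m["sender"]][sec] += 1
        targets[m["sender"]].add(m["target"])
    report = {}
    for sender, buckets in per_sec.items():
        peak, n_targets = max(buckets.values()), len(targets[sender])
        if peak < storm_pps:
            verdict = "normal"
        elif n_targets <= max_distinct:
            verdict = "storm: few targets, looks like an L2 loop replaying frames"
        else:
            verdict = "storm: many targets, looks like a scan or misbehaving host"
        report[sender] = {"peak_pps": peak, "distinct_targets": n_targets, "verdict": verdict}
    return report

def constructed_loop_capture(frames=3000, seconds=0.5):
    """Constructed sample: the router's requests for two targets replayed `frames`
    times within `seconds` seconds, which is what a looped switch port produces."""
    lines = []
    for i in range(frames):
        target = "10.162.8.75" if i % 2 else "10.162.8.76"
        lines.append(f"{i * seconds / frames:.4f} 10.162.0.1 Broadcast ARP 60 "
                     f"Who has {target}? Tell 10.162.0.1")
    # A reply from a host claiming 10.162.8.75 (constructed MAC) does not stop the replays.
    lines.append("0.2500 10.162.8.75 10.162.0.1 ARP 42 10.162.8.75 is at aa:bb:cc:dd:ee:ff")
    return lines

if __name__ == "__main__":
    for sender, result in analyze_arp_requests(constructed_loop_capture()).items():
        print(sender, result)
```

Feed it a real text export (`tshark -r capture.pcap -T fields` output reshaped to the same columns, or a pasted Wireshark packet list with a seconds timestamp) to see whether your own storm has the loop signature.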


Author: Temak, Computer Vision Researcher

Updated on September 18, 2022

Comments

  • Temak
    Temak over 1 year

    My subnet is 10.162.0.0/16. We have a router with a couple of interfaces. Our gateway address for this subnet is 10.162.0.1.

    The router is in another building and I haven't got direct access to it. The line from the router comes to my main layer-2 switch, a D-Link DES-3550 (10.162.0.250), and the other part of the subnet is connected to this switch.
    The network works well for a short period of time (5 - 20 minutes), and then the "attack" starts and the problem repeats again.

    How the "attack" looks:
    I used Wireshark to check the problem. I can see our gateway router (10.162.0.1) incessantly ARP requesting one or couple addresses from my subnet such as:

    10.162.0.1 Broadcast ARP 60 Who has 10.162.8.75? Tell 10.162.0.1

    10.162.8.75 doesn't answer my pings.

    I assigned one of the addresses, which was ARPed, to my computer. My machine answered the ARPs and sent my MAC. But the router didn't care and continued sending ARPs.

    The router sent about 10,000 - 25,000 ARPs per second. So it is impossible to even ping 10.162.0.1 from any computer of my subnet. Sometimes my main switch (10.162.0.250) doesn't answer pings or delays about 3 sec.

    The attack stopped when I rebooted my switch (10.162.0.250) or disconnected some of its ports (in most cases disconnecting ports 10 and 11 helped, so maybe something happened there).

    When the next attack starts, the ARP requests are already for other addresses. It seems to randomly choose addresses to ARP.

    Why is our router sending so many ARPs? Is a computer on a different subnet attacking the router? If the source is a computer from 10.162.0.0/16, then why did the router send ARP requests (I can't understand this)? How can I solve this problem?

  • Mike Pennington
    Mike Pennington almost 12 years
    The most likely cause is that someone is using the wifi in infrastructure mode on more than one point of your network and spanning-tree is not blocking the loop.
  • Temak
    Temak almost 12 years
    You mean someone connected to two different Access Points simultaneously?
  • Mike Pennington
    Mike Pennington almost 12 years
    Yes, their wifi in infrastructure mode, or they bridged two LAN segments with one of the APs. Sometimes people do things like offering "alternatives" to your office internet access.