Noticed that my router being hit with a constant 350 - 400kbps ARP request flood. Seems strange coming from internet.
Here is a small capture:
16:25:51.409106 ARP, Request who-has 22.214.171.124 tell 126.96.36.199, length 46
16:25:51.409577 ARP, Request who-has 188.8.131.52 tell 184.108.40.206, length 46
16:25:51.411603 ARP, Request who-has 220.127.116.11 tell 18.104.22.168, length 46
16:25:51.412064 ARP, Request who-has 22.214.171.124 tell 126.96.36.199, length 46
16:25:51.413143 ARP, Request who-has 188.8.131.52 tell 184.108.40.206, length 46
16:25:51.414623 ARP, Request who-has 220.127.116.11 tell 18.104.22.168, length 46
16:25:51.415526 ARP, Request who-has 22.214.171.124 tell 126.96.36.199, length 46
16:25:51.417761 ARP, Request who-has 188.8.131.52 tell 184.108.40.206, length 46
16:25:51.418696 ARP, Request who-has 220.127.116.11 tell 18.104.22.168, length 46
It is all being dropped so no impact on internet usage.
Is this normal of something wrong with Starhub Server.
Are you on cable broadband?
Some arp requests on the wan is normal, as long as it's not like thousands per second.
You can check what kind of equipment the source IP 22.214.171.124 is.
Do a "arp -a" from your router and look for the mac address of that IP.
Look up the OUI (first 3 bytes of the mac address) to see which vendor it belongs to.
Thankyou for the reply. I am using fibre broadband (currently 500mb/s) with the Ubiquity router instead of the Starhub supplied router but, other than this ARP background noise, all is working great. It is likely that this ARP activity has always been there but could not see it with the previous router.
This post is more for curiosity than to solve any particular problem.
Agreed that some ARP is normal but at a sustained 350-400kbps of ARP (46 bytes each) traffic it seemed to be a lot.
The IP addresses that I capture incoming to WAN are not even on the same subnet that is currently assigned to me. Could be normal for Starhub network, kind of a spray and pray approach. I thought since the WAN uses DHCP that an address would be assigned and nothing more required until the lease expiry. That is why seeing this level of polling suprised me. My network knowledge is limited.
At any rate the only MAC is see starts 00:00:0c which is Cisco, so probably normal.
I called 1633 and was told ARP activity is normal although at what level was not concluded.
Hi Threndor, can you pass me your full name, NRIC, contact number and email address via PM and we'll keep in touch.