GreenR Community|The Community Run by You
cancel
Showing results for 
Search instead for 
Did you mean: 

Wan Flood with ARP requests

Highlighted
Respected Contributor

Wan Flood with ARP requests

Noticed that my router being hit with a constant 350 - 400kbps ARP request flood. Seems strange coming from internet.

 

Here is a small capture:

16:25:51.409106    ARP, Request who-has 116.86.214.253 tell 116.86.212.3, length 46
16:25:51.409577    ARP, Request who-has 116.86.141.71 tell 116.86.141.3, length 46
16:25:51.411603    ARP, Request who-has 116.86.99.7 tell 116.86.96.3, length 46
16:25:51.412064    ARP, Request who-has 39.109.189.113 tell 39.109.188.3, length 46
16:25:51.413143    ARP, Request who-has 116.87.37.202 tell 116.87.36.3, length 46
16:25:51.414623    ARP, Request who-has 116.86.215.229 tell 116.86.212.3, length 46
16:25:51.415526    ARP, Request who-has 116.86.97.158 tell 116.86.96.3, length 46
16:25:51.417761    ARP, Request who-has 116.86.215.124 tell 116.86.212.3, length 46
16:25:51.418696    ARP, Request who-has 116.87.200.170 tell 116.87.200.3, length 46

 

It is all being dropped so no impact on internet usage.

 

Is this normal of something wrong with Starhub Server.

 

Thanks

3 REPLIES 3
Highlighted
Veteran

Re: Wan Flood with ARP requests

Are you on cable broadband?

 

Some arp requests on the wan is normal, as long as it's not like thousands per second.

You can check what kind of equipment the source IP 116.86.212.3 is.

Do a "arp -a" from your router and look for the mac address of that IP.

Look up the OUI (first 3 bytes of the mac address) to see which vendor it belongs to.

 

Respected Contributor

Re: Wan Flood with ARP requests

Ah-Pin-Kor

 

Thankyou for the reply. I am using fibre broadband (currently 500mb/s) with the Ubiquity router instead of the Starhub supplied router but, other than this ARP background noise, all is working great. It is likely that this ARP activity has always been there but could not see it with the previous router.

 

This post is more for curiosity than to solve any particular problem.

 

Agreed that some ARP is normal but at  a sustained 350-400kbps of ARP (46 bytes each) traffic it seemed to be a lot.

 

The IP addresses that I capture incoming to WAN are not even on the same subnet that is currently assigned to me. Could be normal for Starhub network, kind of a spray and pray approach. I thought since the WAN uses DHCP that an address would be assigned and nothing more required until the lease expiry. That is why seeing this level of polling suprised me. My network knowledge is limited.

 

At any rate the only MAC is see starts 00:00:0c which is Cisco, so probably normal.

 

I called 1633 and was told ARP activity is normal although at what level was not concluded.

 

Cheers

Highlighted
Alumni (Retired)

Re: Wan Flood with ARP requests

Hi Threndor, can you pass me your full name, NRIC, contact number and email address via PM and we'll keep in touch.