[c-nsp] Rate-limiting ARPs
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Sep 13 06:42:57 EDT 2006
cisco-nsp-bounces at puck.nether.net wrote on Wednesday, September 13, 2006 11:56 AM:
> I am trying to find out how to rate limit the generation of ARPs by a
> gateway.
>
> Example scenario:
>
> ==================================================
> 123.234.123.1/24 is a Cisco gateway connected to the Internet
>
> An Internet host sends a UDP packet to 123.234.123.99
>
> 123.234.123.1 generates an ARP for the .99 IP address, but no one
> answers it so it is down as "Incomplete"
>
> An Internet host sends another UDP packet to 123.234.123.99
>
> 123.234.123.1 generates another ARP request
> ==================================================
>
> From what I can see, there is nothing that prevents this behaviour from
> causing a DOS by flooding a subnet with ARP requests. What I'd like to
> do is for the Cisco gateway (a 3750 in this instance) to remember it
> sent an ARP request for the .99 IP address, and rate limit itself to
> sending 1 every second or similar.
>
> Is there any way of achieving this? Any fault with what I am
> suggesting?
By default, IOS throttles ARP requests for the same dest-ip to one ARP
request every 2 seconds (at least according to a quick test I just did),
but apparently you saw otherwise. Can you do a "debug arp" and show the
results?
oli
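The behaviour under discussion, modelled as an added example that is not part of the thread and not Cisco code: a toy gateway resolver that keeps an "incomplete" ARP entry per destination and refuses to send a second request for that destination until a throttle interval has elapsed. The 2000 ms interval is an assumption taken from Oliver's observation, not a documented IOS constant, and the packet streams are constructed here. It shows the point a practitioner would want to check: per-destination throttling collapses a flood aimed at one unused address, but does nothing for a sweep across many unused addresses, because each address gets its own throttle timer.

```python
"""Model of per-destination ARP request throttling on a gateway.

Added example, not from the mailing-list thread and not Cisco's
implementation. Timestamps are integer milliseconds to keep the
arithmetic exact. The 2000 ms interval is an assumption based on the
reply above, not a documented constant.
"""
from dataclasses import dataclass, field


@dataclass
class ArpResolver:
    throttle_ms: int = 2000          # assumed per-destination interval
    # dest IP -> time (ms) of the last ARP request sent; stays "incomplete"
    # until a reply is learned
    incomplete: dict = field(default_factory=dict)
    # resolved dest IP -> MAC
    table: dict = field(default_factory=dict)
    # (time_ms, dest IP) for every ARP request actually put on the wire
    sent: list = field(default_factory=list)

    def forward(self, now_ms, dst_ip):
        """Handle one IP packet for the directly connected subnet.

        Returns True if an ARP request was sent for dst_ip, False if the
        entry was already resolved or a request is still being throttled.
        """
        if dst_ip in self.table:
            return False
        last = self.incomplete.get(dst_ip)
        if last is not None and now_ms - last < self.throttle_ms:
            return False                      # throttled: request outstanding
        self.incomplete[dst_ip] = now_ms
        self.sent.append((now_ms, dst_ip))
        return True

    def learn(self, dst_ip, mac):
        """Install a reply; the incomplete entry is replaced by a real one."""
        self.table[dst_ip] = mac
        self.incomplete.pop(dst_ip, None)


def arp_requests_sent(packets, throttle_ms):
    """Run a (time_ms, dst_ip) stream through a resolver; return requests sent."""
    r = ArpResolver(throttle_ms=throttle_ms)
    for now_ms, dst in packets:
        r.forward(now_ms, dst)
    return len(r.sent)


def burst_to_one_host(n, dst="123.234.123.99"):
    """Constructed flood: n packets, 1 per ms, all to one unused address."""
    return [(i, dst) for i in range(n)]


def sweep_unused_hosts(n, prefix="123.234.123.", first=2, last=254):
    """Constructed sweep: n packets, 1 per ms, cycling over .2 .. .254."""
    hosts = [f"{prefix}{h}" for h in range(first, last + 1)]
    return [(i, hosts[i % len(hosts)]) for i in range(n)]


def compare(n=5000, throttle_ms=2000):
    """Requests sent with and without the throttle for both attack shapes."""
    return {
        "single_host_unthrottled": arp_requests_sent(burst_to_one_host(n), 0),
        "single_host_throttled": arp_requests_sent(burst_to_one_host(n), throttle_ms),
        "sweep_unthrottled": arp_requests_sent(sweep_unused_hosts(n), 0),
        "sweep_throttled": arp_requests_sent(sweep_unused_hosts(n), throttle_ms),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:26s} {count:5d} ARP requests in 5 s")
```

With 5000 packets over 5 seconds, the single-host flood produces 3 requests (at 0, 2 and 4 s) instead of 5000, which is the throttling Oliver describes. The sweep across 253 unused addresses still produces 759 requests (three per address), because the throttle is keyed on the destination and the attacker simply picks a new key per packet. Whatever the real IOS behaviour turns out to be in the "debug arp" output, the aggregate ARP rate a gateway can be made to emit is bounded by the number of unresolved addresses on the subnet, not by the per-address interval.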