[c-nsp] Rate-limiting ARPs

Ed Butler ed.butler at rapidswitch.com
Wed Sep 13 06:57:21 EDT 2006


Oliver,

I am not sure a "debug arp" would be particularly helpful at this point,
because the problem is not happening at the moment.

The problem manifested itself last night when a server on a /24 subnet
was subject to a DDOS of 300kpps. The server crashed, for whatever
reason, and once the ARP entry had timed out all of the servers on that
/24 were bombarded with traffic until we filtered the DDOS at the border
routers.

Regards,

Ed Butler
RapidSwitch Ltd
DDI: 020 7106 0731

RapidSwitch Ltd, 5th Floor, Sovereign House, 227 Marsh Wall, London, E14 9SD

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com] 
Sent: 13 September 2006 11:43
To: Ed Butler; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate-limiting ARPs



cisco-nsp-bounces at puck.nether.net <> wrote on Wednesday, September 13,
2006 11:56 AM:

> I am trying to find out how to rate limit the generation of ARPs by a 
> gateway.
> 
> Example scenario:
> 
> ==================================================
> 123.234.123.1/24 is a Cisco gateway connected to the Internet
> 
> An Internet host sends a UDP packet to 123.234.123.99
> 
> 123.234.123.1 generates an ARP for the .99 IP address, but no one 
> answers it so it is down as "Incomplete"
> 
> An Internet host sends another UDP packet to 123.234.123.99
> 
> 123.234.123.1 generates another ARP request 
> ==================================================
> 
> From what I can see, there is nothing that prevents this behaviour 
> from causing a DOS by flooding a subnet with ARP requests. What I'd 
> like to do is for the Cisco gateway (a 3750 in this instance) to 
> remember it sent an ARP request for the .99 IP address, and rate limit 
> itself to sending 1 every second or similar.
> 
> Is there any way of achieving this? Any fault with what I am 
> suggesting?

By default, IOS throttles ARP requests for the same dest-ip to one ARP
request every 2 seconds (at least according to a quick test I just did),
but apparently you saw otherwise. Can you do a "debug arp" and show the
results?

	oli

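The two mechanisms discussed in this thread, modelled as an added example (not code from the thread, from Cisco, or from RapidSwitch): a per-destination ARP request throttle of the kind Oliver describes, fed with a constructed packet flood to an address that never answers, and a small detector that flags a sender re-ARPing the same target too often in a capture. The 2-second interval, the 192.0.2.x addresses and the capture line format are assumptions for the example.

```python
from collections import defaultdict, deque

# Assumed throttle interval, as reported in the reply above (not verified here).
ARP_THROTTLE_S = 2.0

def arp_requests(packet_times, throttle_s=ARP_THROTTLE_S):
    """Return (time, dest_ip) for each ARP request a gateway would emit.

    packet_times: (timestamp, dest_ip) pairs for packets that must be forwarded
    to a host with no ARP entry (the "Incomplete" case in the thread).
    throttle_s: minimum spacing between requests for one dest_ip; 0 = none.
    """
    last_sent, emitted = {}, []
    for t, dst in sorted(packet_times):
        prev = last_sent.get(dst)
        if prev is None or t - prev >= throttle_s:
            emitted.append((t, dst))
            last_sent[dst] = t
    return emitted

def simulate_flood(pps, seconds, dst="192.0.2.99"):
    """Constructed flood: pps packets per second to dst for the given duration."""
    return [(i / pps, dst) for i in range(int(pps * seconds))]

def arp_flood_alerts(capture_lines, max_per_window=2, window_s=ARP_THROTTLE_S):
    """Flag (sender, target) pairs that send more than max_per_window ARP
    requests within any window_s seconds. Line format is constructed for this
    example: '<epoch_seconds> <sender_ip> who-has <target_ip>'."""
    recent = defaultdict(deque)
    flagged = set()
    for line in capture_lines:
        ts, sender, _, target = line.split()
        ts = float(ts)
        q = recent[(sender, target)]
        q.append(ts)
        while ts - q[0] > window_s:   # drop requests older than the window
            q.popleft()
        if len(q) > max_per_window:
            flagged.add((sender, target))
    return flagged

# Constructed capture: the gateway re-ARPs .99 on every packet, .50 only once.
SAMPLE_CAPTURE = """\
1158134400.00 192.0.2.1 who-has 192.0.2.99
1158134400.01 192.0.2.1 who-has 192.0.2.99
1158134400.02 192.0.2.1 who-has 192.0.2.50
1158134400.03 192.0.2.1 who-has 192.0.2.99
""".splitlines()

if __name__ == "__main__":
    flood = simulate_flood(pps=1000, seconds=5)
    print(len(arp_requests(flood, throttle_s=0)), "ARP requests without throttle")
    print(len(arp_requests(flood)), "ARP requests with 2 s throttle")
    print(arp_flood_alerts(SAMPLE_CAPTURE))
```

Without the throttle every forwarded packet to the unresolved address becomes an ARP request on the subnet, which is the flooding behaviour the original question describes; with it, the request count collapses to one per interval per destination.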