[j-nsp] ARP resolution algorithm? Storage of MX transit packets?
Clarke Morledge
chmorl at wm.edu
Thu Jan 31 18:32:16 EST 2019
Thank you for the input thus far, folks.
Let me explain just a bit more about what I am dealing with. Because we
get so much garbage scanning, if the scanner tries to hit an IP address,
that does not have an ARP resolution, it really clutters up traffic
unnecessarily. A simple case from my lab illustrates some of the
difficulty.
Here I am sending a single transit packet, passing through my MX, destined
to an IP that will not resolve. Since the MX has nowhere immediately to
send the packet, the RE spits out a bunch of ARP requests:
17:30:35.095861 ARP, Request who-has 192.168.10.21 tell 192.168.10.8,
length 46
17:30:35.713821 ARP, Request who-has 192.168.10.21 tell 192.168.10.8,
length 46
17:30:36.613849 ARP, Request who-has 192.168.10.21 tell 192.168.10.8,
length 46
17:30:37.513831 ARP, Request who-has 192.168.10.21 tell 192.168.10.8,
length 46
17:30:38.313831 ARP, Request who-has 192.168.10.21 tell 192.168.10.8,
length 46
Correspondingly, rtsockmon -tn logs this:
[17:30:35:099.939] kernel P route add inet 192.168.10.21
tid=36 plen=32 type=dest flags=0x180 nh=hold nhflags=0x1 nhidx=1290
rt_nhiflist = 0 altfwdnhidx=0 filtidx=0 lr_id = 0 featureid=0
rt_mcast_nhiflist=-1610628420
[17:30:35:101.376] kernel P nexthop add inet nh=hold
flags=0x1 uflags=0x0 idx=1290 ifidx=421 filteridx=0 lr_id =0
[17:30:39:013.595] kernel P route delete inet 192.168.10.21
tid=36 plen=32 type=dest flags=0x180 nh=hold nhflags=0x1 nhidx=1290
rt_nhiflist = 0 altfwdnhidx=0 filtidx=0 lr_id = 0 featureid=0
rt_mcast_nhiflist=-1610628420
[17:30:39:013.710] kernel P nexthop delete inet nh=hold
flags=0x5 uflags=0x0 idx=1290 ifidx=421 filteridx=0 lr_id =0
In a real world case, we have generally observed a fairly even
distribution of scanning attempts on non-resolving IPs, across an entire
subnet, over time. So, let's say you have an unused class C, being scanned
at the rate of 4 IPs per second, such that every address gets scanned once
a minute. Assuming that each incoming transit packet kicks off 5 ARP
requests (1 initial, plus 4 retries), as I saw above, that would trigger
somewhere over 1200 ARP requests a minute, or about 20 ARP packets a
second.
That is a fairly moderate amplification type of attack.
In a DHCP-serviced subnet, like a /20 with some 4000 available host IPs,
we might have only 3000 being used at any one time, but we want to give
enough headroom to accommodate fluctuations in DHCP usage. But that leaves
those 1000 remaining, unused IPs unintentionally triggering lots of
unnecessary ARP traffic.
Specifically, what would be nice, is if there was a way to manipulate that
ARP retry mechanism, from 4 retries, down to 2, to cut down on the noise.
So far, I have not found a knob in Junos on the MX to do this.
Am I missing something?
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
200 Ukrop Way
Williamsburg VA 23187
More information about the juniper-nsp
mailing list