From: Lee Johnston
Date: Mon, 20 Dec 2004 19:28:21 +0000
To: freebsd-net@freebsd.org
Subject: FreeBSD Router : ARP who-has requests

Hi there,

We are using a FreeBSD machine as a router in one of our PoPs (using Quagga for BGP support). Today I've noticed a sudden increase in the amount of ether broadcast traffic on the network. This seems to boil down to the rate the router is issuing ARP who-has requests.

The machine has about 10 local subnets connected to it via one interface (ranging in size up to /26's, totalling about a /23). I'm using device polling on the network adapters, and have the following option in the kernel: 'options HZ=1000'.
The requests are only for IPs not in use (presumably because the ones in use are cached). I'm seeing the same who-has request for the same IP about 3-4 times a second. We've had the machine configured the same way for about a month, normal broadcast traffic is around 2kbps, but suddenly today it's increased 10-fold to about 20kbps.

Does anyone have any ideas on this? Could the kernel option (options HZ) which we use for dummynet/polling affect the rate in which ARP requests are issued?

I had planned to place each subnet in a VLAN, and looks like this will have to be done fairly quickly. But I just don't understand the sudden increase. My only other thought is that someone could be port scanning, or someone has just been exploited.

Appreciate any feedback.

Thanks,

Regards,
Lee.

Lee Johnston, Wildcard Internet
t: +44 (0)845 165 1510
f: +44 (0)845 165 1511
m: +44 (0)7795 423 617
e: lee@wildcard.net.uk
www: http://www.wildcard.net.uk/
Web Development - Domains - Hosting - Co-location - Dedicated Servers
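
Added example, not part of the original message: one way to quantify the symptom described above from a text capture, by counting the router's who-has requests per target IP and listing targets that never answer but are re-requested several times a second. It assumes `tcpdump -n`-style ARP lines; the addresses, the sample capture and the 3-per-second threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches old ("arp who-has X tell Y") and newer
# ("ARP, Request who-has X tell Y, length 28") tcpdump -n text output.
REQ = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ .*?who-has (\S+) tell ([^\s,]+)")
REPLY = re.compile(r"(?:arp reply|ARP, Reply) (\S+) is-at")

def summarize(lines, router):
    """Per-target stats for who-has requests sent by `router`."""
    counts = defaultdict(int)     # target IP -> total requests
    seconds = defaultdict(set)    # target IP -> seconds in which it was asked for
    answered = set()              # IPs that produced an ARP reply
    for line in lines:
        reply = REPLY.search(line)
        if reply:
            answered.add(reply.group(1))
            continue
        req = REQ.match(line)
        if not req or req.group(5) != router:
            continue              # not a request, or asked by another host
        h, m, s, target, _ = req.groups()
        counts[target] += 1
        seconds[target].add(int(h) * 3600 + int(m) * 60 + int(s))
    return {t: {"requests": n,
                "per_second": n / len(seconds[t]),
                "answered": t in answered}
            for t, n in counts.items()}

def suspects(stats, min_rate=3.0):
    """Unanswered targets re-requested at least `min_rate` times per active second."""
    return sorted(t for t, s in stats.items()
                  if not s["answered"] and s["per_second"] >= min_rate)

# Constructed capture: 192.0.2.1 is the router, .77 and .90 are unused, .10 is live.
SAMPLE = (
    ["19:29:43.%03d arp who-has 192.0.2.77 tell 192.0.2.1" % ms for ms in (101, 352, 603, 854)]
    + ["19:29:43.900 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28",
       "19:29:43.901 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:10, length 28",
       "19:29:44.500 arp who-has 192.0.2.1 tell 192.0.2.10"]
    + ["19:29:44.%03d arp who-has 192.0.2.77 tell 192.0.2.1" % ms for ms in (105, 356, 607)]
    + ["19:29:44.%03d arp who-has 192.0.2.90 tell 192.0.2.1" % ms for ms in (200, 450, 700)]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE, router="192.0.2.1")
    for ip in suspects(stats):
        print(ip, stats[ip])
```

Comparing the number of distinct unanswered targets between a normal day and the day of the increase separates "the same few unused IPs asked for more often" from "many more unused IPs being asked for", the latter being what traffic swept across the address space would produce.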