From owner-freebsd-net@FreeBSD.ORG Tue Dec 21 02:43:37 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89E9216A4CE for ; Tue, 21 Dec 2004 02:43:37 +0000 (GMT) Received: from outbound0.sv.meer.net (outbound0.sv.meer.net [205.217.152.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5174D43D5E for ; Tue, 21 Dec 2004 02:43:37 +0000 (GMT) (envelope-from gnn@neville-neil.com) Received: from mail.meer.net (mail.meer.net [209.157.152.14]) iBL2hZwN069351; Mon, 20 Dec 2004 18:43:36 -0800 (PST) (envelope-from gnn@neville-neil.com) Received: from minion.local.neville-neil.com (pc1.oakwoodazabu1-unet.ocn.ne.jp [220.110.140.201]) by mail.meer.net (8.12.10/8.12.10/meer) with ESMTP id iBL2hYgA095776; Mon, 20 Dec 2004 18:43:34 -0800 (PST) (envelope-from gnn@neville-neil.com) Date: Tue, 21 Dec 2004 11:43:22 +0900 Message-ID: From: gnn@FreeBSD.org To: Lee Johnston In-Reply-To: <6.1.0.6.0.20041220191713.019eff38@mail.wildcardinternet.co.uk> References: <6.1.0.6.0.20041220191713.019eff38@mail.wildcardinternet.co.uk> User-Agent: Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.5 (Awara-Onsen) FLIM/1.14.5 (Demachiyanagi) APEL/10.5 Emacs/21.2 (powerpc-apple-darwin) MULE/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.5 - "Awara-Onsen") Content-Type: text/plain; charset=US-ASCII cc: freebsd-net@FreeBSD.org Subject: Re: FreeBSD Router : ARP who-has requests X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Dec 2004 02:43:37 -0000 At Mon, 20 Dec 2004 19:28:21 +0000, Lee Johnston wrote: > Does any one have any ideas on this? Could the kernel option (options HZ) > which we use for dummynet/polling effect the rate in which ARP requests are > issued? > > I had planned to place each subnet in a VLAN, and looks like this will have > to be done fairly quickly. But I just don't understand the sudden increase. > My only other though is that some could be port scanning, or someone has > just been exploited. > > Appreciate any feedback. > This may be obvious to you, but I would sniff the net for the IPs that are being arped for. Also, if you're being scanned there might be a pattern. Good luck, George