IntraLink
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Fri May 28, 2004 5:44 pm
Location: Utah Valley
Contact:

Mikrotik ARP Storm

Wed May 09, 2007 6:23 am

Is there ANY way to limit ARP requests in MT??

Every so often I get slammed with my MT box doing thousands of ARP requests a second on my Public IP subnet.

I'm assuming this is coming from the internet, but I can't find any way to limit or firewall this behaviour in Mikrotik.

Basically I'm a sitting duck for ARP attacks, right?
 
winxp2000
Member Candidate
Member Candidate
Posts: 113
Joined: Mon Jan 30, 2006 8:57 pm
Location: China
Contact:

Wed May 09, 2007 1:09 pm

In your MT firewall, set the input chain to drop:

>/ip firewall filter
>add chain=input action=drop
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Wed May 16, 2007 4:12 am

Accept only the MAC addresses of your clients and reject all others.
You can achieve that by going to the interface the clients are connected to and setting ARP to reply-only:
/interface ethernet set local arp=reply-only

In this case none of the clients can communicate with your MT, not even you, so you should add your IP and MAC address to the ARP list as a static entry before doing this.

regards
 
IntraLink
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Fri May 28, 2004 5:44 pm
Location: Utah Valley
Contact:

Re: Mikrotik ARP Storm

Fri Jun 01, 2007 11:39 pm

I can't use static ARP since the customer is allowed to change their MAC.

Any other ideas??
 
Diganet
Member
Member
Posts: 342
Joined: Sun Oct 30, 2005 9:30 pm
Location: Denmark
Contact:

Re: Mikrotik ARP Storm

Sat Jun 02, 2007 12:54 am

> Is there ANY way to limit ARP requests in MT??
>
> Every so often I get slammed with my MT box doing thousands of ARP requests a second on my Public IP subnet.
>
> I'm assuming this is coming from the internet, but I can't find any way to limit or firewall this behaviour in Mikrotik.
>
> Basically I'm a sitting duck for ARP attacks, right?

I would like to see some of that, sounds like some bad misconfiguration somewhere. Only way RouterOS would make an ARP req is if it's trying to reach (initiate connection to) the IPs it's ARPing for. Also it would only ARP for addresses in the same subnet as its own interfaces. No packet from outside could trigger an ARP req. If RouterOS receives a packet from its own subnet it already knows the MAC and wouldn't make an ARP req except maybe from spoofed IP addresses, but this you can filter in the Firewall (check http://wiki.mikrotik.com/wiki/Dmitry_on ... nity-check). If it comes from outside the WAN subnet, all RouterOS ever would ARP for is the MAC of the default GW.

Please post your config and show us some from your sniff.

Regards

Henrik
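Henrik's reasoning above gives three things to check in a sniff of such a burst: how many requests per second there are, whether the router itself is the one asking (which only happens when it is trying to reach those hosts), and whether any sender or target address lies outside the router's own subnets (spoofed or off-wire addresses, the kind the sanity-check firewall rules filter). The script below is an added example, not code from the thread or from MikroTik; it assumes tcpdump-style ARP text lines ("ARP, Request who-has X tell Y") and an assumed router addressing of 203.0.113.0/24 and 192.168.88.0/24 with the router at .1 on each, and it runs on a small constructed capture built inline.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed sniffer line format (tcpdump-style), not taken from the thread:
#   12:00:01.000123 ARP, Request who-has 203.0.113.77 tell 203.0.113.1, length 28
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ ARP, Request who-has (?P<target>[\d.]+) "
    r"tell (?P<sender>[\d.]+)"
)

# Assumed router addressing (documentation ranges), not from the thread.
LOCAL_SUBNETS = (ip_network("203.0.113.0/24"), ip_network("192.168.88.0/24"))
ROUTER_IPS = frozenset({ip_address("203.0.113.1"), ip_address("192.168.88.1")})


def is_local(addr):
    """True if addr lies in one of the router's own interface subnets."""
    return any(addr in net for net in LOCAL_SUBNETS)


def parse_requests(lines):
    """Return (second, sender, target) for every ARP request line; replies and other lines are skipped."""
    requests = []
    for line in lines:
        m = ARP_REQUEST.match(line)
        if m:
            requests.append((m["ts"], ip_address(m["sender"]), ip_address(m["target"])))
    return requests


def triage(lines, rate_threshold=100):
    """Summarise an ARP capture along the lines of the reasoning in the post above."""
    reqs = parse_requests(lines)
    per_second = Counter(ts for ts, _, _ in reqs)
    storm_seconds = {ts: n for ts, n in per_second.items() if n >= rate_threshold}
    # Requests the router itself sent: it only does this when it tries to reach
    # those hosts, so a sweep of many distinct targets means something on or
    # behind the router is initiating traffic to the whole subnet.
    router_targets = {t for _, s, t in reqs if s in ROUTER_IPS}
    # Sender addresses that do not belong to any local subnet: the spoofed-source
    # case that a sanity-check firewall rule would drop.
    off_subnet_senders = Counter(s for _, s, _ in reqs if not is_local(s))
    # Targets outside every local subnet are never something this link should ARP for.
    off_subnet_targets = Counter(t for _, _, t in reqs if not is_local(t))
    return {
        "total_requests": len(reqs),
        "storm_seconds": storm_seconds,
        "router_target_count": len(router_targets),
        "off_subnet_senders": off_subnet_senders,
        "off_subnet_targets": off_subnet_targets,
    }


def sample_capture():
    """Constructed sniffer lines: a one-second sweep by the router plus a few odd frames."""
    lines = []
    for host in range(2, 152):  # 150 requests inside the same second
        lines.append(
            f"12:00:01.{host:06d} ARP, Request who-has 203.0.113.{host} "
            f"tell 203.0.113.1, length 28"
        )
    lines.append("12:00:01.900000 ARP, Reply 203.0.113.2 is-at 00:11:22:33:44:55, length 28")
    lines.append("12:00:02.000001 ARP, Request who-has 203.0.113.1 tell 10.9.9.9, length 28")
    lines.append("12:00:02.000002 ARP, Request who-has 203.0.113.1 tell 10.9.9.9, length 28")
    lines.append("12:00:02.000003 ARP, Request who-has 198.51.100.5 tell 203.0.113.40, length 28")
    return lines


if __name__ == "__main__":
    for key, value in triage(sample_capture()).items():
        print(f"{key}: {value}")
```

On the constructed capture the report shows one second with 150 requests, all of them sent by the router for 150 distinct local hosts (the "router initiating connections" case), two requests from a sender that is not on any local subnet, and one request for a target outside the local subnets. To run it against a real sniff, feed `triage()` the lines of a text export in the same format and adjust `LOCAL_SUBNETS` and `ROUTER_IPS` to the box's actual addressing.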
