Date: Mon, 20 Dec 2004 19:28:21 +0000 From: Lee Johnston <lee@wildcard.net.uk> To: freebsd-net@freebsd.org Subject: FreeBSD Router : ARP who-has requests Message-ID: <6.1.0.6.0.20041220191713.019eff38@mail.wildcardinternet.co.uk>
next in thread | raw e-mail | index | archive | help
Hi there, We are using a FreeBSD machine as a router in one of our PoPs (using Quagga for BGP support). Today I've noticed a sudden increase in the amount of ether broadcast traffic on the network. This seems to boil down to the rate the router is issuing ARP who-has requests. The machine has about 10 local subnets connected to it via one interface (ranging in size up to /26's, totalling about a /23). I'm using device polling on the network adapters, and have the following option in the kernel: 'options HZ=1000'. The requests are only for IPs not in use (presumably because the ones in use are cached). I'm seeing the same who-has request for the same IP about 3-4 times a second. We've had the machine configured the same way for about a month, normal broadcast traffic is around 2kbps, but suddenly today it's increased 10 fold to about 20kbps. Does any one have any ideas on this? Could the kernel option (options HZ) which we use for dummynet/polling effect the rate in which ARP requests are issued? I had planned to place each subnet in a VLAN, and looks like this will have to be done fairly quickly. But I just don't understand the sudden increase. My only other though is that some could be port scanning, or someone has just been exploited. Appreciate any feedback. Thanks, Regards, Lee. Lee Johnston, Wildcard Internet t: +44 (0)845 165 1510 f: +44 (0)845 165 1511 m: +44 (0)7795 423 617 e: lee@wildcard.net.uk www: http://www.wildcard.net.uk/ Web Development - Domains - Hosting - Co-location - Dedicated Servers
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.1.0.6.0.20041220191713.019eff38>