ARP request from other network?

cause Member
edited January 2013 in General

One of my KVM boxes is receiving strange ARP packets. The ARP requests seem to come from another network prefix that should be in another datacenter.

The ARP requests themselves might not be an issue, but my box randomly failed to connect to some hosts in the IP range. I thought someone on the same network segment misconfigured his interface and/or ARP packets are not properly filtered; however, my VPS provider said there is nothing unusual.
Is this a normal situation for hosting providers?

Thanks for any info.

Comments

  • MonsteR Member
    edited January 2013

    Are you sure it's not a misconfigured router/firewall?

  • jh Member

    As far as I know you should only get ARP packets from the same VLAN, so it does sound like a misconfiguration.

  • cause Member
    edited January 2013

    @MonsteR @jhadley
    Thanks for supporting my guess.
    Unfortunately I'm only a user of a LEB provider, frontrangehosting, so I cannot check routers and host nodes...

    And I'm worried about their security. It seems like any evil user can hijack L2/L3 routes? Is this a terrible misunderstanding on my part?

  • Okay, at least I know I answered your question. It's all just the usual several nodes on the same VLAN sharing a few /24s between them. In this case the routers appear to be sending ARP requests from the first subnet configured on it instead of the gateway IP of each subnet. I'm sure it's considered a "Feature", but in the next week or two we're moving onto new routing firmware, so I'll wait to see if it goes away on its own or open a support ticket at that time.

  • As for IP/MAC spoofing, it's terribly hard to do anything effective if you steal someone else's MAC; half the time it sends both hosts offline. IP spoofing can happen, but Solus has some protection for it, and our routers start filling logs with dup address alerts immediately.

  • @FRCorey
    It sounds like you do not separate your clients' dedicated servers nor filter spoofed packets from VMs?

    Spoofed source IP packets from outside of one's network are really hard to prevent, but I could not understand why preventing spoofing is terribly hard if the packets come from a network which is under your control. VLANs do L2 separation between dedicated servers owned by your clients. libvirt can filter most spoofing from evil VMs.

    The misconfigured packets I found were from your L2 segment (or the host node of the VM), not from outside of your subnets, but the request/source IP address in the ARP was announced from a different datacenter.
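An added example, not part of the thread or any poster's code: a check a VPS user can run over captured ARP payloads to list requests whose sender IP is outside the prefixes assigned to the segment, which is the symptom discussed above. The `ON_LINK` prefixes, MAC addresses, helper names and sample packets are constructed assumptions; capturing the frames is left to whatever tool you already use.

```python
import ipaddress
import struct

# Assumption: prefixes assigned to this L2 segment (constructed documentation ranges).
ON_LINK = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP payload (the 28 bytes after the Ethernet header)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": oper, "sender_mac": sha.hex(":"),
            "sender_ip": ipaddress.ip_address(spa),
            "target_ip": ipaddress.ip_address(tpa)}

def off_link_senders(payloads, on_link=ON_LINK) -> dict:
    """Map each off-link sender IP to the set of MACs that claimed it."""
    findings = {}
    for payload in payloads:
        try:
            arp = parse_arp(payload)
        except ValueError:
            continue  # skip frames that are not well-formed Ethernet/IPv4 ARP
        ip = arp["sender_ip"]
        if ip.is_unspecified:
            continue  # address probes (RFC 5227) use sender 0.0.0.0 by design
        if not any(ip in net for net in on_link):
            findings.setdefault(str(ip), set()).add(arp["sender_mac"])
    return findings

def make_arp(oper, mac, spa, tpa) -> bytes:
    """Build a constructed ARP payload for the sample data below."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(mac.replace(":", "")),
                       ipaddress.ip_address(spa).packed, bytes(6),
                       ipaddress.ip_address(tpa).packed)

# Constructed sample: one router MAC sends requests with an on-link sender IP and
# with a sender IP from a prefix not assigned here; the third packet is a probe.
SAMPLE = [
    make_arp(1, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.50"),
    make_arp(1, "02:00:00:00:00:01", "203.0.113.1", "192.0.2.50"),
    make_arp(1, "02:00:00:00:00:09", "0.0.0.0", "192.0.2.77"),
]
```

A single MAC appearing under both on-link and off-link sender IPs points at a router sourcing ARP from the wrong configured subnet, while an off-link sender IP arriving from an unfamiliar MAC is the case worth raising with the provider.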
