After I send ARP Request packets with the same source IP address, why do I sometimes receive response packets only at the rate of five packets per second

0

By default, AR series routers limit the rate of Address Resolution Protocol (ARP) packets with the same source IP address to prevent ARP attacks. The default rate limit is 5 packets per second.

Other related questions:
Why sometimes the return rate is 5 pps when ARP request packets containing the same source IP address are sent
The router sets the rate limit for ARP packets containing the same source IP address to a default value 5 pps to prevent ARP attacks.

Handling of many ARP request or replay packets received on S series switches
When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur: -Users get offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network. -The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline. -Ping delay, packet loss, or failure occurs. You can perform the following steps to troubleshoot the preceding problems: Saving the results of each step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel. 1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of the dropped ARP Request or ARP Reply packets is increasing. -If the count is 0, the switches do not drop any ARP Request or Reply packets. Then go to step 6. If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and excess ARP packets are discarded. Then go to step 2. 2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU. - If the CPU usage is in the normal range, go to step 3. - If the CPU usage is higher than 70%, go to step 5. 3. Run the car command in the attack defense policy view to properly increase the CPCAP rate limit for ARP Request or ARP Reply packets. Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. The car command takes effect after you apply the attack defense policy. If the fault persists or the fault is removed but the CPU usage is still high, go to step 4. 4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from a source MAC or IP address, the switches consider the source address as an attack source. Run the arp speed-limit source-ip [ ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address or run the arp speed-limit source-mac [ ] maximum command to configure ARP packet rate limit based on the source MAC address to adapt to actual network situations. By default, the function of ARP packet rate limit based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets with the same source IP address to pass through every second. After the rate of ARP packets reaches this limit, the switches discard subsequent ARP packets. The rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address. After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (such as 5 bit/s), --If the fault persists, go to step 5. -- If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. After that, if the CPU usage is still high, go to step 6. 5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from a source address, the switches consider the source address as an attack source. You can configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the fault persists, go to step 6. 6. Collect the following information and contact Huawei technical support personnel: Results of the preceding troubleshooting procedure Configuration files, logs, and alarms of the switches

What are the causes for ARP request packet attacks on S series
For S series switcheses (except S1700 switches): This problem may be caused by intranet computer viruses or special software. If services are normal, no action is required. If services are faulty, locate faults based on symptoms. For example, you can configure attack source tracing on the switch to search for the attack source before implementing further operations.

What is the meaning of PACKET_LENGTH_WRON in the NTP log of the AR router
NTP/4/PACKET_LENGTH_WRON G(l)[500]:The received NTP packet is longer than or shorter than a valid packet. This log is generated when the AR receives NTP packets in which the packet length is not in the range of 32 to 68. If this log does not need to be displayed, run the info-center filter-id bymodule-alias CFM CFM_LOG command in the system view.

Why does one BGP end send the open packet twice sometimes
The BGP session relationship is not the master-slave relationship. Both BGP ends may actively establish connections. The open packet is sent regardless of the connection established actively or passively. In addition, one connection is terminated during the negotiation. Therefore, the open packet may be sent twice.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top