Most of you have probably seen these DEFD/4/CPCAR_DROP_MPU alerts in your logs at least once, shouting at you that ARP Miss messages exceeded the CPCAR limit on the CPU.
DEFD/4/CPCAR_DROP_MPU(l)[0]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-miss, ExceededPacketCount=682)
What are these ARP Miss messages, and should they scare us?
ARP Miss messages are sent to the master control board for processing when the device has a route to a destination but doesn’t have an ARP entry for the next hop of the route. So, if a host sends a large number of IP packets with unresolvable destination IP addresses, the device triggers a large number of ARP Miss messages. When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
To be clear, these ARP Miss messages are normal in a lot of situations. When someone from outside our network is trying to reach an inside host and the device doesn’t have an ARP entry for the next hop, an ARP Miss message will be generated.
Of course, they could be the result of an attack as well, because not everyone in this world wishes us well.
Attackers could scan hosts on the local network segment or on other network segments, sending many IP packets with unresolvable destination IP addresses and harming the device in the process. As a result, the device triggers many ARP Miss messages, generates a large number of fake ARP entries, and broadcasts ARP Request packets to resolve the destination IP addresses, leading to Central Processing Unit (CPU) overload.
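To tell the occasional, normal ARP Miss drop from the sustained pattern described above, the alerts can be bucketed over time. The following is an added example, not code from the original page or from the vendor: it assumes each log line starts with a "Mon DD YYYY HH:MM:SS" timestamp followed by a hostname, and the window and thresholds are illustrative values to tune against your own baseline.

```python
import re
from datetime import datetime, timedelta

# Matches the alert body shown above; the leading timestamp format is an assumption.
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) .*?"
    r"DEFD/4/CPCAR_DROP_MPU\(l\)\[\d+\]:.*?"
    r"\(Protocol=(?P<proto>[\w-]+), ExceededPacketCount=(?P<count>\d+)\)"
)

def parse_alerts(lines):
    """Yield (timestamp, protocol, dropped_count) for each CPCAR_DROP_MPU line."""
    for line in lines:
        m = ALERT.search(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
            yield ts, m["proto"], int(m["count"])

def sustained_arp_miss(lines, window=timedelta(minutes=5), min_alerts=3, min_dropped=1500):
    """Return (first, last, dropped) for windows where arp-miss drops are sustained."""
    events = sorted((ts, n) for ts, proto, n in parse_alerts(lines) if proto == "arp-miss")
    hits, start = [], 0
    for end in range(len(events)):
        # Slide the window start forward until it spans at most `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        dropped = sum(n for _, n in events[start:end + 1])
        if end - start + 1 >= min_alerts and dropped >= min_dropped:
            hits.append((events[start][0], events[end][0], dropped))
    return hits

# Constructed sample log: timestamps, hostname (SW1), prefix and counts are made up.
BODY = ("{} SW1 %%01DEFD/4/CPCAR_DROP_MPU(l)[0]:Rate of packets to cpu exceeded "
        "the CPCAR limit on the MPU. (Protocol={}, ExceededPacketCount={})")
SAMPLE = [BODY.format(*row) for row in [
    ("Mar  3 2024 09:12:07", "arp-miss", 682),      # isolated alert, likely benign
    ("Mar  3 2024 14:00:10", "arp-miss", 700),
    ("Mar  3 2024 14:01:10", "arp-request", 120),   # other protocol, ignored
    ("Mar  3 2024 14:02:10", "arp-miss", 900),
    ("Mar  3 2024 14:03:40", "arp-miss", 1100),
]]

if __name__ == "__main__":
    for first, last, dropped in sustained_arp_miss(SAMPLE):
        print(f"sustained arp-miss drops {first} -> {last}: {dropped} packets")
```

A flagged window is a prompt to look at which source is sending traffic to unresolvable addresses, not proof of an attack by itself.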