[IXP NGB] RV: Arp Miss Attack

Fernando Soto soto.fernando en bbt.com.ar
Jue Sep 23 21:00:32 -03 2021 

Estimados miembros, por favor podrían pedir a su personal técnico si ven logs en su router conectado al IXP , parecidos a estos?
Mi router me avisa de estos ataques de ARP por el puerto que tengo conectado al IXP y lo estamos investigando.

Gracias.



Sep 22 2021 18:21:29-03:00 SW1POP20-L3 %%01SECE/4/ARPMISS(l)[435]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet0/0/4, SourceIP=186.148.170.253, AttackPackets=43 packets per second)

Sep 22 2021 18:18:13-03:00 SW1POP20-L3 %%01SECE/4/ARPMISS(l)[436]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet0/0/4, SourceIP=20.199.105.48, AttackPackets=39 packets per second)

Sep 22 2021 18:11:28-03:00 SW1POP20-L3 %%01SECE/4/ARPMISS(l)[437]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet0/0/4, SourceIP=47.98.232.243, AttackPackets=39 packets per second)

Sep 22 2021 18:10:05-03:00 SW1POP20-L3 %%01SECE/4/ARPMISS(l)[438]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet0/0/4, SourceIP=186.148.164.42, AttackPackets=50 packets per second)






De: Julio Policarpo <noc.julio en cabase.org.ar<mailto:noc.julio en cabase.org.ar>>
Enviado el: lunes, 20 de septiembre de 2021 10:13
Para: Fernando Soto <soto.fernando en bbt.com.ar<mailto:soto.fernando en bbt.com.ar>>; 'NOC Cabase' <noc en cabase.org.ar<mailto:noc en cabase.org.ar>>
CC: Teleco <teleco en bbt.com.ar<mailto:teleco en bbt.com.ar>>
Asunto: RE: Arp Miss Attack

Estimados, se generó el ticket número TT4144 para dicha solicitud, los mantendremos informados

Saludos cordiales.



[cid:image001.png en 01D7AE0C.438773B0]<https://www.cabase.org.ar/>

Julio Policarpo | NOC CABASE
Suipacha 128 - 3 "F"<https://goo.gl/maps/bpkHRVuKDzj> - Tel: (+5411) 5263-7456
www.cabase.org.ar<https://www.cabase.org.ar/>
[cid:image002.png en 01D7AE0C.438773B0]<https://www.linkedin.com/company/cabase>[cid:image003.png en 01D7AE0C.438773B0]<https://www.facebook.com/CabaseAr/>[cid:image004.png en 01D7AE0C.438773B0]<https://twitter.com/CabaseAr>[cid:image005.png en 01D7AE0C.438773B0]<https://www.youtube.com/channel/UCFv0lo1ybgvDesRoFr1ZTTw>


De: Fernando Soto <soto.fernando en bbt.com.ar<mailto:soto.fernando en bbt.com.ar>>
Enviado el: lunes, 20 de septiembre de 2021 10:01
Para: NOC Cabase <noc en cabase.org.ar<mailto:noc en cabase.org.ar>>
CC: Teleco <teleco en bbt.com.ar<mailto:teleco en bbt.com.ar>>
Asunto: Arp Miss Attack

Buenos día Noc
Les quería pedir por favor si me pueden ayudar con este log que veo en nuestro switch Huawei 6720 con el que hago bgp contra el IXP

arp Miss Attack desde distintas ips
Me llega solo de la interfaz que tengo contra el IXP (xgiga 0/0/4)
y llegan todos los días.


No me queda claro el concepto del ataque:
What Is ARP Miss?

The device sends an ARP Miss message when the routing table contains the routing entry that maps the destination IP address of an IP packet, but does not contain the ARP entry that maps the next hop of the routing entry.

The IP packet that triggers the ARP Miss message is sent to the CPU for processing. The device generates and delivers a temporary ARP entry based on the ARP Miss message, and sends an ARP Request packet to the destination network.

If a host sends a large number of IP packets with unresolvable destination IP addresses (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route) to a device, the device sends a large number of ARP Miss messages and many ARP Request packets to the destination network, consuming considerable CPU and bandwidth resources.



<SW1POP20-L3>display ip routing-table 186.148.164.42

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Table : Public

Summary Count : 1

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface



        0.0.0.0/0   EBGP    255  0          RD   10.169.250.161  Vlanif101



<SW1POP20-L3>





<SW1POP20-L3>display ip routing-table 199.195.254.38

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Table : Public

Summary Count : 1

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface



        0.0.0.0/0   EBGP    255  0          RD   10.169.250.161  Vlanif101



<SW1POP20-L3>





[cid:image007.jpg en 01D7AE0C.43A92C80]
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0001.html>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 11291 bytes
Desc: image001.png
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0005.png>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1556 bytes
Desc: image002.png
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0006.png>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1472 bytes
Desc: image003.png
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0007.png>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1716 bytes
Desc: image004.png
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0008.png>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 1510 bytes
Desc: image005.png
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0009.png>
------------ próxima parte ------------
A non-text attachment was scrubbed...
Name: image007.jpg
Type: image/jpeg
Size: 236337 bytes
Desc: image007.jpg
URL: <http://mailmancabase.interdotnet.com.ar/pipermail/ixpgbanorte/attachments/20210924/6ee238bf/attachment-0001.jpg>

Más información sobre la lista de distribución Ixpgbanorte