Extremely high arp flooding from the router

arp, networking, wireshark

My subnet is 10.162.0.0/16. We have a router with a couple of interfaces. Our gateway address for this subnet is 10.162.0.1.

The router is in another building and I haven't got direct access to it. The line from the router comes to my main layer-2 switch, a D-Link DES-3550 (10.162.0.250), and the other part of the subnet is connected to this switch.
The network works well for a short period of time (5 – 20 minutes), then the "attack" starts and the problem repeats again.

How the "attack" looks:
I used Wireshark to check the problem. I can see our gateway router (10.162.0.1) incessantly ARP requesting one or a couple of addresses from my subnet, such as:

10.162.0.1 Broadcast ARP 60 Who has 10.162.8.75? Tell 10.162.0.1

10.162.8.75 doesn't answer my pings.

I assigned one of the addresses that was being ARPed to my computer. My machine answered the ARPs and sent my MAC. But the router didn't care and continued sending ARPs.

The router sent about 10,000 – 25,000 ARPs per second. So it is impossible even to ping 10.162.0.1 from any computer in my subnet. Sometimes my main switch (10.162.0.250) doesn't answer pings, or answers with a delay of about 3 sec.

The attack stopped when I rebooted my switch (10.162.0.250) or disconnected some of its ports (in most cases disconnecting ports 10 and 11 helped, so maybe something happened there).

When the next attack starts, the ARP requests are for different addresses. It seems to randomly choose addresses to ARP.

Why is our router sending so many ARPs? Is a computer on a different subnet attacking the router? If the source is a computer from 10.162.0.0/16, then why does the router send ARP requests (I can't understand this)? How can I solve this problem?

Best Answer

Check if you have a loop.

When a switch receives a broadcast packet (like ARP), it sends it out through all ports. If you have a looped cable (from one port to another in the same broadcast domain), that packet comes back to the switch and is broadcast again through all ports (and comes back again, and again, ...).

So basically, check if you have a cable going from one port to another on the same switch, or to another switch connected to the first one, and disconnect it. If you have managed switches, you should enable (R)STP to avoid such issues: with STP enabled, you can actually achieve redundancy with a loop, but when all is functioning correctly, one connection will be disabled by the switch itself.
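A way to tell a loop-driven broadcast storm apart from a host that is merely scanning, using the kind of Wireshark summary lines shown in the question, as an added example (not part of the original question or answer). It assumes the packet list has been exported as text in the same column order as the line in the question (time, source, destination, protocol, length, info); the capture lines below are constructed, and the rate and repeat-share thresholds are illustrative, not values from the post.

```python
import re
from collections import Counter, defaultdict

# Matches a Wireshark summary line for an ARP request, e.g.
# "0.000012 10.162.0.1 Broadcast ARP 60 Who has 10.162.8.75? Tell 10.162.0.1"
ARP_REQ = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+Broadcast\s+ARP\s+\d+\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)$"
)


def parse_arp_requests(lines):
    """Return a list of (timestamp, sender_ip, target_ip) for ARP request lines.
    Replies ('x is at mac') and non-ARP lines are ignored."""
    out = []
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            out.append((float(m["t"]), m["sender"], m["target"]))
    return out


def per_sender_stats(requests):
    """Per ARP sender: request count, requests per second over the sender's
    own time window, number of distinct targets, and the share of requests
    that went to the single most common target."""
    by_sender = defaultdict(list)
    for t, sender, target in requests:
        by_sender[sender].append((t, target))
    stats = {}
    for sender, entries in by_sender.items():
        times = [t for t, _ in entries]
        window = max(times) - min(times)
        targets = Counter(tg for _, tg in entries)
        count = len(entries)
        stats[sender] = {
            "count": count,
            "rate_per_s": count / window if window > 0 else float(count),
            "distinct_targets": len(targets),
            "top_target_share": targets.most_common(1)[0][1] / count,
        }
    return stats


def classify(stats, rate_threshold=1000.0, repeat_share=0.9):
    """Label each sender. 'loop-replay' means a high rate made up almost
    entirely of one repeated request, which is what a layer-2 loop
    re-broadcasting the same frame looks like; 'scan-like' means a high
    rate spread over many targets. Thresholds are assumptions."""
    verdicts = {}
    for sender, s in stats.items():
        if s["rate_per_s"] < rate_threshold:
            verdicts[sender] = "normal"
        elif s["top_target_share"] >= repeat_share:
            verdicts[sender] = "loop-replay"
        else:
            verdicts[sender] = "scan-like"
    return verdicts


def build_sample_capture():
    """Constructed capture: one gateway request replayed 5000 times in half a
    second (loop signature), three ordinary requests from a workstation, and
    one ARP reply that the parser must skip. MAC address is made up."""
    lines = []
    for i in range(5000):
        lines.append(f"{i * 0.0001:.6f} 10.162.0.1 Broadcast ARP 60 "
                     f"Who has 10.162.8.75? Tell 10.162.0.1")
    for i, tgt in enumerate(["10.162.0.1", "10.162.0.250", "10.162.3.7"]):
        lines.append(f"{0.1 + i * 0.15:.6f} 10.162.5.20 Broadcast ARP 42 "
                     f"Who has {tgt}? Tell 10.162.5.20")
    lines.append("0.250000 10.162.0.250 10.162.5.20 ARP 60 "
                 "10.162.0.250 is at 00:11:22:33:44:55")
    return lines


def analyse(lines):
    """Parse, summarise and classify; returns (stats, verdicts)."""
    stats = per_sender_stats(parse_arp_requests(lines))
    return stats, classify(stats)


if __name__ == "__main__":
    stats, verdicts = analyse(build_sample_capture())
    for sender, s in stats.items():
        print(f"{sender:>14} {s['rate_per_s']:9.0f} req/s "
              f"{s['distinct_targets']:4d} targets  -> {verdicts[sender]}")
```

Run against a real export, a 'loop-replay' verdict on the gateway address points at the switch fabric (a looped port pair, no STP) rather than at the router itself, which matches the observation that disconnecting specific switch ports stopped the flood; a 'scan-like' verdict would instead point at the router genuinely resolving many addresses.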
