Proxy ARP detection

Niels Bakker niels=nanog at bakker.net
Thu Jan 16 00:03:31 UTC 2014


* clay at bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>This is where theory diverges nicely from practice. In some cases 
>the offender broadcast his reply, and guess what else? A lot of 
>routers listen to unsolicited ARP replies.

I've never seen this.  Please name vendor and product, if only so 
other subscribers to this list can avoid doing business with them.


>So no, even though I consider it someone else’s bad behavior to 
>broadcast an ARP reply, I’m not willing to take the chance with an 
>IP that doesn’t belong to me.

So do an ARP request for www.equinix.com, or (and!) for an unused 
address on your Peering LAN.  Standard tools like arpwatch should 
alert you to fishy things going on, loudly.


	-- Niels.

-- 
"It's amazing what people will do to get their name on the internet, 
  which is odd, because all you really need is a Blogspot account."
			-- roy edroso, alicublog.blogspot.com
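
Added example (not part of the original message, and not arpwatch's code): the check suggested above, run over captured frames. It assumes ARP requests were sent for two canary addresses (one unused on the LAN, one off-subnet) and flags any reply claiming them, plus broadcast replies; all addresses, MACs and function names are constructed for illustration.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6

def build_arp(eth_dst, op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame (used only for the constructed samples)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (eth_dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + ip(spa) + tha + ip(tpa))

def parse_arp(frame):
    """Return (eth_dst, opcode, sender_mac, sender_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack("!6s4s", frame[22:32])
    return frame[0:6], op, sha, ipaddress.IPv4Address(spa)

def find_proxy_arp(frames, canary_ips):
    """Flag replies whose sender IP is a canary; note broadcast replies too."""
    canaries = {ipaddress.IPv4Address(ip) for ip in canary_ips}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] != 2:   # opcode 2 = reply
            continue
        eth_dst, _, sha, spa = parsed
        who = ":".join(f"{b:02x}" for b in sha)
        if spa in canaries:                    # nobody should answer for these
            alerts.append((who, str(spa), "reply for canary address"))
        elif eth_dst == BROADCAST:             # reply sent to everyone on the LAN
            alerts.append((who, str(spa), "broadcast reply"))
    return alerts

# Constructed sample capture: documentation prefixes, locally administered MACs.
ME = bytes.fromhex("020000000001")
mac = lambda last: bytes.fromhex("0200000000" + last)
CANARIES = ["192.0.2.250", "198.51.100.10"]    # unused on-LAN, and off-subnet
SAMPLE_FRAMES = [
    build_arp(BROADCAST, 1, ME, "192.0.2.1", b"\0" * 6, "192.0.2.250"),  # our probe
    build_arp(ME, 2, mac("10"), "192.0.2.10", ME, "192.0.2.1"),          # normal reply
    build_arp(ME, 2, mac("66"), "192.0.2.250", ME, "192.0.2.1"),         # proxy ARP
    build_arp(ME, 2, mac("66"), "198.51.100.10", ME, "192.0.2.1"),       # proxy ARP
    build_arp(BROADCAST, 2, mac("20"), "192.0.2.20", ME, "192.0.2.1"),   # broadcast reply
]

if __name__ == "__main__":
    for alert in find_proxy_arp(SAMPLE_FRAMES, CANARIES):
        print(alert)
```
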



