Blueyonder broadcast traffic.

 
 
Alan Greig
Guest
Posts: n/a

 
      08-07-2005, 02:10 PM

On a Telewest Blueyonder link I see the data light on almost constantly.
Running an Ethernet monitor I see this traffic is a steady 10 - 30Kbps
and consists almost entirely of the default gateway Cisco router arping
for IP addresses which appear to be other Blueyonder end user PCs.

Is this normal? Should I really be seeing 20 to 50 broadcast ARP packets
per second at the consumer end of the Surfboard modem? Could I grab
someone else's IP address if I responded to the ARP? No, I'm not going to
try, but it does seem a bit strange to me to see all this traffic.

--
Alan Greig

 
 
 
 
 
kraftee
Guest
Posts: n/a

 
      08-07-2005, 03:14 PM
Alan Greig wrote:
> On a Telewest Blueyonder link I see the data light on almost
> constantly. Running an Ethernet monitor I see this traffic is a
> steady 10 - 30Kbps and consists almost entirely of the default
> gateway Cisco router arping for IP addresses which appear to be other
> Blueyonder end user PCs.
> Is this normal? Should I really be seeing 20 to 50 broadcast ARP
> packets per second at the consumer end of the Surfboard modem? Could I
> grab someone else's IP address if I responded to the ARP? No, I'm not
> going to try, but it does seem a bit strange to me to see all this
> traffic.


Can't say for Blueyonder but NTL was like that when I subscribed to them...


 
 
Matt
Guest
Posts: n/a

 
      08-07-2005, 04:10 PM
Unfortunately that's the way it works. DOCSIS is like Ethernet - it
needs to ARP to get the MAC address. Problem is that worms scan ranges
and try to contact every IP which means you see ARP requests for devices
that are either not on or are not allocated.


Matt.

Alan Greig wrote:
>
> On a Telewest Blueyonder link I see the data light on almost constantly.
> Running an Ethernet monitor I see this traffic is a steady 10 - 30Kbps
> and consists almost entirely of the default gateway Cisco router arping
> for IP addresses which appear to be other Blueyonder end user PCs.
>
> Is this normal? Should I really be seeing 20 to 50 broadcast ARP packets
> per second at the consumer end of the Surfboard modem? Could I grab
> someone else's IP address if I responded to the ARP? No, I'm not going to
> try, but it does seem a bit strange to me to see all this traffic.
>
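
One way to quantify the traffic discussed in the posts above from frames captured on the customer side of the modem. This is an added example, not code from any poster; the addresses, MACs and the 64-byte on-wire frame size are assumptions, and the capture is constructed.

```python
import ipaddress
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
WIRE_BYTES = 64  # assumption: each ARP frame is padded to the 64-byte Ethernet minimum

def build_arp_request(sha, spa, tpa):
    """Build a broadcast who-has frame (used only for the constructed sample)."""
    eth = BROADCAST + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, request
    return (eth + arp + sha + ipaddress.IPv4Address(spa).packed
            + b"\x00" * 6 + ipaddress.IPv4Address(tpa).packed)

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for a broadcast IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[:6] != BROADCAST or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    return (str(ipaddress.IPv4Address(frame[28:32])),
            str(ipaddress.IPv4Address(frame[38:42])))

def summarise(frames, window_s, link_kbps):
    """Rate and link share of broadcast ARP requests seen in window_s seconds."""
    senders, targets = Counter(), set()
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            senders[parsed[0]] += 1
            targets.add(parsed[1])
    pps = sum(senders.values()) / window_s
    kbps = pps * WIRE_BYTES * 8 / 1000
    top = senders.most_common(1)[0] if senders else None
    return {"pps": pps, "kbps": kbps, "link_share_pct": 100 * kbps / link_kbps,
            "top_sender": top, "distinct_targets": len(targets)}

def constructed_capture():
    """One second of made-up traffic: a gateway asking for 40 different addresses."""
    gw_mac, host_mac = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02")
    frames = [build_arp_request(gw_mac, "10.0.0.1", f"10.0.0.{n}") for n in range(10, 50)]
    frames += [build_arp_request(host_mac, "10.0.0.77", "10.0.0.1")] * 2
    frames.append(b"\x00" * 12 + b"\x08\x00" + b"\x00" * 46)  # non-ARP frame, ignored
    return frames

if __name__ == "__main__":
    print(summarise(constructed_capture(), window_s=1.0, link_kbps=512))
```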

 
 
Alan Greig
Guest
Posts: n/a

 
      08-07-2005, 06:45 PM


Matt wrote:
> Unfortunately that's the way it works. DOCSIS is like Ethernet - it
> needs to ARP to get the MAC address. Problem is that worms scan ranges
> and try to contact every IP which means you see ARP requests for devices
> that are either not on or are not allocated.


Surely it doesn't have to be this way though? As far as I can see this
is just making the configuration simpler for the cable company. In fact
I've had a quick scan through the Cisco docs and some details from other
cable companies and there are indeed solutions - mostly involving static
and DHCP-learned MAC/IP mapping and/or ARP filtering/limiting (IOS cable
arp commands etc).

I guess this traffic counts towards my bandwidth and it's already 5-10
percent of a 512K link. Doesn't seem to me as if it would take much
effort to bring the network to its knees using ARP flooding attacks. Are
Telewest and NTL just crossing their fingers and praying?

--
Alan Greig

 
 
Alan Greig
Guest
Posts: n/a

 
      08-07-2005, 10:40 PM


> I guess this traffic counts towards my bandwidth and it's already 5-10
> percent of a 512K link. Doesn't seem to me as if it would take much
> effort to bring the network to its knees using ARP flooding attacks. Are
> Telewest and NTL just crossing their fingers and praying?


Answering my own question it seems that other limitations will likely
prevent a total flood but I guess I'd rather not see that traffic on my
port at all.

--
Alan Greig

 
 
Big Boy UK :-)
Guest
Posts: n/a

 
      08-08-2005, 02:44 PM

"kraftee" <kraftee@spamoff&die> wrote in message
news:42f62542$0$24024$(E-Mail Removed)...

>> traffic.

>
> Can't say for Blueyonder but NTL was like that when I subscribed to
> them...


NTL are perfect in every way, not one issue since connection. Some people are
always unlucky, aren't they, I'm afraid.



 