What's new

Asus RT-AC66U ARP storm caused by "auto" network map

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

kps_bv

New Around Here
Hi there,

got an issue with the RT-AC66U (asuswrt merlin 380.65-4). Same Issues exists with Asus firmware as well.

Here is the environment:

Small test network using 8 port hub (to see all packets in wireshark) with Notebook w ASIX ETH, AXIS OfficeBasic USB Print server (FW 7.03), RT-AC66U (port 1 connected, no other connection, running in wireless router mode).

When switching on all devices RT-AC66U starts enumerating ip addresses of the subnet using arp. During that enumeration it floods my network with ARP requests as soon as it has reached the IP of the AXIS OfficeBasic.

Attached you find a wireshark file presenting the problem. The problem starts at packet 591 and the flooding starts at packet 623.


Network@: 10.0.0.0

Notebook ASIX: .23, RT-AC66U: .245, AXIS: .238


Because I am not using the router as WAN connector and I don't need the network map, I would appreciate if you could help me to either turn off the automatic network map or resolve the issue in the routers software

Thanx a lot

KP
 
This is by design. The tool that does it is even called "arpstorm". This is done so any existing clients on the subnet will announce its presence, so it can be enumerated by networkmap.
 
A tool like ARPStorm should not be used, rather a tool should be used that does NOT work as an arp-storm creator. I understand, that the device tries to find out who lives in the network. But it is relative simple to count the max number of arp-packets to be sent out depending on the subnet mask and then stop - regardless if a response is received or not. That's why I consider the software as bugious - both the original and the merlin. I have not resolved the problem but I have a working bypass: Enable storm detection in the switches.
Thanx
KP
 
This is by design. The tool that does it is even called "arpstorm". This is done so any existing clients on the subnet will announce its presence, so it can be enumerated by networkmap.

Could you explain what program or feature "arpstorm" is scanning for? Is there anything in the UI that could be disabled to stop it from loading? IE traffic manager or some NAT passthrough? I would prefer ARP to only be done when a IP is requested to decrease overhead.
 
@Trikein. I agree that this address scan causes more overhead than real benefits. As an admin I don't wanna see all my devices in my network but - if at all - only those that are connected to the AP.
I would strongly vote for adding an option to the GUI to turn this feature off. I think showing those clients that are connected is fare enough for the normal operation mode.
@ RMerlin: Even if ARP-Storm is considered a feature I still consider the tool or its implementation into the merlin code as buggy because under a certain condition it never stops sending out arp requests. As I said above the exact same (buggy) behavior occurs in the original software delivered by Asus.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top