Theft-of-service and denial-of-service (DNS) attacks have become
increasingly common in cable broadband networks. In addition, virus attacks are
becoming more common, and users are often unaware that their computers have
become infected and are being used to continue the attacks on the network.
One sign that often appears during these attacks is an unusually high
volume of Address Resolution Protocol (ARP) packets. The user or virus
repeatedly issues ARP requests, trying to find the IP addresses of additional
computers that might be vulnerable to attack.
ARP requests are broadcast packets, so they are broadcast to all
devices on that particular network segment. In some cases, a router can also
forward ARP broadcasts to an ARP proxy for further processing.
This problem is also made worse because some low-end routers commonly
used by subscribers for home networks can also incorrectly respond to all ARP
requests, which generates even more traffic. Until these customer premises
equipment (CPE) devices can be upgraded with firmware that is compliant to the
appropriate Request for Comments (RFC) specifications, service providers need
to be able to deal with the incorrectly generated or forwarded traffic.
In addition, the Cisco CMTS router automatically monitors ARP traffic
and enters the IP addresses found in ARP requests into its own ARP table, in
the expectation that a device will eventually be found with that IP address.
Unacknowledged IP addresses remain in the router’s ARP table for 60 seconds,
which means that a large volume of ARP traffic can fill the router’s ARP table.
This process can create a large volume of ARP traffic across the
network. In some situations, the volume of ARP requests and replies can become
so great that it can throttle other traffic and occupy most of the Cisco CMTS
router’s processing time, hampering efforts by technicians to recover their
network.
The router cannot use fast-switching to process ARP packets, but must
instead forward them to the route processor (RP). Because of this, processing a
large volume of ARP traffic can also prevent the router from handling normal
traffic.