ARP request storm

I have a public class C IP range connected to the Internet via a Netcomm router.
I only use a tiny subset of the available IP addresses for actual devices but I get a continuous stream of ARP requests from the router for every IP in the range.
These amount to thousands of requests each day .
I am assuming that these are triggered by an external scanner.
I cannot firewall the outside of the router and my ISP is not helpful
So far as I know, only ARP table entries can affect requests.
Is it possible to put dummy entries into my ARP table for unused IP’s so that the requests get answered and cached in the router to reduce the number of requests?

I’m curious, what does this question have to do with Rocky Linux, when you are referring to your Netcomm router?

1 Like

Could it be that they come from the router itself, or do they definately come from the other side of the router?

I posted here because, as I said, I am hoping to find a way to use the ARP table on my Rocky box to at least mitigate the issue and most people here are helpful.
I see the requests (with tcpdump) as coming from the router but the sheer volume (hundreds of thousands per day) suggests an external stimulus.
Plus, I am pretty sure that this only started recently and nothing has changed in the router or on my network.

You ask if it is possible to add “entries into my ARP table”.

In general answer to your question, are you aware of the “-s” option for the arp command which adds a Static ARP Entry to the Local ARP Table. For example see How to add or remove a static ARP entry on Linux

Additionally, the “-f” option allows loading ARP entries from an external file automatically when a network interface is up.

I know about arp -s and arp -f and have /etc/ethers set up to update the table at boot time.
My question is whether it is possible (and meaningful) to add dummy entries for IP addresses that do not exist.
If so, what to they look like?

exactly as the web page i cited documents:

arp -s 10.0.0.2 00:0c:29:c0:94:bf

for example, you are adding an arp entry to associate an IPv4 address with a MAC address.

What to use as a MAC address for the unused IP’s?
They will never get a real one.

Anything unique within the broadcast domain would do, but you could pretend to have VMs.
These list some such ranges: https://macaddress.io/faq/how-to-detect-a-virtual-machine-by-its-mac-address and VMware: Specify a MAC Address Range


If you could unplug the WAN-link of the router, then you would see only the requests that the router itself generates.

I’ve added real or dummy entries for every IP in my range to the ARP table on my server but that does not satisfy the requests from my router. It’s ARP table still has “incomplete” for all unused IP’s.
I pulled the external plug from the router and the storm stopped apparently confirming an external stimulus.
Unless the bad guys give up, I guess that leaves my ISP but they are singularly unhelpful.
Thanks to all.

Do you have Apache running in your Rocky Linux server?

You could set up Apache to respond with an empty web page for each of the WAN address?

Or add a firewall to protect your LAN from the WAN.