Skip to content

ARP Bogon Probe

Module Status

TODO

Monitors for ARP requests for non-connected networks. Triggers if the source ip address is not local to the local subnet.

Functionality

Each arp-request packet is validated based on its attributes. The (minimal) attributes of an arp-request are:

  • Requested IP-Address
  • Source MAC-Address

Check whether the requested IP-Address is in this subnet (see configuration) .

  • ip address not in subnet:
  • Check which source seems to have misconfigured an interface via source MAC-Address
  • Outcome ARP_BOGON_DETECTED

Events

  • ARP_BOGON_DETECTED: contains wrongly requested prefix

Metrics

ixpect_arp_bogon_count{ip_address=198.51.100.42,mac_address=xx:xx:xx:xx:xx:xx} 10

Configuration

arp_bogon:
  enable: true
    valid_subnets:
    - 192.0.2.0/24