I'm out in Korea for a year. I signed up for the local DSL internet service through SSRT. After it's installed, I fire up my favorite game and get dropped from the server every so often. The connection is horrible - intermittent packet loss, crawling speed sometimes. Anyways, I started reading around forums and such and Google-ing for questions I had about the general craptacular quality of my internet service and stumbled upon Ethereal. I figured whhat the hell, why not. This thing is awesome, btw.
I'm not sure If I should put real numbers here so I won't just yet.
My first capture reveals that about 70% of my incomming packets are ARP broadcast requests. I thought (and still think) this was abnormal. During the first test I'm doing nothing but surfing the internet, checking my E-mail, etc. I run the test for 10 min in promiscuous mode with no filters. The thing that gets me about it is most of the ARP traffic is from a subnet outside my own. I stepped into the local ISP office and talked with a technician about it and he assured me that it was normal. On all consecutive tests 70-80% of the total packets are ARP broadcasts.
After some further searching via Google, I discover that ARP traffic, even from outside your subnet, is normal on a cable or DSL connection. The page I read was a Cox cable support rep placating a customer. Apparently Cox subscribers are (or were) charged extra for how much banwidth over 30GB/month they used. The Cox support rep claimed they used something called IP bundling. I have never heard of that before. It was described as a way for hosts on a node to recieve broadcast traffic for their vlan when that specific node might obtain an IP from one of several different vlans. The Cox subscribers reported and the support rep confirmed approximately 1GB/month of ARP traffic. If I am reading ethereal correctly, I recieved approximately 5MB of ARP traffic in that first 10 min test. This would come to about 215GB/month of ARP traffic - WAY over what the Cox users were reporting.
Like I said I'm no expert on this stuff so If what I say sounds a little wonky, please bear with me.
Last night I observed one of the intermittent connection losses. I quickly tabbed out of the game I was playing and fired up Ethereal and began logging. Reviewing the data is blowing my mind. I'm no expert on the subject but it looks to me like some sort of ICMP flood attack. My incomming traffic was filled with ICMP pings 106 bytes long and ARP broadcasts from what looks like some sort of management VLan. The ICMP request was made of an IP in that management VLan that didn't seem to exist. Three IP's on that management VLan seem to be taking the ICMP packets and sending them to a router. All the ARP requests are from various IP's on that management VLAN and all of them are asking who has the IP that the ICMP ping is detined for. The ICMP traffic was comming in at about
1.2Mbit/s and the ARP broadcasts 0.7Mbit/s. This went on for about 2 minutes then finally stopped. I recieved about 25MB of data in those 2 min. - none of which (in my understanding) should have passed my gateway.
I'm not sure exactly what I'm trying to get out of this. Maybe some advice. Maybe a solution. I'm going to talk to SSRT again tomorrow and see what's up. I'd appreciate any comments or suggestions.