
What is an 'ARP storm'?


Simon JD

Sep 13, 1996, 3:00:00 AM

I have just read the article in demon.announce entitled 'Network Outage
13th. September 1996' in which Malcolm Muir writes:

>You are probably aware that we have had major network problems
>throughout the night and early hours of this morning.

>This was eventually traced to 'ARP Storms' on part of the network and
>the offending part of the network was isolated to allow the major
>services to be restored soon after 10:00 this morning.

Excuse my thickness but what is an 'ARP Storm'??!

--
Simon JD
Bridlington, East Yorkshire, UK

Tom Hughes

Sep 14, 1996, 3:00:00 AM

> >This was eventually traced to 'ARP Storms' on part of the network and
> >the offending part of the network was isolated to allow the major
> >services to be restored soon after 10:00 this morning.
>
> Excuse my thickness but what is an 'ARP Storm'??!

Well firstly, ARP is the address resolution protocol, and is the
means by which a machine attempts to establish a mapping between
an IP address and an ethernet hardware or MAC address.

Essentially the machine knows that it wants to send a packet to
address 1.2.3.4, and it knows that the machine with that address
is on the same ethernet that it is on, so it sends a packet to
the ethernet broadcast address (so that all machines on the ethernet
receive it) giving the IP address and asking which machine has that
address.

When the machine with address 1.2.3.4 receives that ARP request, it
sends an ARP reply back to the sender of the request which says
that the machine with IP address 1.2.3.4 has an ethernet
MAC address of 00:01:02:03:04:05 or whatever.

The original machine can then send the original packet to that
address. It also caches the address pair for use with subsequent
packets to the same machine. Typically the cache entry times out
after twenty minutes or so, and a new ARP lookup is done at that
point.

An ARP storm simply means that there are a very large number of ARP
packets on the ethernet, probably using most or all of the bandwidth
and preventing anything else from getting a look in. The problem is
that there is probably one broken piece of kit that is provoking a
number of machines into sending lots of ARP packets, and working out
which machine/switch/cable/whatever is the problem can be pretty
tricky.

Tom

--
Tom Hughes (t...@compton.demon.co.uk)
http://www.compton.demon.co.uk/
...Every program is a part of some other program, and rarely fits.

Mike Pellatt

Sep 14, 1996, 3:00:00 AM

On Fri, 13 Sep 1996 21:17:36 +0100, Simon JD <si...@force2.demon.co.uk> wrote:
>I have just read the article in demon.announce entitled 'Network Outage
>13th. September 1996' in which Malcolm Muir writes:
>
>>You are probably aware that we have had major network problems
>>throughout the night and early hours of this morning.
>
>>This was eventually traced to 'ARP Storms' on part of the network and
>>the offending part of the network was isolated to allow the major
>>services to be restored soon after 10:00 this morning.
>
>Excuse my thickness but what is an 'ARP Storm'??!

ARP stands for Address Resolution Protocol and is the method
used on broadcast media (e.g. Ethernet) to translate an IP address
into a physical layer address. This is done by sending a broadcast
packet saying "Who has IP address w.x.y.z ??" The node whose IP
address is w.x.y.z then sends a directed packet back to the requesting
node containing its physical address. Communication can then take
place with directed packets between the two nodes.

Excessive ARP traffic can rapidly bring a network to its knees, not least
because of the CPU load on the nodes, which (by definition) have to
receive and process all broadcast packets on the LAN, just to see
if they should do something with them. All sorts of problems can
lead to ARP storms, but the first step is usually to isolate
bits of the network and see where the offending node(s) might be,
and also to get at least some of the systems working.

Oh yes - it gets worse if you're using switched ethernet, because
you only get 10Mb/s of broadcast bandwidth across ALL ports, whereas
you get 10Mb/s of bandwidth between any 2 ports on the switch. (assuming
10Mb/s switches)

Demon use ATM (Asynchronous Transfer Mode - another physical layer)
now - 'fraid I don't know enough off the top of my head about how
that behaves with ARP storms. Come to think of it, doesn't its address
resolution avoid use of broadcasts ?? I've only spent a couple of
days playing with ATM to date.

HTH

--
Mike Pellatt, VCS Limited (A Knowledge Group company)
Tel: (+44) 117 9007500 Fax: (+44) 117 9007501 Mobile: (+44) 468 192021
Home Page: http://www.ktgroup.co.uk/~mike/
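
Added example, not part of any post in this thread: the replies above from Tom Hughes and Mike Pellatt describe ARP requests as Ethernet broadcasts and say the first step in an ARP storm is finding the offending node. This sketch parses ARP frames and reports, per time window, the sender MAC behind most of the requests; the window length, the threshold of 100 requests and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build a broadcast Ethernet frame carrying an ARP request (sample data)."""
    eth = BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode 1
    return eth + arp + sender_mac + sender_ip + b"\x00" * 6 + target_ip

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, frame[22:28], frame[28:32], frame[38:42]

def find_storm_sources(capture, window=1.0, threshold=100):
    """Map each window with more than `threshold` ARP requests to its top sender.
    capture is (timestamp_seconds, frame_bytes) pairs; window/threshold are assumed."""
    per_window = {}
    for ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 1:   # count only requests (broadcast)
            continue
        per_window.setdefault(int(ts // window), Counter())[parsed[1]] += 1
    flagged = {}
    for idx, counts in sorted(per_window.items()):
        if sum(counts.values()) > threshold:
            mac, n = counts.most_common(1)[0]
            flagged[idx] = (mac.hex(":"), n)
    return flagged

def sample_capture():
    """Constructed capture: two quiet hosts, one host flooding during second 2."""
    a, b, noisy = (bytes.fromhex(m) for m in
                   ("000102030405", "000102030406", "0001020304ff"))
    cap = [(0.1, build_arp_request(a, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))),
           (1.5, build_arp_request(b, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])))]
    cap += [(2.0 + i / 1000, build_arp_request(noisy, bytes([10, 0, 0, 9]),
             bytes([10, 0, i // 250, i % 250 + 1]))) for i in range(500)]
    return cap

if __name__ == "__main__":
    print(find_storm_sources(sample_capture()))
```

On a live network the (timestamp, frame) pairs would come from a packet capture taken on the affected segment.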


Tom Hughes

Sep 14, 1996, 3:00:00 AM

> Demon use ATM (Asynchronous Transfer Mode - another physical layer)
> now - 'fraid I don't know enough off the top of my head about how
> that behaves with ARP storms. Come to think of it, doesn't its address
> resolution avoid use of broadcasts ?? I've only spent a couple of
> days playing with ATM to date.

IIRC they use ATM between ethernet switches, so there will still
be ARP in use between nodes on the same switch. Like you, I don't
know enough about ATM to know how it does address resolution, but
surely ARP broadcasts must be passed across the ATM network between
the switches, or they'd need to be routers not switches ;-)

Tom

...Even bad sex is better than no sex.

Neil J. McRae

Sep 14, 1996, 3:00:00 AM

In article <$BRCTCAg...@force2.demon.co.uk>,
Simon JD <si...@force2.demon.co.uk> wrote:
>Excuse my thickness but what is an 'ARP Storm'??!

I'd guess it's when all the machines tell each other at the same time
who they are, and who they know about. Or it could mean
that someone switched on proxy arp on a P-50 ;-)

Neil
--
Neil J. McRae. Alive and Kicking. Easynet Group PLC
ne...@EASYNET.NET NetBSD/sparc: 100% SpF (Solaris protection Factor)
Free the daemon in your <A HREF="http://www.NetBSD.ORG/">computer!</A>

Neil J. McRae

Sep 14, 1996, 3:00:00 AM

In article <19960914....@compton.demon.co.uk>,
Tom Hughes <t...@compton.demon.co.uk> wrote:
>IIRC they use ATM between ethernet switches, so there will still
>be ARP in use between nodes on the same switch. Like you, I don't
>know enough about ATM to know how it does address resolution, but
>surely ARP broadcasts must be passed across the ATM network between
>the switches, or they'd need to be routers not switches ;-)
>

Uhh. ATM is a switching method :-)

[note this is a very brief basic ATM explanation]

Ethernet is a connectionless state whereas
ATM requires a call to be placed much in the same way a telephone switch
works. It is a direct Connection From point A to B.

ATM is a glorified Telephone switch in basic terms, everything is more
virtual :-) Each Ethernet switch has to have a virtual circuit between them.
Which is very much like a telephone call.

Look at:

http://www.atmforum.com/

and

http://www.xylan.com/toolkit/toolkit.html

Regards,
Neil.
