0

Machine: Xen-3.0 image running stable Debian Linux 2.6.18, pretty vanilla.

My VPS provider asks me to deal with some trouble my image is causing, namely handling IP addresses it is not supposed to:

> The problem is that your server seems to be configured to use IPs that have not been appointed to you. Your server responds to ARP requests for the IPs 81.171.111.219 and 81.171.111.218. But you are not allowed to use those.

Not explicitly, as far as I can tell! At least, nothing under /etc or /var/tmp mentions these IP addresses. But arp -v says something I can't make sense of:

Address                  HWtype  HWaddress           Flags Mask            Iface
81.171.111.1             ether   00:0C:DB:E3:80:00   C                     eth0
Entries: 1      Skipped: 0      Found: 1

What is it listening to? The possibilities seem to be:

  1. It's not my fault: my VPS providers have overlooked something. What might that be?
  2. 81.171.111.1 means I'm happy listening in on ARP requests that I shouldn't be: how do I change this? In any case, what does this mean?
  3. I'm looking in completely the wrong place for information on what my image is doing. Where should I be looking?
Charles Stewart

3 Answers

1

Check out the arptables package for Debian. Possibly could set up static ARP routes. There is little reason for your box to know how to get to other boxes via ARP; you could disable it entirely.

David Rickman
0

Take a look at /etc/rc.local for any static entry.
Please post the values of:

sysctl net.ipv4.conf.all|grep arp

Make sure you get the same results from:

arp -na and cat /proc/net/arp

You may have cache poisoning going on the network. The only way to stop it is to block them at the firewall (they could only allow you to request the gateway with firewall rules). You could also do this on your side.

Alternatively, I would suggest you monitor what is going on with Wireshark. http://www.wireshark.org/

Embreau
0

The trouble was, as I didn't find out for myself, the Ethernet interface was bound to the forbidden IP addresses, although only the gateway address was shown using route/arp/ip route show. ip addr show would have listed the missing addresses; using ip addr del on the two misconfigured IP addresses fixed the problem.

I should really learn more about Linux networking — this seems like it should have been obvious to me to check. I found Daniel Weiss' Proxy ARP with Linux useful.

Charles Stewart
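
The check from the accepted fix above, as an added example that is not part of the original thread: it reads `ip -o -4 addr show` output and lists every address bound to an interface that is not on the provider-assigned allowlist. The assigned address 192.0.2.10, the /24 prefixes and the sample output are constructed placeholders; only the two unassigned addresses come from the question.

```shell
#!/bin/sh
# Added example: report IPv4 addresses bound to an interface that the
# provider never assigned. Input is `ip -o -4 addr show` output on stdin.

# unassigned_addrs IFACE "ALLOWED ADDRESSES"
# Prints one addr/prefix per line for each address on IFACE that is not in
# the space-separated allowlist.
unassigned_addrs() {
    awk -v iface="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # -o format: "2: eth0    inet 192.0.2.10/24 brd ... scope global eth0"
        $2 == iface && $3 == "inet" {
            split($4, p, "/")            # p[1] = address, p[2] = prefix length
            if (!(p[1] in ok)) print $4
        }'
}

# Constructed sample of `ip -o -4 addr show` output (not captured from the
# asker's machine). 192.0.2.10 stands in for the legitimately assigned address.
sample_ip_output() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 81.171.111.218/24 brd 81.171.111.255 scope global eth0
2: eth0    inet 81.171.111.219/24 brd 81.171.111.255 scope global secondary eth0
EOF
}

# Placeholder allowlist: replace with the addresses your provider assigned.
ALLOWED="192.0.2.10"

# Report only; the removal command is printed, not executed.
sample_ip_output | unassigned_addrs eth0 "$ALLOWED" | while read -r cidr; do
    echo "unassigned on eth0: $cidr (remove with: ip addr del $cidr dev eth0)"
done
```

On a live host, replace `sample_ip_output` with `ip -o -4 addr show`. Because `arp` and `route` show only neighbours and routes, this address listing is the view that exposes which IPs the interface will answer ARP for.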