iPhone ARP Requests Flood LAN
Recently a client was complaining of network issues (the internet was down). Upon further investigation I realized that no one was getting an IP address even though the links were up between my switches and DHCP server. I could set the IP statically but still wasn’t able to ping anything on the network. After verifying that the switches were working properly and the link between them was up, we fired up Wireshark. This network, like a lot of networks, was a mix of WLAN and LAN clients. When we captured packets on just the WIRED network everything seemed fine; we would capture an average of about 20 packets per second. When we plugged in the switch that handled the WAPs, the laptop running Wireshark simply stopped responding. We unplugged the switch with the WAPs and gave the laptop some time to process what had happened.
Someone’s iPhone was sending about 1,000,000 ARP requests every 5 seconds for a router that didn’t exist on this network. It seems that this person with the rogue iPhone had a similar network at home and the phone was desperately looking for what it thought was the default gateway. This is obviously an error with the iPhone. So, we tracked Cam down, disabled the WLAN card and assumed the problem was solved. Just for grins, we ran Wireshark again, only to find another iPhone that was doing the same thing. We decided to deny all iDevices a valid DHCP address to protect the integrity of the network by going to Windows DHCP and creating a deny list with a wildcard MAC that encompassed every iDevice.
Another interesting thing about this problem was that the iPhones were able to access the internet without delay while other devices were rendered useless by the flood of broadcasts. It’s also important to note that this solution does not help the network if the iPhone somehow gets assigned a static IP.
F0:DC:E2:xx:xx:xx is the OUI for the iPhone 4s that needs to be blocked.
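The Wireshark triage described above can be scripted so the noisy source shows up without a GUI that locks up under load. This is an added example, not code from the original post: it counts ARP requests per source MAC in 5-second windows and records targets outside the local subnet. The subnet `192.168.10.0/24`, the threshold, the target `10.0.1.1` and both sample MAC addresses are assumptions constructed for the demonstration.

```python
import ipaddress
import struct
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN subnet
WINDOW_S = 5      # window length, matching the 5-second figure in the post
THRESHOLD = 100   # assumed alert level: ARP requests per MAC per window

def parse_arp_request(frame: bytes):
    """Return (sender_mac, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    header = struct.unpack("!HHBBH", frame[14:22])
    if header != (1, 0x0800, 6, 4, 1):  # Ethernet, IPv4, opcode 1 = request
        return None
    return frame[22:28].hex(":").upper(), ipaddress.ip_address(frame[38:42])

def find_flooders(packets, threshold=THRESHOLD):
    """packets: iterable of (timestamp_seconds, frame_bytes).
    Returns {(mac, window_start): summary} for sources above the threshold."""
    counts, off_subnet = Counter(), {}
    for ts, frame in packets:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        mac, target = parsed
        key = (mac, int(ts // WINDOW_S) * WINDOW_S)
        counts[key] += 1
        if target not in LOCAL_NET:  # asking for a gateway this LAN does not have
            off_subnet.setdefault(key, set()).add(str(target))
    return {k: {"count": n, "off_subnet_targets": sorted(off_subnet.get(k, ()))}
            for k, n in counts.items() if n > threshold}

def build_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Build the bytes of an ARP request frame for the constructed sample below."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ipaddress.ip_address(src_ip).packed
    return b"\xff" * 6 + mac + b"\x08\x06" + arp + b"\x00" * 6 + ipaddress.ip_address(target_ip).packed

def sample_capture():
    # Constructed capture: one device with the OUI from the post sends 500 requests
    # in one window for an off-subnet gateway; a normal host sends 3 for the real one.
    noisy = build_request("F0:DC:E2:00:00:01", "192.168.10.50", "10.0.1.1")
    quiet = build_request("00:11:22:33:44:55", "192.168.10.20", "192.168.10.1")
    return [(i * 0.01, noisy) for i in range(500)] + [(t, quiet) for t in (0.5, 2.0, 4.0)]

if __name__ == "__main__":
    for (mac, start), info in find_flooders(sample_capture()).items():
        print(mac, f"window@{start}s", info)
```

Feeding it frames from a capture taken on a mirrored port, rather than on the flooded segment itself, avoids the hang the laptop experienced.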
For information about how Acumen can help you with problems like this one, visit our About Us page.
