Switch is scanning? Like virus

burleyman · ‎08-12-2008

I am seeing allot of ARP requests that looking like the switch (probally something spoofing the switch) is scanning our network and incrementing by one....like something has a virus. Here is what I am seeing in the switch....

Aug 12 19:12:54: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,

dst 10.0.61.176 0000.0000.0000 Vlan10

Aug 12 19:12:55: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,

dst 10.0.61.195 0000.0000.0000 Vlan10

Aug 12 19:12:56: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,

dst 10.0.61.196 0000.0000.0000 Vlan10

Aug 12 19:12:56: IP ARP: sent req src 10.0.0.254 0021.1b83.0000,

dst 10.0.61.168 0000.0000.0000 Vlan10

10.0.0.254 is our switch

this started at 10.0.0.0 and is now up to 10.0.65.X

How can I find out what is doing this?

Mike

andrew.butterworth · ‎08-12-2008

I am assuming this is this a layer-3 switch? If so this is just normal ARP'ing as the switch (router) is trying to forward packets to hosts on it's directly connected VLAN 10 it doesn't have ARP entries for. It could be legitimate traffic or it could be an infected host that is generating the traffic. I suggest you put a sniffer on and attempt to find the IP source that is generating the 'sweeps' of traffic.

HTH

Andy

burleyman · ‎08-13-2008

We found the issue. It looks like it was a misconfigured subnet mask.

Thanks for your help.

Mike