Too many ARP broadcasts

Answered Question
Nov 25th, 2008

Hi all. We have encountered a weird ARP broadcast problem.

The problem is that we have a range of hosts that do ARP broadcasts requesting who has an IP address in their LAN segment. Those hosts send a new broadcast approximately every 4 seconds to another address whose value is one greater than the previous IP. Something like this:


1. broadcast: x.x.x.x
2. broadcast: x.x.x.x+1
3. broadcast: x.x.x.x+2
...


It looks like malware or a virus is scanning the LAN segment. Can anyone tell me if they have encountered this before and, more importantly, how to beat it?

If you want to be nice - configure broadcast storm-control, and when the number of broadcasts per second is reached, send an SNMP trap/log.

If you want to be nasty and really track it down, configure broadcast storm-control and when the number of broadcasts per second is reached.....it's a security violation and automatically shut the port!!


That does not look good, but it might not be malware or a virus; an IT person could be scanning the local IP subnet to see if hosts are alive, etc.

What you need to do is packet-sniff the MAC address of the requester, track that device or devices down and see what's on that machine.
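One way to act on this advice, as an added example that is not from the original thread: a short Python script that reads tcpdump-style ARP request lines (the sample lines below are constructed, not a real capture) and reports any source MAC whose targets step through consecutive addresses at a steady interval, the pattern Igor describes.

```python
"""Flag MACs whose ARP requests walk a subnet one address at a time."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in "tcpdump -e -n arp" style; MACs and IPs are made up.
SAMPLE_LINES = """\
10:00:00.10 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.1 tell 10.1.1.50
10:00:00.11 66:77:88:99:aa:bb > 00:11:22:33:44:55, ARP, Reply 10.1.1.1 is-at 66:77:88:99:aa:bb
10:00:02.00 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.1 tell 10.1.1.77
10:00:04.12 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.2 tell 10.1.1.50
10:00:08.09 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.3 tell 10.1.1.50
10:00:12.11 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.4 tell 10.1.1.50
10:00:30.00 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.200 tell 10.1.1.77
"""

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+(?:\.\d+)?) (\S+) > \S+, ARP, Request who-has (\S+) tell")


def parse_arp_requests(text):
    """Return {src_mac: [(seconds_since_midnight, target_ip_as_int), ...]}."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        h, mi, s, mac, target = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        by_mac[mac].append((ts, int(ipaddress.ip_address(target))))
    return by_mac


def find_sweepers(by_mac, min_run=3):
    """Report MACs whose time-ordered targets contain >= min_run consecutive IPs.

    'run' is the longest such streak, 'interval' the mean seconds between its requests.
    """
    report = {}
    for mac, reqs in by_mac.items():
        reqs.sort()  # order by timestamp
        best_run, best_span, run_start = 1, 0.0, 0
        for i in range(1, len(reqs)):
            if reqs[i][1] != reqs[i - 1][1] + 1:
                run_start = i  # streak broken: target is not previous + 1
            run = i - run_start + 1
            if run > best_run:
                best_run, best_span = run, reqs[i][0] - reqs[run_start][0]
        if best_run >= min_run:
            report[mac] = {"run": best_run, "interval": best_span / (best_run - 1)}
    return report


if __name__ == "__main__":
    for mac, info in find_sweepers(parse_arp_requests(SAMPLE_LINES)).items():
        print(f"{mac}: {info['run']} consecutive targets, ~{info['interval']:.1f}s apart")
```

The MAC it reports is the one to trace back through the switch's MAC address table to a port and a machine.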



IgorHamzic Tue, 11/25/2008 - 03:18

It isn't an administrator; we have already checked. The PCs are used by regular users in the network.

We have tracked some machines and we are checking what's on those machines. I'll post any progress.

Any more advice is greatly appreciated.


jorg.ramakers Tue, 11/25/2008 - 05:18

Hi,


Also make sure proxy ARP is disabled.

Proxy ARP is only used when no gateway is configured on the client, so the ARP broadcasts stay local on the segment.

Proxy ARP is enabled by default on Cisco.

On the VLAN interface configure

no ip proxy-arp


Cheers


Jorg

IgorHamzic Tue, 11/25/2008 - 06:47

I'll try with the storm-control first so we will see what's going on.

We have also detected a new virus in the network, so I don't know if there is a connection between the two.

IgorHamzic Wed, 12/10/2008 - 06:26

Sorry for not posting for a while. Anyhow, the problem with the ARP broadcasts was a virus that spread through the network and a few zombie computers.

We have managed to contain and eliminate the virus since then. Thanks everyone for help.

Richard Burts Wed, 12/10/2008 - 10:15

Igor


Thank you for posting back to this thread and indicating that you had resolved the issue and explaining what the issue was. It makes the forum more useful when people can read about an issue and can get confirmation of what the issue turned out to be and how it was resolved.


HTH


Rick
