Hi all. We have encountered a weird ARP broadcast problem.
The problem is that we have a range of hosts that do ARP broadcasts requesting who has an IP address in their LAN segment. Those hosts send a new broadcast approx. every 4 seconds to another address whose value is greater by 1 than the previous IP. Something like this:
1. broadcast: x.x.x.x
2. broadcast: x.x.x.x+1
3. broadcast: x.x.x.x+2
It looks like malware or a virus is scanning the LAN segment. Can anyone tell me if they have encountered this before and, more importantly, how to beat it?
If you want to be nice - configure broadcast storm-control, and when the number of broadcasts per second is reached, send an SNMP trap/log.
If you want to be nasty and really track it down, configure broadcast storm-control, and when the number of broadcasts per second is reached... it's a security violation and automatically shut the port!!
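
The pattern described in the first post (one sender asking for x, x+1, x+2 at intervals of a few seconds) can be picked out of a capture to identify the hosts involved. The following is an added example, not code from either poster; it assumes input lines in the style of `tcpdump -tt -n arp`, and the function name, thresholds and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Matches ARP request lines as printed by `tcpdump -tt -n arp` (assumed input format).
ARP_REQ = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ARP, Request who-has (?P<target>[\d.]+)"
    r"(?: \(\S+\))? tell (?P<sender>[\d.]+),"
)

def find_arp_sweeps(lines, min_run=5, max_gap=10.0):
    """Return {sender_ip: longest_run} for senders whose successive ARP
    requests target x, x+1, x+2, ... at least min_run times in a row,
    with at most max_gap seconds between requests."""
    state = {}    # sender -> (last target as int, last timestamp, current run)
    longest = {}  # sender -> longest run seen
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # not an ARP request line
        try:
            target = int(ipaddress.IPv4Address(m["target"]))
        except ipaddress.AddressValueError:
            continue  # malformed address in the capture text
        ts, sender = float(m["ts"]), m["sender"]
        last_target, last_ts, run = state.get(sender, (None, 0.0, 0))
        if last_target is None or ts - last_ts > max_gap:
            run = 1                      # first request, or the sender went quiet
        elif target == last_target + 1:
            run += 1                     # next address in sequence
        elif target != last_target:
            run = 1                      # unrelated target breaks the run
        # a repeated target (ARP retry) leaves the run unchanged
        state[sender] = (target, ts, run)
        longest[sender] = max(longest.get(sender, 0), run)
    return {s: n for s, n in longest.items() if n >= min_run}

# Constructed sample: 10.0.0.5 walks .20 to .26 every 4 s; 10.0.0.9 behaves normally.
SAMPLE = [
    f"{1700000000 + 4 * i}.000000 ARP, Request who-has 10.0.0.{20 + i} tell 10.0.0.5, length 46"
    for i in range(7)
] + [
    "1700000001.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.9, length 46",
    "1700000009.000000 ARP, Request who-has 10.0.0.50 tell 10.0.0.9, length 46",
]

if __name__ == "__main__":
    for sender, run in find_arp_sweeps(SAMPLE).items():
        print(f"{sender}: {run} consecutive ARP targets, possible sweep")
```

Because it keys on consecutive targets rather than on rate, it also flags a sweep as slow as the one broadcast every 4 seconds described in the first post.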