
Too many ARP broadcasts

IgorHamzic
Level 1

Hi all. We have encountered a weird ARP broadcast problem.

The problem is that we have a range of hosts that send ARP broadcasts asking who has an IP address in their LAN segment. Each host sends a new broadcast approx. every 4 seconds for another address whose value is greater by 1 than the previous IP. Something like this:

1. broadcast: x.x.x.x
2. broadcast: x.x.x.x+1
3. broadcast: x.x.x.x+2
...

It looks like malware or a virus is scanning the LAN segment. Can anyone tell me if they have encountered this before and, more importantly, how to beat it?

Accepted Solution

If you want to be nice - configure broadcast storm-control, and when the amount of broadcasts per second is reached, send an SNMP trap/log.

If you want to be nasty and really track it down, configure broadcast storm-control and when the amount of broadcasts per second is reached... it's a security violation and automatically shut the port!!


andrew.prince
Level 10

That does not look good, but it might not be malware or a virus; an IT person could be scanning the local IP subnet to see if hosts are alive, etc.

What you need to do is packet sniff the MAC address of the requester, track that device or devices down, and see what's on that machine.
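One way to turn sniffed ARP requests into a list of requester MACs to track down, given as an added example that is not part of the original thread. It assumes the capture has already been reduced to (time, requester MAC, target IP) records; the MAC addresses, IP addresses, thresholds and the name `find_sweepers` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of sniffed ARP who-has requests:
# (capture time in seconds, requester MAC, target IP). Not data from the thread.
SCANNER, NORMAL = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
SAMPLE = [(4.0 * i, SCANNER, f"192.0.2.{10 + i}") for i in range(8)] + [
    (1.5, NORMAL, "192.0.2.1"),    # ordinary gateway lookup
    (9.0, NORMAL, "192.0.2.1"),    # cache refresh for the same address
    (20.0, NORMAL, "192.0.2.40"),
    (21.0, NORMAL, "192.0.2.41"),  # two neighbours in a row: too short to flag
]


def find_sweepers(requests, min_run=5, max_gap=10.0):
    """Return {mac: longest run} for requesters whose successive ARP targets
    go IP, IP+1, IP+2, ... at least min_run times, each step within max_gap s."""
    last = {}                # mac -> (time, target as int, current run length)
    best = defaultdict(int)  # mac -> longest run seen
    for ts, mac, target in sorted(requests):
        ip = int(ipaddress.IPv4Address(target))
        prev_ts, prev_ip, run = last.get(mac, (ts, None, 0))
        in_time = ts - prev_ts <= max_gap
        if prev_ip is not None and in_time and ip == prev_ip + 1:
            run += 1         # next address in sequence
        elif prev_ip is not None and in_time and ip == prev_ip:
            pass             # retry for the same address, run unchanged
        else:
            run = 1          # unrelated target or too slow: start over
        last[mac] = (ts, ip, run)
        best[mac] = max(best[mac], run)
    return {mac: n for mac, n in best.items() if n >= min_run}


if __name__ == "__main__":
    for mac, run in find_sweepers(SAMPLE).items():
        print(f"{mac} requested {run} consecutive addresses: likely subnet sweep")
```

The flagged MACs can then be looked up in the switch MAC address table to find the port each machine is attached to.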

It isn't an administrator; we have already checked. The PCs are used by regular users in the network.

We have tracked some machines and we are checking what's on those machines. I'll post any progress.

Any more advice is greatly appreciated.


jorg.ramakers
Level 1

Hi,

Also make sure the proxy arp is disabled.

Proxy arp is only used when no gateway is configured on the client. So the arp broadcasts stay local on the segment.

Proxy arp is enabled by default on Cisco.

On the VLAN interface, configure:

no ip proxy-arp

Cheers

Jorg

I'll try with the storm-control first so we will see what's going on.

We have also detected a new virus in the network, so I don't know if there is a connection between the two.

Sorry for not posting for a while. Anyhow the problem with ARP broadcast was a virus that spread through the network and a few zombie computers.

We have managed to contain and eliminate the virus since then. Thanks everyone for help.

Igor

Thank you for posting back to this thread and indicating that you had resolved the issue and explaining what the issue was. It makes the forum more useful when people can read about an issue and can get confirmation of what the issue turned out to be and how it was resolved.

HTH

Rick
