11-25-2008 02:46 AM - edited 03-06-2019 02:39 AM
Hi all. We have encountered a weird ARP broadcast problem.
The problem is that we have a range of hosts that send ARP broadcasts asking who has an IP address in their LAN segment. Those hosts send a new broadcast approx. every 4 seconds, each time for an address whose value is greater by 1 than the previous IP. Something like this:
1. broadcast: x.x.x.x
2. broadcast: x.x.x.x+1
3. broadcast: x.x.x.x+2
.
.
.
It looks like malware or a virus is scanning the LAN segment. Can anyone tell me if they have encountered this before and, more importantly, how to beat it?
11-25-2008 03:24 AM
If you want to be nice: configure broadcast storm-control, and when the broadcasts-per-second threshold is reached, send an SNMP trap/log.
If you want to be nasty and really track it down: configure broadcast storm-control, and when the broadcasts-per-second threshold is reached... it's a security violation, so automatically shut the port!!
11-25-2008 03:09 AM
That does not look good, but it might not be malware or a virus; an IT person could be scanning the local IP subnet to see if hosts are alive, etc.
What you need to do is packet-sniff the MAC address of the requester, track that device (or devices) down and see what's on that machine.
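The pattern described in the original post (one sender, target IP incrementing by 1 roughly every 4 seconds) is easy to confirm from a capture once you key the ARP requests by sender MAC, which is what the reply above suggests. The following is an added example, not code from this thread: it parses raw Ethernet/ARP frames, groups "who-has" requests by sender MAC, and reports senders whose consecutive targets form a run of +1 addresses. The capture, MACs and addresses (10.0.0.0/24, 00:11:22:33:44:55 as the sweeping host) are constructed inline so it runs offline; in practice you would feed it frames and timestamps read from a pcap taken on a SPAN port.

```python
"""Find hosts sweeping the LAN with sequential ARP requests (added example, not from the thread)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETHERTYPE_ARP = b"\x08\x06"


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP who-has frame (Ethernet II + ARP). Used only to construct sample input."""
    eth = b"\xff" * 6 + sender_mac + ETHERTYPE_ARP
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sender_mac + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):
        return None  # not an Ethernet/IPv4 ARP *request*; replies and odd frames are ignored
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))


def find_sweepers(captures, min_run=5, max_gap=10.0):
    """captures: iterable of (timestamp_seconds, frame_bytes).

    Returns {sender_mac: info} for senders whose ARP targets form a run of at least
    `min_run` consecutive +1 addresses with no more than `max_gap` seconds between requests.
    """
    per_sender = defaultdict(list)
    for ts, frame in captures:
        parsed = parse_arp_request(frame)
        if parsed:
            mac, _sender_ip, target_ip = parsed
            per_sender[mac].append((ts, int(IPv4Address(target_ip))))

    result = {}
    for mac, reqs in per_sender.items():
        reqs.sort()  # chronological order
        best_len, best_start, best_gaps = 1, 0, []
        start, gaps = 0, []
        for i in range(1, len(reqs)):
            prev_ts, prev_ip = reqs[i - 1]
            ts, ip = reqs[i]
            if ip == prev_ip + 1 and ts - prev_ts <= max_gap:
                gaps.append(ts - prev_ts)  # run continues
            else:
                start, gaps = i, []        # run broken; start a new one here
            if i - start + 1 > best_len:
                best_len, best_start, best_gaps = i - start + 1, start, list(gaps)
        if best_len >= min_run:
            result[mac] = {
                "run": best_len,
                "first_target": str(IPv4Address(reqs[best_start][1])),
                "last_target": str(IPv4Address(reqs[best_start + best_len - 1][1])),
                "avg_interval": sum(best_gaps) / len(best_gaps),
            }
    return result


# --- constructed sample capture (not a real trace) ---
SWEEPER = bytes.fromhex("001122334455")   # hypothetical infected host, 10.0.0.50
NORMAL = bytes.fromhex("aabbccddee01")    # hypothetical ordinary host, 10.0.0.77
SAMPLE_CAPTURE = []
_t = 1000.0
for _i in range(1, 13):                   # 10.0.0.1 .. 10.0.0.12, one every 4 s
    SAMPLE_CAPTURE.append((_t, build_arp_request(SWEEPER, "10.0.0.50", f"10.0.0.{_i}")))
    _t += 4.0
for _ts, _tip in [(1001.0, "10.0.0.1"), (1009.5, "10.0.0.7"), (1030.0, "10.0.0.1"), (1031.0, "10.0.0.2")]:
    SAMPLE_CAPTURE.append((_ts, build_arp_request(NORMAL, "10.0.0.77", _tip)))
# a non-ARP frame (IPv4 EtherType) that the parser must skip
SAMPLE_CAPTURE.append((1002.0, b"\xff" * 6 + NORMAL + b"\x08\x00" + b"\x00" * 28))

if __name__ == "__main__":
    for mac, info in find_sweepers(SAMPLE_CAPTURE).items():
        print(f"{mac}: {info['run']} sequential targets {info['first_target']} -> "
              f"{info['last_target']}, ~{info['avg_interval']:.1f}s apart")
```

The ordinary host resolves its gateway and a couple of neighbours and is never flagged, even though two of its requests happen to be adjacent addresses; only the host walking the subnet one address at a time is reported, with its MAC, the range covered and the interval. That MAC is what you take to the switch's MAC address table to find the port.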
11-25-2008 03:18 AM
It isn't an administrator; we have already checked. The PCs are used by regular users in the network.
We have tracked some machines and we are checking what's on those machines. I'll post any progress.
Any more advice is greatly appreciated.
11-25-2008 05:18 AM
Hi,
Also make sure proxy ARP is disabled.
Proxy ARP is only used when no gateway is configured on the client, so the ARP broadcasts stay local on the segment.
Proxy ARP is enabled by default on Cisco.
On vlan interface configure
no ip proxy arp
Cheers
Jorg
11-25-2008 06:47 AM
I'll try storm-control first, so we will see what's going on.
We have also detected a new virus in the network, so I don't know if there is a connection between the two.
12-10-2008 06:26 AM
Sorry for not posting for a while. Anyhow, the problem with the ARP broadcasts was a virus that spread through the network and a few zombie computers.
We have managed to contain and eliminate the virus since then. Thanks everyone for help.
12-10-2008 10:15 AM
Igor
Thank you for posting back to this thread, indicating that you had resolved the issue and explaining what the issue was. It makes the forum more useful when people can read about an issue and get confirmation of what the issue turned out to be and how it was resolved.
HTH
Rick