arp flooding


we are experiencing a problem with our network.

we are being overrun with arp requests. the isp says there is no unusual traffic on the line.
does any one know where to begin looking for this problem?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


first off you will need to identify where they are coming from. sometimes a misconfigured computer can generate these otherwise it might be an attack.
use a packet sniffer and identify the source IP.

if you determine its coming from an internal computer then simply work with that problem pc.
if it is coming from external then take steps to block these such as a firewall or a IDS (intrusion detection system)

and it should just about be that simple.
   1- find whos doing it.
   2- fix it or block it.
You are most likely suffering from infected systems on your network.
Infections of Welchia, Nachia, and MSBLAST present these same symptoms:
You can shut off ARP replies to unlisted domains/ips on your router.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Hey, I just remembered something. Are you patched for the Code Red II worm?
Actually I need to clarify my first answer a little. A router performing Directed ARP procedures must filter the propagation of ARP Request packets to constrain the scope of potential "ARP floods" caused by misbehaving routers or hosts, and to terminate potential ARP loops that may occur during periods of routing protocol instability or as a result of inappropriate manual configurations. To control the propagation of an "ARP flood", a router performing Directed ARP procedures could limit the number of identical ARP Requests (i.e., same Source IP address and same Target IP address) that it would forward per small time interval (e.g., no more than one ARP Request per second). Forwarding of ARP Request packets introduces the possibility of ARP loops. The procedures used to control the scope of potential ARP floods may terminate some ARP loops, but additional procedures are needed if the time required to traverse a loop is longer than the timer used to control ARP floods.

The thing is simple ARP floods can be eliminated if routers never forward ARP Requests that were addressed to a link-level broadcast address. If your ISP is saying nothing is on the line my guess is that they mean "their side" of the line. So you may have an internal problem. Check and make sure your routers are acting as they're supposed to and make sure any server running IIS is patched for Code Red.
tryonixAuthor Commented:
i scanned all the computers on the network and none of them are infected.
i think i localized the problem,
i took all the computers off of the network , shut down the server and plugged my laptop
into the dsl router. so the only machine connected to the dsl router is my laptop. i am still getting massive arp requests 2000 - 5000 per minute. when i unplug the dsl line the requests stop. yet the isp still says there is no unusual traffic on the line. any ideas?
tryonixAuthor Commented:
oh and the arp broadcasts coming from the dsl router  are for every ip in our range.

I'll say it again. That is the exact symptoms of the Welchia and MSBlast infection.
The infected hosts are scanning every IP in the subnet looking for more hosts to infect.
when you scanned for virus did you disable the system restore on all the PC's that are Win ME & XP?
Also have you tried running Spybot S & D over the network to see what malware is running?
Check your subnet mask on the router...  Make sure its the same as the rest of your subnet.

Normail  arp requests are broadcasts, they must remain in the collision domain they originated in.
If the MAC address of the arp request corresponds to your DSL device I would check the ethernet setup on it's connection to your switch. A speed / duplex mismatch or poor cabling could cause communications problem. If you have a more sophisticated switch, I would make sure the DSL is plugged into an uplink port or a port which is expecting multiple hosts. If you have any hubs connected to your switch, try unplugging them.
I think it's unlikely you're suffering from a directed arp attack.

If this doesn't help, post your hardware models and configs (edit to remove site specific info) and a sample packet.
tryonixAuthor Commented:
i couldnt find any virus anywhere. i tried everything u guys said. still being flooded.

any more ideas?
You're going to have to get a decent sniffer with reporting capabilities on the collision domain with the router so that you can look at aggregated statistics.

You can use a simple sniffer like ethereal and try to acertain the source IP of the broadcasts, but you'll need something like CA's sniffer pro to paint the picture for you.

Try this if nobody will pop for a decent sniffer:
cheap sniffer:
A CLEAN simple build of 2000 or XP with all windows updates, no office - no nuthin' else.
Ethereal and windcap.

disconect everything from the network
put just your sniffer and the dsl on a HUB and watch the activity.
If you're getting flooded either your ISP is full of cr@p and you're the victim of a denial of service attack or your DSL router is whacked (misconfigures, bad ethernet interface or somthing)
if not - bring you machines up at ten minute intervals and start capturing packets when they've been up for a while
tryonixAuthor Commented:
i just found out that we share our dsl with 4 other companies. would a virus on one of thier systems cause the arp flooding on ours?

actually it would depend on how they "Share"
is there 1 DSL modem for all 4 companies?

i used to work for a DSL provider and am pretty sure you are not allowed to share a single business connection between 4 business, that is illegal. maybe all 4 business have DSL and share from the same physical trunk, but not the exact same connection.

either way your not gonna be able to tell by looking at it from the "outside"
you WILL need to capture a few packets and that will INSTANTLY tell you where the arp requests are origionating from. and then you can tracert the origionating host to further track it down.

tryonixAuthor Commented:
each company has its own dsl modem , but they are on the same trunk.

i didnt do a traceroute yet but ethereal lists the source ip as our router.

so if one of them has a virus ,  it would cause the arp flooding on ours?

If they have their own modems, they should not be affecting yours.
Even though the source packets look like they are coming from your router, the culprit is most likely still inside your network.
You need a sniffer...
Try a demo copy of Lanhound, or use ethereal

thats odd it looks as origionating from the router, routers will not forward ARP's so it shouldnt be coming from an external source.

first lets try to determine the router as a problem or not.
im wondering what the "discovery method" is for the router... try logging into the interface and search for anything relating to ARP. also look for anything about "IP Forwarding" and make sure it is NOT enabled.

tryonixAuthor Commented:
i have narrowed it down to either a bad router at the isp. or another company on the same trunk that has a virus on there systems.

it is definatly not a problem with our network. i unplugged everything from the dsl modem/router except for the dsl connection and a laptop with a fresh install of xp and etherreal. and we are still getting thousands of arps per second. when i disconnect the dsl the requests stop so its not our router that is doing it. it is definatly external. the requests are for every ip except the one the laptop is using. i can't see where the request are coming from all ethereal tells me is that they are arp requests and they are in the form -- who has -- tell router's ip. and the source ip is the router. ip forwarding is not enabled, the router dosn't let me block arps.

we need more bandwith any way so we are going with a T1, we will be getting a new router and a new range of ip's and we will no longer be sharing a trunk with anybody else. This should solve the problem. i hope


wow thats pretty wild, sounds like their equipment is not setup properly. i believe if you call your isp they will take care of you, business connections usually get a much higher priority than residential. also, if you do call them to support this, be a lil picky and upset about the performance you have recieved and you should be offered some kind of compensation.
tryonixAuthor Commented:
yeah,  the weirdest thing is the arp requests are only for our unused ips.

i called them up. all i got from them is - we can ping the router so everything is fine.

that is as far as they would go.

does anyone have any other ideas?


well.... we will have to prove that they need to do more.

first off, what exact bandwidth are you paying for? 768k?
next go to and see what your really getting.
IF you get results at half or less of what your paying for then i would call them back and tell them you "have been able to access the internet all along, but performance is unacceptable as its only half of what im paying for. i think i might have discovered the problem but am not sure and was wondering if you could get this taken care of."

then hopefully he'll ask you what you discovered and open a trouble ticket for you.
then checkup every 24 hours.
(IMPORTANT when explaining, be general about saying what you found, let them find the fine details cause thats their job... that and i hate it when customers call and try to tell me they know whats goin on when they dont know for sure) i would say something along the line of " i ran a network sniffer and noticed an enormous amount of ARP packets." and leave it at that.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tryonixAuthor Commented:
thanks for the help guys

so did it ever get resolved?
tryonixAuthor Commented:
no we are gonna go with a t1
tryonixAuthor Commented:
has not been resolved still getting flooded. with ethereal i am seeing almost 90 percent of my traffic is arp traffic. at least 1000 arps a second. i give up. going with a t1 and new ips. should resolve problem (i hope)
sorry to hear that
T1's are pretty expensive but if you can utilize the bandwidth your likely to increase revenue


Did the T1 resolve this?

We are also getting ARP flooding but it is in the lab where we don't have an outside connection. Ours is comming from a W2K system.
tryonixAuthor Commented:
yes the T1 resolved it.

we are no longer getting flooded.
We are getting ARP flooding too but it is on a direct connect on a 1Gig connection from a Windows 2000 computer. We only get it when running at  high speed and with the Microsoft iSCSI initiator. Has anyone ever heard of such a thing?
sounds like a different question  ESQuicksall...
Yea, I re-submitted it under "ARP flooding with Microsoft iSCSI initiator".
I get tons of these in a tcp dump, These are stright offf the broadband network and nothing to do with my I.P or Gateway I.p so why the hell do I get them.

23:26:59.078518 arp who-has tell
23:26:59.099728 arp who-has tel
23:26:59.158508 arp who-has tel
23:26:59.285153 arp who-has tel
23:26:59.379440 arp who-has tel
23:26:59.407071 arp who-has tell
23:26:59.468876 arp who-has tel
23:26:59.478590 arp who-has tell
23:26:59.494445 arp who-has tell
23:26:59.506298 arp who-has tell
23:26:59.630377 arp who-has tell
23:26:59.653808 arp who-has tell
23:26:59.668562 arp who-has tell
My problem was due to too much going on in the computer. The IP stack was not able to respond to the ARP fast enough and hence another ARP was sent very quickly. We simply fixed the bug in our IP stack.
The computer at the "tell" address is the one sending the ARP. It is strange that so many different systems are all sending their ARP in the same second.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.