Solved

ARP Flooding from Cisco Router

Posted on 2003-12-02
7
2,083 Views
Last Modified: 2013-11-29
Basically stated I am experiencing serious ARP flooding from my Cisco Router in one of my remote facilities.  This facility is connected to the corporate network via EIGRP routed traffic.  But every hour or so, we receive an ARP flood such as the following:

10.11.x.x network
255.255.0.0 subnet

ARP flooding begins at 10.11.0.1 and enumerateds ARP requests through and including 10.11.255.254.  

We have updated all of the clients in the local subnet with all of the Microsoft Critical Updates and have run the Welchia removal tool from Symantec.  We still get these ARP Requests from our Cisco Router.

Any thoughts.  I am at my wits end.  Thanks.
0
Comment
Question by:mville92
  • 2
7 Comments
 
LVL 18

Accepted Solution

by:
chicagoan earned 168 total points
ID: 9863245
sure sounds like welchia or a cousin...
You could deny icmp to mitigate the problem if it's inside:

access-list 123 deny icmp any any echo
access-list 123 permit ip any any
Interface Eth 0
 ip access-group 123 in

also EIGRP in IOS 11 - 12 is vulnerable to a DOS atttack if you haven't implemented EIGRP authentication using MD5 hashes or aren't using  extended access lists to match your expected neighbors


0
 
LVL 13

Assisted Solution

by:td_miles
td_miles earned 166 total points
ID: 9863264
0
 

Assisted Solution

by:chucksmith
chucksmith earned 166 total points
ID: 9863676
Here is something to try, I uise this all the time to see what is going on from my routers. It will eat up some resources, but believe me it is well worth it. If you are running 12.x code on the router it should be fine.

Enable ip route-cache flow on your interfaces (all of them).  Then give it some time and then from an enable promot type show ip cache flow.

You'll see a lot of data, but what you are mostly interested in will be the Source and Destination columns. Typically you see one source (listed a bunch of times) trying to talk to the world (hitting a lot of destination ip addresses). Another thing, is that typically each of those destinations will only have 1 or 2 packets that were sent to it.  Then I iusually run a scanner against that machine to tell me if it has the patches installed. If any patch is not installed on the machine or I have any reason to believe it is vulnerable, I will go in and block the ip address pending further investigation.  Of course, to do this you need your management supprt and such - which we luckily do.

If you can block the device at layer 2, that is the BEST option to contain it. Worst case scenario is to block it at layer 3 - but its better than nothing.

Hope this help you out some,
Chuck
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9878669
made any headway?
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now