Solved

ARP Flooding from Cisco Router

Posted on 2003-12-02
Last Modified: 2013-11-29
Basically stated I am experiencing serious ARP flooding from my Cisco Router in one of my remote facilities.  This facility is connected to the corporate network via EIGRP routed traffic.  But every hour or so, we receive an ARP flood such as the following:

10.11.x.x network
255.255.0.0 subnet

ARP flooding begins at 10.11.0.1 and enumerates ARP requests through and including 10.11.255.254.

We have updated all of the clients in the local subnet with all of the Microsoft Critical Updates and have run the Welchia removal tool from Symantec.  We still get these ARP Requests from our Cisco Router.

Any thoughts?  I am at my wits' end.  Thanks.
Question by:mville92
 
LVL 18

Accepted Solution

by:
chicagoan earned 672 total points
ID: 9863245
Sure sounds like Welchia or a cousin...
You could deny icmp to mitigate the problem if it's inside:

access-list 123 deny icmp any any echo
access-list 123 permit ip any any
Interface Eth 0
 ip access-group 123 in

Also, EIGRP in IOS 11 - 12 is vulnerable to a DoS attack if you haven't implemented EIGRP authentication using MD5 hashes or aren't using extended access lists to match your expected neighbors.


0
 
LVL 13

Assisted Solution

by:td_miles
td_miles earned 664 total points
ID: 9863264
0
 

Assisted Solution

by:chucksmith
chucksmith earned 664 total points
ID: 9863676
Here is something to try. I use this all the time to see what is going on from my routers. It will eat up some resources, but believe me it is well worth it. If you are running 12.x code on the router it should be fine.

Enable ip route-cache flow on your interfaces (all of them).  Then give it some time and then from an enable prompt type show ip cache flow.

You'll see a lot of data, but what you are mostly interested in will be the Source and Destination columns. Typically you see one source (listed a bunch of times) trying to talk to the world (hitting a lot of destination IP addresses). Another thing is that typically each of those destinations will only have 1 or 2 packets that were sent to it.  Then I usually run a scanner against that machine to tell me if it has the patches installed. If any patch is not installed on the machine or I have any reason to believe it is vulnerable, I will go in and block the IP address pending further investigation.  Of course, to do this you need your management support and such - which we luckily do.

If you can block the device at layer 2, that is the BEST option to contain it. Worst case scenario is to block it at layer 3 - but it's better than nothing.

Hope this helps you out some,
Chuck
0
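
The pattern described in the answer above (one source reaching many destinations with only 1 or 2 packets each) can be picked out of saved show ip cache flow output with a short script. This is an added example, not part of the original thread; the sample rows, the thresholds and the function name suspect_sources are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of the flow table printed by `show ip cache flow`
# (addresses and counts are invented; Pr/SrcP/DstP are hex, 01 = ICMP).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0           10.4.7.23       Et0           10.11.0.1       01 0000 0800     1
Se0           10.4.7.23       Et0           10.11.0.2       01 0000 0800     1
Se0           10.4.7.23       Et0           10.11.0.3       01 0000 0800     1
Se0           10.4.7.23       Et0           10.11.0.4       01 0000 0800     2
Se0           10.4.7.23       Et0           10.11.0.5       01 0000 0800     1
Se0           10.4.7.23       Et0           10.11.0.6       01 0000 0800     1
Et0           10.11.2.10      Se0           10.1.1.5        06 0C1A 01BD   214
Et0           10.11.2.10      Se0           10.1.1.9        06 0C1B 0050    37
Et0           10.11.3.7       Se0           10.1.1.5        11 0401 0035   12K
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: large packet counts may carry a K or M suffix in the Pkts column.
FLOW = re.compile(rf"^\S+\s+{IP}\s+\S+\s+{IP}\s+[0-9A-Fa-f]{{2}}"
                  r"\s+[0-9A-Fa-f]{4}\s+[0-9A-Fa-f]{4}\s+(\d+)([KM]?)\s*$")
SCALE = {"": 1, "K": 1_000, "M": 1_000_000}

def suspect_sources(text, min_dests=5, max_pkts=2, min_ratio=0.8):
    """Map each sweep-like source IP to its number of distinct destinations.

    A source is flagged when it reached at least min_dests destinations and
    at least min_ratio of them received max_pkts packets or fewer.
    The default thresholds are illustrative assumptions, not tuned values.
    """
    per_src = defaultdict(lambda: defaultdict(int))  # src -> dst -> packets
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue  # header, summary statistics, blank lines
        src, dst, count, suffix = m.groups()
        per_src[src][dst] += int(count) * SCALE[suffix]
    flagged = {}
    for src, dsts in per_src.items():
        small = sum(1 for pkts in dsts.values() if pkts <= max_pkts)
        if len(dsts) >= min_dests and small / len(dsts) >= min_ratio:
            flagged[src] = len(dsts)
    return flagged

if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE).items():
        print(f"{src}: {n} destinations, mostly 1-2 packets each")
```

On a real flow cache the destination threshold would need to be raised well above 5; the flagged addresses are candidates for the patch scan and layer 2 block described above, not proof of infection.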
 
LVL 18

Expert Comment

by:chicagoan
ID: 9878669
Made any headway?
0
