ARP Flooding from Cisco Router

Basically stated I am experiencing serious ARP flooding from my Cisco Router in one of my remote facilities.  This facility is connected to the corporate network via EIGRP routed traffic.  But every hour or so, we receive an ARP flood such as the following:

10.11.x.x network
255.255.0.0 subnet

ARP flooding begins at 10.11.0.1 and enumerates ARP requests through and including 10.11.255.254.

We have updated all of the clients in the local subnet with all of the Microsoft Critical Updates and have run the Welchia removal tool from Symantec.  We still get these ARP Requests from our Cisco Router.

Any thoughts.  I am at my wits end.  Thanks.
Asked by mville92
chicagoan commented:
sure sounds like welchia or a cousin...
You could deny icmp to mitigate the problem if it's inside:

access-list 123 deny icmp any any echo
access-list 123 permit ip any any
interface Ethernet0
 ip access-group 123 in

Also, EIGRP in IOS 11 - 12 is vulnerable to a DoS attack if you haven't implemented EIGRP authentication using MD5 hashes or aren't using extended access lists to match your expected neighbors.


chucksmith commented:
Here is something to try; I use this all the time to see what is going on from my routers. It will eat up some resources, but believe me it is well worth it. If you are running 12.x code on the router it should be fine.

Enable ip route-cache flow on your interfaces (all of them). Then give it some time and then from an enable prompt type show ip cache flow.

You'll see a lot of data, but what you are mostly interested in will be the Source and Destination columns. Typically you see one source (listed a bunch of times) trying to talk to the world (hitting a lot of destination IP addresses). Another thing is that typically each of those destinations will only have 1 or 2 packets that were sent to it. Then I usually run a scanner against that machine to tell me if it has the patches installed. If any patch is not installed on the machine or I have any reason to believe it is vulnerable, I will go in and block the IP address pending further investigation. Of course, to do this you need your management support and such - which we luckily do.

If you can block the device at layer 2, that is the BEST option to contain it. Worst case scenario is to block it at layer 3 - but it's better than nothing.

Hope this helps you out some,
Chuck
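The triage step chucksmith describes (one source fanning out to many destinations, with only one or two packets per flow) can be automated over the `show ip cache flow` table. The script below is an added example, not code from the thread or from Cisco: it parses the per-flow rows in the column layout IOS prints after `ip route-cache flow` is enabled, aggregates per source, and flags the sources whose fan-out and packets-per-flow match the scanning pattern. The flow table, interface names and addresses are constructed sample data, and the thresholds `min_destinations` and `max_avg_pkts` are hypothetical starting points to tune per site.

```python
"""Rank sources in 'show ip cache flow' output by fan-out (added example).

Constructed for this thread, not Cisco's or the poster's code. Row layout
follows what IOS prints: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP
Pkts, with protocol and ports in hex.
"""
import re
from collections import defaultdict

# Constructed sample of the tail of 'show ip cache flow'; addresses, interface
# names and packet counts are made up. 10.11.3.57 is sweeping with ICMP echo
# (Pr 01, DstP 0800); 10.11.2.10 is ordinary HTTP traffic.
SAMPLE_FLOW_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0           10.11.3.57      Et1           10.11.0.1       01 0000 0800     1
Et0           10.11.3.57      Et1           10.11.0.2       01 0000 0800     1
Et0           10.11.3.57      Et1           10.11.0.3       01 0000 0800     2
Et0           10.11.3.57      Et1           10.11.0.4       01 0000 0800     1
Et0           10.11.3.57      Et1           10.11.0.5       01 0000 0800     1
Et0           10.11.3.57      Et1           10.11.0.6       01 0000 0800     1
Et0           10.11.2.10      Et1           10.11.200.5     06 0471 0050   342
Et0           10.11.2.10      Et1           10.11.200.9     06 0472 0050   118
Et1           10.11.200.5     Et0           10.11.2.10      06 0050 0471   301
"""

# One flow row; the header and the cache-statistics lines above it do not match.
FLOW_LINE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(text):
    """Return one dict per flow row, with protocol and packet count as ints."""
    flows = []
    for line in text.splitlines():
        m = FLOW_LINE.match(line)
        if m:
            row = m.groupdict()
            row["proto"] = int(row["proto"], 16)
            row["pkts"] = int(row["pkts"])
            flows.append(row)
    return flows


def summarize_sources(flows):
    """Per source: distinct destinations, total packets, mean packets per flow."""
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    nflows = defaultdict(int)
    for f in flows:
        dsts[f["src"]].add(f["dst"])
        pkts[f["src"]] += f["pkts"]
        nflows[f["src"]] += 1
    return {
        src: {
            "destinations": len(dsts[src]),
            "packets": pkts[src],
            "avg_pkts_per_flow": pkts[src] / nflows[src],
        }
        for src in dsts
    }


def find_scanners(flows, min_destinations=5, max_avg_pkts=2.0):
    """Sources that reach many destinations with only a packet or two each.

    Thresholds are hypothetical defaults; tune them to the site's normal fan-out.
    """
    stats = summarize_sources(flows)
    return sorted(
        src
        for src, s in stats.items()
        if s["destinations"] >= min_destinations
        and s["avg_pkts_per_flow"] <= max_avg_pkts
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_OUTPUT)
    stats = summarize_sources(flows)
    for src in find_scanners(flows):
        s = stats[src]
        print(f"{src}: {s['destinations']} destinations, "
              f"{s['avg_pkts_per_flow']:.1f} pkts/flow")
```

On a real router the table is longer and is preceded by cache statistics, which the row regex skips; paste the whole `show ip cache flow` output into `parse_flows` and review the flagged sources before blocking anything, since a legitimate monitoring host can show similar fan-out.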
chicagoan commented:
made any headway?