Solved

ARP Flooding from Cisco Router

Posted on 2003-12-02
Last Modified: 2013-11-29
Basically stated I am experiencing serious ARP flooding from my Cisco Router in one of my remote facilities.  This facility is connected to the corporate network via EIGRP routed traffic.  But every hour or so, we receive an ARP flood such as the following:

10.11.x.x network
255.255.0.0 subnet

ARP flooding begins at 10.11.0.1 and enumerates ARP requests through and including 10.11.255.254.

We have updated all of the clients in the local subnet with all of the Microsoft Critical Updates and have run the Welchia removal tool from Symantec.  We still get these ARP Requests from our Cisco Router.

Any thoughts? I am at my wits' end. Thanks.
Question by:mville92
LVL 18

Accepted Solution

by:
chicagoan earned 168 total points
ID: 9863245
sure sounds like welchia or a cousin...
You could deny icmp to mitigate the problem if it's inside:

access-list 123 deny icmp any any echo
access-list 123 permit ip any any
Interface Eth 0
 ip access-group 123 in

also EIGRP in IOS 11 - 12 is vulnerable to a DOS attack if you haven't implemented EIGRP authentication using MD5 hashes or aren't using extended access lists to match your expected neighbors


LVL 13

Assisted Solution

by:td_miles
td_miles earned 166 total points
ID: 9863264

Assisted Solution

by:chucksmith
chucksmith earned 166 total points
ID: 9863676
Here is something to try; I use this all the time to see what is going on from my routers. It will eat up some resources, but believe me, it is well worth it. If you are running 12.x code on the router it should be fine.

Enable ip route-cache flow on your interfaces (all of them). Then give it some time, and then from an enable prompt type show ip cache flow.

You'll see a lot of data, but what you are mostly interested in will be the Source and Destination columns. Typically you see one source (listed a bunch of times) trying to talk to the world (hitting a lot of destination IP addresses). Another thing is that typically each of those destinations will only have 1 or 2 packets that were sent to it. Then I usually run a scanner against that machine to tell me if it has the patches installed. If any patch is not installed on the machine or I have any reason to believe it is vulnerable, I will go in and block the IP address pending further investigation. Of course, to do this you need your management support and such - which we luckily do.

If you can block the device at layer 2, that is the BEST option to contain it. Worst case scenario is to block it at layer 3 - but it's better than nothing.

Hope this helps you out some,
Chuck
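
The pattern described in the answer above (one source hitting many destinations, each with only 1 or 2 packets) can be checked automatically over saved `show ip cache flow` output. This is an added example, not part of the original thread; the sample flow lines, their addresses, and the `min_dsts` / `max_pkts` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of `show ip cache flow`.
# Pr, SrcP and DstP are hexadecimal; for ICMP (Pr 01), DstP 0800 = echo request.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0           10.20.3.7       Et0           10.11.0.1       01 0000 0800     1
Se0           10.20.3.7       Et0           10.11.0.2       01 0000 0800     1
Et0           10.11.4.23      Se0           10.1.1.10       06 0C21 0050    42
Se0           10.20.3.7       Et0           10.11.0.3       01 0000 0800     1
Se0           10.20.3.7       Et0           10.11.0.4       01 0000 0800     2
Et0           10.11.4.30      Se0           10.1.1.53       11 0D05 0035     3
Se0           10.20.3.7       Et0           10.11.0.5       01 0000 0800     1
Se0           10.20.3.7       Et0           10.11.0.6       01 0000 0800     1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
FLOW = re.compile(rf"^(\S+)\s+{IP}\s+(\S+)\s+{IP}\s+"
                  r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$")

def parse_flows(text):
    """Return one dict per flow row; headers and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if m:
            flows.append({"src": m[2], "dst": m[4], "proto": int(m[5], 16),
                          "dport": int(m[7], 16), "pkts": int(m[8])})
    return flows

def find_scanners(flows, min_dsts=5, max_pkts=2):
    """Map source -> number of distinct destinations that got <= max_pkts packets,
    keeping only sources that reach at least min_dsts such destinations."""
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f["src"]][f["dst"]] += f["pkts"]
    hits = {}
    for src, dsts in per_src.items():
        sparse = sum(1 for pkts in dsts.values() if pkts <= max_pkts)
        if sparse >= min_dsts:
            hits[src] = sparse
    return hits

if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(SAMPLE)).items():
        print(f"{src}: {n} destinations with <= 2 packets each")
```

On a real router the thresholds need tuning upward, since busy servers and DNS resolvers also talk to many destinations with few packets each.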
LVL 18

Expert Comment

by:chicagoan
ID: 9878669
made any headway?