
Network flooded by strange gratuitous ARP broadcasts

Posted on 2006-11-16
2,222 Views
Last Modified: 2008-04-14
We have a client whose LAN is severely congested - using Ethereal to do a packet capture we discovered a block of workstations in the network are broadcasting out a huge number of gratuitous ARP requests.  What's strange is that the network is on a single subnet (192.168.10.0) while the ARP requests are for IPs outside of this subnet (eg 192.168.30.32, 192.168.25.44, 192.168.44.24).

I've looked up gratuitous ARP packets and it looks like they're a self-discovery protocol - which means the target address should be the same as source address.  The 10 or so workstations issuing these broadcasts are on the 192.168.10.0 subnet (they can be pinged and RDP'd using the 192.168.10.0 address) - so I can't explain why they would be sending out ARP packets with a source address of 192.168.30.32 or 192.168.25.44.

When I physically unplug one of these workstations from the network the particular ARP broadcasts from that MAC source address stop, so I don't think there's spoofing going on.

I checked IP address config using 'ipconfig /all' and through Windows network connection properties and only see the 192.168.10.xxx address and not anything else.  

At this point I'm thinking it's either a virus or some misconfigured software. (these are 3D rendering stations - there's not a lot of software installed on them)

Any help greatly appreciated!

Thanks

Chris

Question by:smocohiba
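As an added example (not part of the original thread or the poster's own tooling), here is a small Python decoder that does what the capture analysis above does by hand: it parses raw Ethernet/ARP frames, marks a packet as gratuitous when the ARP sender IP equals the target IP, and flags gratuitous ARPs whose sender address lies outside the segment's own prefix (here 192.168.10.0/24 with a /24, i.e. "class C", mask), counted per Ethernet source MAC. Everything in SAMPLE_FRAMES is constructed for the example; the MACs are invented and the three off-subnet addresses are the ones the question mentions.

```python
import ipaddress
import struct
from collections import Counter

# Wire constants (Ethernet II / RFC 826).
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def build_arp_frame(src_mac, sender_ip, target_ip, op=ARP_REQUEST,
                    dst_mac=BROADCAST_MAC, target_mac=ZERO_MAC):
    """Assemble an Ethernet II frame carrying one IPv4 ARP packet.
    Used here only to construct the sample capture below."""
    arp = struct.pack(ARP_FMT, 1, ETHERTYPE_IPV4, 6, 4, op, src_mac,
                      ipaddress.IPv4Address(sender_ip).packed,
                      target_mac, ipaddress.IPv4Address(target_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {
        "src_mac": frame[6:12].hex(":"),   # Ethernet source: what the switch port actually saw
        "sender_mac": sha.hex(":"),        # ARP sender hardware address (differs only when spoofed)
        "sender_ip": ipaddress.IPv4Address(spa),
        "target_ip": ipaddress.IPv4Address(tpa),
        "op": op,
    }


def classify(arp, local_net):
    """A gratuitous ARP has sender IP == target IP. Flag those whose sender IP
    is not inside the segment's prefix: the host is announcing an address it
    should not hold on this wire."""
    gratuitous = arp["sender_ip"] == arp["target_ip"]
    off_subnet = arp["sender_ip"] not in local_net
    if gratuitous and off_subnet:
        return "gratuitous-off-subnet"
    if gratuitous:
        return "gratuitous"
    if off_subnet:
        return "request-from-off-subnet"
    return "normal"


def summarize(frames, local_cidr):
    """Count ARP classes per Ethernet source MAC; non-ARP frames are skipped."""
    local_net = ipaddress.ip_network(local_cidr)
    per_mac = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        per_mac.setdefault(arp["src_mac"], Counter())[classify(arp, local_net)] += 1
    return per_mac


def suspects(frames, local_cidr, threshold=2):
    """MACs that sent at least `threshold` off-subnet gratuitous ARPs, worst first."""
    counts = summarize(frames, local_cidr)
    hits = [(mac, c["gratuitous-off-subnet"]) for mac, c in counts.items()
            if c["gratuitous-off-subnet"] >= threshold]
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample capture (MACs invented for this example):
# station A announces three addresses outside 192.168.10.0/24, station B behaves.
MAC_A = bytes.fromhex("001b21aabbcc")
MAC_B = bytes.fromhex("001b21ddeeff")
SAMPLE_FRAMES = [
    build_arp_frame(MAC_A, "192.168.30.32", "192.168.30.32"),
    build_arp_frame(MAC_A, "192.168.25.44", "192.168.25.44"),
    build_arp_frame(MAC_A, "192.168.44.24", "192.168.44.24"),
    build_arp_frame(MAC_A, "192.168.10.21", "192.168.10.21"),   # legitimate self-announce
    build_arp_frame(MAC_B, "192.168.10.50", "192.168.10.1"),    # ordinary "who has the gateway?"
    BROADCAST_MAC + MAC_B + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27,  # non-ARP noise
]

if __name__ == "__main__":
    for mac, counts in summarize(SAMPLE_FRAMES, "192.168.10.0/24").items():
        print(mac, dict(counts))
    print("suspects:", suspects(SAMPLE_FRAMES, "192.168.10.0/24"))
```

To run it against a real capture, feed the raw frame bytes of each packet (for example from a pcap reader) into summarize() in place of SAMPLE_FRAMES. Comparing src_mac with sender_mac is the quick spoofing check: the question's observation that the broadcasts stop when a station is unplugged corresponds to the two fields agreeing.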
19 Comments
LVL 57

Expert Comment

by:giltjr
ID: 17962339
Any of these boxes running VMWare or Virtual PC?

IIRC, there is a virus that does this.  Do you have anti-virus software?

Author Comment

by:smocohiba
ID: 17962474
I don't believe these workstations have anti-virus software.  I'll have one of them run an online scan.  

They shouldn't be running any virtual machine software, but I'll check for that as well.

Thanks!
LVL 3

Expert Comment

by:ctrost
ID: 17965118
Do those machines have Class C or Class B subnet masks?  (255.255.255.0 or 255.255.0.0)  

Author Comment

by:smocohiba
ID: 17966130
They're using class C masks. I ran an online virus scanner on a couple of the machines and they came back clean.
LVL 3

Expert Comment

by:ctrost
ID: 17966200
Try to ping and nslookup 192.168.30.32 or 192.168.25.44 and see if they reply....better yet, see if they reply with hostnames

Author Comment

by:smocohiba
ID: 17966496
Ping gets no replies on any of these addresses, nor nslookup.  I never see any replies to these ARP broadcasts in the packet capture.

thanks!
LVL 57

Expert Comment

by:giltjr
ID: 17968185
You would need to install some type of software on the PCs that monitors and logs what processes send IP data out.

By chance are they running IIS or some other web server (or any other IP server based software)?  Could one of these be configured to listen on one of these bad IP addresses?

Author Comment

by:smocohiba
ID: 17968483
Thanks - any recommendation on monitoring software?


Expert Comment

by:DavidLH
ID: 17968548
In ethereal what are the source IP addresses of the ARP packets?  Are they all coming from the same computer or from different computers?

If they are all coming from the same computer make sure to virus scan that computer.

Also is there any organization to the ARP requests, one time I saw a virus Arping for sequential addresses.
LVL 57

Expert Comment

by:giltjr
ID: 17968634
Honestly I am not sure of any packages that will do this.  You know I think I found an idea for a new product.  All I need to do is learn how to program under Windows. :)
LVL 16

Assisted Solution

by:btassure
btassure earned 100 total points
ID: 17978510
There is one.

netstat -ano in Windows XP will list the connections available, their states and the process id that is using them (which you can compare to Task Manager for the service/application name).

If it is running as part of an svchost then type tasklist /svc in a command prompt to show what tasks are running within each svchost and possibly disable extraneous software.
LVL 57

Expert Comment

by:giltjr
ID: 17979185
The netstat -ano will not work.  

First, this command shows open TCP and/or UDP connections, which ARP does not have.

Second, unless somebody has written a low level IP based application, the IP stack issues ARPs, not a task.  The same is true with other functions like DNS name resolution.  The IP stack handles this.

An ARP does not require an open UDP or TCP connection and so you can't tell.  Example:  try doing a netstat -ano while issuing a ping with the -t option.  You don't see ping in the list because it does not have a TCP or UDP connection active.

Some IP functions will not show up in a netstat command, like ARP, ping, and even DNS lookups, because they don't involve a TCP connection and they don't involve listening for a UDP response on a specific port.
LVL 16

Expert Comment

by:btassure
ID: 17979364
Sorry, I misread your original post. I thought you were referring to TCP data rather than IP. My bad :o)
LVL 57

Assisted Solution

by:giltjr
giltjr earned 100 total points
ID: 17979700
Actually, thinking about it some more, doing a netstat -ano may help.  

If whatever is doing this does have a TCP or UDP socket open, it should stand out like a sore thumb, as he should see something that has a local address equal to one of the offending IP addresses.  

If whatever is doing this is just sending out ARPs, then netstat will not help and I am not sure what might.

So go ahead and do the netstat -ano like btassure suggests and see if there is anything with a socket open with one of the offending IP addresses.
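As an added example (not from the thread or any of its participants), here is a Python script that does the check btassure and giltjr describe in one pass: it parses netstat -ano output, keeps only sockets whose local address is a concrete IPv4 address outside the segment's prefix (wildcard 0.0.0.0 / :: and loopback binds are normal and skipped), and joins them on PID to tasklist /svc output so each stray socket is tied to an image name and, for svchost, its service list. Both sample outputs are constructed in English-locale Windows XP layout; the process name renderd.exe and every address are invented. As giltjr notes, this only finds the socket-bound case: an ARP generated by the stack itself (or, as the accepted solution later showed, by NIC firmware) has no socket and will not appear here.

```python
import ipaddress
import re

# netstat -ano row: proto, local, foreign, optional state (absent for UDP), PID.
# Assumes the English-locale column layout; localized builds print other state words.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist /svc row: image name, PID, comma-separated services (or N/A).
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.*?)\s*$")


def split_endpoint(endpoint):
    """'192.168.10.21:3389' -> (IPv4Address, 3389); '[::]:135' -> (IPv6Address, 135);
    the UDP foreign placeholder '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("*", "") or not port.isdigit():
        return None, None
    return ipaddress.ip_address(host), int(port)


def sockets_outside(netstat_text, local_cidr):
    """Sockets whose local address is a concrete IPv4 address not inside local_cidr."""
    local_net = ipaddress.ip_network(local_cidr)
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank, or a line we don't understand
        proto, local, _foreign, state, pid = m.groups()
        ip, port = split_endpoint(local)
        if ip is None or ip.is_unspecified or ip.is_loopback:
            continue  # wildcard and loopback binds are expected on any host
        if ip.version == 4 and ip not in local_net:
            found.append({"proto": proto, "ip": str(ip), "port": port,
                          "state": state or "", "pid": int(pid)})
    return found


def process_table(tasklist_text):
    """PID -> (image name, [services]) from tasklist /svc output."""
    table = {}
    for line in tasklist_text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = TASKLIST_ROW.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        svc = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        table[int(pid)] = (image, svc)
    return table


def find_offenders(netstat_text, tasklist_text, local_cidr):
    """Join stray sockets to their owning process; unknown PIDs are kept, not dropped."""
    procs = process_table(tasklist_text)
    out = []
    for sock in sockets_outside(netstat_text, local_cidr):
        image, services = procs.get(sock["pid"], ("<unknown>", []))
        out.append({**sock, "image": image, "services": services})
    return out


# Constructed sample output. renderd.exe is a hypothetical process name.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1104
  TCP    192.168.10.21:3389     0.0.0.0:0              LISTENING       1104
  TCP    192.168.30.32:8080     0.0.0.0:0              LISTENING       2212
  TCP    192.168.10.21:1036     192.168.10.5:445       ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1540
  UDP    192.168.25.44:5000     *:*                                    2212
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    980 RpcSs
svchost.exe                   1104 TermService
snmp.exe                      1540 SNMP
renderd.exe                   2212 N/A
"""

if __name__ == "__main__":
    for hit in find_offenders(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "192.168.10.0/24"):
        print(f"{hit['proto']:3} {hit['ip']}:{hit['port']:<5} pid={hit['pid']} "
              f"{hit['image']} {','.join(hit['services'])}")
```

On a real workstation, capture the two outputs with `netstat -ano > netstat.txt` and `tasklist /svc > tasklist.txt` and pass the file contents to find_offenders(). An empty result while the ARPs continue is itself informative: it means nothing in user space is bound to the offending addresses, which points back at the stack or the adapter, as this thread eventually found.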
LVL 16

Expert Comment

by:btassure
ID: 17979742
:oD

Assisted Solution

by:sachulinux
sachulinux earned 100 total points
ID: 18036051
Try to replace lan card and make sure you disable on board lan card.
LVL 1

Expert Comment

by:jrtall
ID: 18812857
Have the same quandary, did you find an answer to this question?

Author Comment

by:smocohiba
ID: 18817156
Unfortunately no - the client was unwilling to investigate the issue further with us.  They may have resolved it on their own or with another vendor.

Accepted Solution

by:smocohiba
ID: 20054372
Hi - just wanted to post a follow up to this question.  The issue was resolved by another one of our administrators.  It turned out that the integrated Intel NICs on the motherboards of a group of 24 identical workstations were causing the mysterious ARP broadcasts.  It took a firmware update to each of the mainboards to stop the broadcasts.

Hope this helps anyone else who may have the same problem