Network flooded by strange gratuitous ARP broadcasts
Posted on 2006-11-16
We have a client whose LAN is severely congested - using Ethereal to do a packet capture we discovered a block of workstations in the network are broadcasting out a huge number of gratuitous ARP requests. What's strange is that the network is on a single subnet (192.168.10.0) while the ARP requests are for IPs outside of this subnet (e.g. 192.168.30.32, 192.168.25.44, 192.168.44.24).
I've looked up gratuitous ARP packets and it looks like they're a self-discovery protocol - which means the target address should be the same as source address. The 10 or so workstations issuing these broadcasts are on the 192.168.10.0 subnet (they can be pinged and RDP'd using the 192.168.10.0 address) - so I can't explain why they would be sending out ARP packets with a source address of 192.168.30.32 or 192.168.25.44.
When I physically unplug one of these workstations from the network the particular ARP broadcasts from that MAC source address stop, so I don't think there's spoofing going on.
I checked IP address config using 'ipconfig /all' and through Windows network connection properties and only see the 192.168.10.xxx address and not anything else.
At this point I'm thinking it's either a virus or some misconfigured software. (These are 3D rendering stations - there's not a lot of software installed on them.)
Any help greatly appreciated!
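As an added example that is not part of the original post: a small Python script that parses raw Ethernet/ARP frames, flags gratuitous ARPs (sender IP equal to target IP) whose sender IP falls outside the 192.168.10.0/24 LAN described above, and counts them per source MAC so the offending workstations can be listed. The sample frames are constructed inline in place of the Ethereal capture; the subnet and MAC are assumptions.

```python
import struct
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed: the poster's subnet

def build_arp_frame(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build an Ethernet II + ARP request frame (constructed test input)."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"            # broadcast dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # htype, ptype, hlen, plen, opcode=request
    arp += src_mac + ipaddress.ip_address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return eth + arp

def parse_arp(frame: bytes):
    """Return (src_mac, opcode, sender_ip, target_ip), or None if not an ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    src_mac = frame[6:12].hex(":")
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_ip = str(ipaddress.ip_address(frame[28:32]))
    target_ip = str(ipaddress.ip_address(frame[38:42]))
    return src_mac, opcode, sender_ip, target_ip

def classify(frame: bytes) -> str:
    """Label a frame: non-arp, normal, gratuitous, or gratuitous-offsubnet."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "non-arp"
    _, _, sender_ip, target_ip = parsed
    if sender_ip != target_ip:                   # ordinary resolution request/reply
        return "normal"
    if ipaddress.ip_address(sender_ip) in LAN:   # self-announcement on our own subnet
        return "gratuitous"
    return "gratuitous-offsubnet"                # the symptom described in the post

def suspicious_hosts(frames, threshold: int = 3) -> dict:
    """Count off-subnet gratuitous ARPs per source MAC; return MACs at/over threshold."""
    counts = Counter()
    for f in frames:
        if classify(f) == "gratuitous-offsubnet":
            counts[parse_arp(f)[0]] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}

# Constructed sample capture: one station announcing an off-subnet address three times.
MAC_A = b"\x00\x11\x22\x33\x44\x55"  # assumed MAC, not from the post
SAMPLE_FRAMES = [build_arp_frame(MAC_A, "192.168.30.32", "192.168.30.32")] * 3 + [
    build_arp_frame(MAC_A, "192.168.10.5", "192.168.10.5"),   # legitimate gratuitous ARP
    build_arp_frame(MAC_A, "192.168.10.5", "192.168.10.1"),   # normal request for the gateway
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_FRAMES))  # prints {'00:11:22:33:44:55': 3}
```

On a real capture, feed the raw frames from a pcap reader into suspicious_hosts and compare the returned MACs against the switch's MAC table to locate the ports.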