Solved

Network flooded by strange gratuitous ARP broadcasts

Posted on 2006-11-16
Last Modified: 2008-04-14
We have a client whose LAN is severely congested - using Ethereal to do a packet capture we discovered a block of workstations in the network are broadcasting out a huge number of gratuitous ARP requests.  What's strange is that the network is on a single subnet (192.168.10.0) while the ARP requests are for IPs outside of this subnet (e.g. 192.168.30.32, 192.168.25.44, 192.168.44.24).

I've looked up gratuitous ARP packets and it looks like they're a self-discovery protocol - which means the target address should be the same as source address.  The 10 or so workstations issuing these broadcasts are on the 192.168.10.0 subnet (they can be pinged and RDP'd using the 192.168.10.0 address) - so I can't explain why they would be sending out ARP packets with a source address of 192.168.30.32 or 192.168.25.44.

When I physically unplug one of these workstations from the network the particular ARP broadcasts from that MAC source address stop, so I don't think there's spoofing going on.

I checked IP address config using 'ipconfig /all' and through Windows network connection properties and only see the 192.168.10.xxx address and not anything else.  

At this point I'm thinking it's either a virus or some misconfigured software. (These are 3D rendering stations - there's not a lot of software installed on them.)

Any help greatly appreciated!

Thanks

Chris

Question by:smocohiba
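As an added example (not from the thread), a small Python parser that classifies ARP frames the way one would while reading the Ethereal capture: per source MAC it counts gratuitous ARPs (sender IP equal to target IP) and ARPs whose sender IP lies outside 192.168.10.0/24, the combination the question describes. The frames, MAC addresses and the `build_arp` helper are constructed here, not taken from the capture.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

LAN = ipaddress.ip_network("192.168.10.0/24")   # the client's single subnet
BCAST = b"\xff" * 6

def build_arp(src_mac: bytes, spa: str, tpa: str, oper: int = 1) -> bytes:
    """Constructed broadcast Ethernet II + ARP frame (test input only)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + src_mac
    arp += ipaddress.ip_address(spa).packed + b"\x00" * 6
    arp += ipaddress.ip_address(tpa).packed
    return BCAST + src_mac + struct.pack("!H", 0x0806) + arp

def parse_arp(frame: bytes):
    """Return (src_mac, oper, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None                       # too short or not EtherType ARP
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                       # only Ethernet/IPv4 ARP is handled
    return (frame[6:12].hex(":"), oper,
            ipaddress.ip_address(frame[28:32]), ipaddress.ip_address(frame[38:42]))

def summarize(frames):
    """Per source MAC: total ARPs, gratuitous ARPs (sender IP == target IP),
    and frames whose sender IP is not in the LAN's subnet at all."""
    stats = defaultdict(Counter)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, _oper, spa, tpa = parsed
        stats[mac]["total"] += 1
        if spa == tpa:
            stats[mac]["gratuitous"] += 1
        if spa not in LAN:
            stats[mac]["off_subnet"] += 1
    return {mac: dict(c) for mac, c in stats.items()}

def suspicious_hosts(frames):
    """MACs announcing an address outside LAN via gratuitous ARP."""
    return sorted(mac for mac, c in summarize(frames).items()
                  if c.get("gratuitous") and c.get("off_subnet"))

# Constructed capture: a healthy station and one behaving like the thread's workstations
GOOD, BAD = bytes.fromhex("00005e00530a"), bytes.fromhex("00005e00531e")
SAMPLE = [build_arp(GOOD, "192.168.10.5", "192.168.10.1"),   # ordinary request for the gateway
          build_arp(GOOD, "192.168.10.5", "192.168.10.5")]   # normal self-announce
SAMPLE += [build_arp(BAD, ip, ip)
           for ip in ("192.168.30.32", "192.168.25.44", "192.168.44.24")] * 2
```

Feeding real frames from a pcap into `summarize` only requires the raw Ethernet bytes; a station whose only ARP traffic is self-announcement for its own 192.168.10.x address never enters `suspicious_hosts`.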
19 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17962339
Any of these boxes running VMWare or Virtual PC?

IIRC, there is a virus that does this.  Do you have anti-virus software?
 

Author Comment

by:smocohiba
ID: 17962474
I don't believe these workstations have anti-virus software.  I'll have one of them run an online scan.  

They shouldn't be running any virtual machine software, but I'll check for that as well.

Thanks!
 
LVL 3

Expert Comment

by:ctrost
ID: 17965118
Do those machines have Class C or Class B subnet masks?  (255.255.255.0 or 255.255.0.0)  
 

Author Comment

by:smocohiba
ID: 17966130
They're using class C masks. I ran an online virus scanner on a couple of the machines and they came back clean.
 
LVL 3

Expert Comment

by:ctrost
ID: 17966200
Try to ping and nslookup 192.168.30.32 or 192.168.25.44 and see if they reply... better yet, see if they reply with hostnames.
 

Author Comment

by:smocohiba
ID: 17966496
Ping gets no replies on any of these addresses, nor nslookup.  I never see any replies to these ARP broadcasts in the packet capture.

thanks!
 
LVL 57

Expert Comment

by:giltjr
ID: 17968185
You would need to install some type of software on the PCs that monitors and logs what processes send IP data out.

By chance are they running IIS or some other web server (or any other IP server based software)?  Could one of these be configured to listen on one of these bad IP addresses?
 

Author Comment

by:smocohiba
ID: 17968483
Thanks - any recommendation on monitoring software?

 

Expert Comment

by:DavidLH
ID: 17968548
In Ethereal what are the source IP addresses of the ARP packets?  Are they all coming from the same computer or from different computers?

If they are all coming from the same computer make sure to virus scan that computer.

Also, is there any organization to the ARP requests? One time I saw a virus ARPing for sequential addresses.
 
LVL 57

Expert Comment

by:giltjr
ID: 17968634
Honestly I am not sure of any packages that will do this.  You know, I think I found an idea for a new product.  All I need to do is learn how to program under Windows. :)
 
LVL 16

Assisted Solution

by:btassure
btassure earned 100 total points
ID: 17978510
There is one.

netstat -ano in Windows XP will list the connections available, their states and the process id that is using them (which you can compare to Task Manager for the service/application name).

If it is running as part of an svchost then type tasklist /svc in a command prompt to show what tasks are running within each svchost and possibly disable extraneous software.
 
LVL 57

Expert Comment

by:giltjr
ID: 17979185
The netstat -ano will not work.

First, this command shows open TCP and/or UDP connections, which ARP does not have.

Second, unless somebody has written a low level IP based application, the IP stack issues ARPs, not a task.  The same is true with other functions like DNS name resolution.  The IP stack handles this.

An ARP does not require an open UDP or TCP connection and so you can't tell.  Example: try doing a netstat -ano while issuing a ping with the -t option.  You don't see ping in the list because it does not have a TCP or UDP connection active.

Some IP functions will not show up in a netstat command, like ARP, ping, and even DNS lookups, because they don't involve a TCP connection and they don't involve listening for a UDP response on a specific port.
 
LVL 16

Expert Comment

by:btassure
ID: 17979364
Sorry, I misread your original post. I thought you were referring to TCP data rather than IP. My bad :o)
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 100 total points
ID: 17979700
Actually, thinking about it some more, doing a netstat -ano may help.

If whatever is doing this does have a TCP or UDP socket open, it should stand out like a sore thumb, as he should see something that has a local address equal to one of the offending IP addresses.

If whatever is doing this is just sending out ARPs, then netstat will not help and I am not sure what might.

So go ahead and do the netstat -ano like btassure suggests and see if there is anything with a socket open with one of the offending IP addresses.
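The check giltjr describes, as an added example that is not part of the thread: parse `netstat -ano` and `tasklist /svc` output and list every socket bound to a local address outside 192.168.10.0/24 together with the process that owns it. The sample output, PIDs and image names below are constructed for the demo; with the `-n` switch netstat prints numeric addresses only, so no hostname handling is needed.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.10.0/24")   # the only subnet that should appear

# Constructed sample output shaped like `netstat -ano` and `tasklist /svc` on Windows XP.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.10.21:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.30.32:8080     0.0.0.0:0              LISTENING       2244
  UDP    192.168.10.21:137      *:*                                    4
  UDP    192.168.25.44:5000     *:*                                    2244
"""
TASKLIST = """\
Image Name                     PID Services
System                           4 N/A
svchost.exe                   1032 RpcSs
render_agent.exe              2244 N/A
"""

def parse_netstat(text):
    """Return (proto, local_host, local_port, pid) for each TCP/UDP line of netstat -ano."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] in ("TCP", "UDP"):
            host, _, port = parts[1].rpartition(":")      # rpartition keeps IPv6 forms intact
            rows.append((parts[0], host, int(port), int(parts[-1])))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, services) from tasklist /svc lines; the header never matches."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs

def sockets_off_subnet(netstat_text, tasklist_text, lan=LAN):
    """Sockets bound to a specific address that is not in `lan`, joined with their owner."""
    procs, findings = parse_tasklist(tasklist_text), []
    for proto, host, port, pid in parse_netstat(netstat_text):
        addr = ipaddress.ip_address(host)
        if addr.is_unspecified or addr.is_loopback or addr in lan:
            continue                      # wildcard, loopback or the expected subnet
        image, services = procs.get(pid, ("<unknown>", ""))
        findings.append({"proto": proto, "local": f"{host}:{port}",
                         "pid": pid, "image": image, "services": services})
    return findings
```

As the thread goes on to note, a host whose NIC itself emits the ARPs has no socket for netstat to show, so an empty result here does not clear the machine.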
 
LVL 16

Expert Comment

by:btassure
ID: 17979742
:oD
 

Assisted Solution

by:sachulinux
sachulinux earned 100 total points
ID: 18036051
Try to replace the LAN card and make sure you disable the on board LAN card.
 
LVL 1

Expert Comment

by:jrtall
ID: 18812857
Have the same quandary, did you find an answer to this question?
 

Author Comment

by:smocohiba
ID: 18817156
Unfortunately no - the client was unwilling to investigate the issue further with us.  They may have resolved it on their own or with another vendor.
 

Accepted Solution

by:smocohiba
smocohiba earned 0 total points
ID: 20054372
Hi - just wanted to post a follow up to this question.  The issue was resolved by another one of our administrators.  It turned out that the integrated Intel NICs on the motherboards of a group of 24 identical workstations were causing the mysterious ARP broadcasts.  It took a firmware update to each of the mainboards to stop the broadcasts.

Hope this helps anyone else who may have the same problem.
