arp broadcast traffic flooding
fooler at skyinet.net
Thu Sep 4 02:11:03 GMT 2003
I have seen lately that there is rampant ARP broadcast traffic flooding on my multiple networks in different locations... I tried to block all kinds of ICMP and all UDP ports temporarily since these are the most widely used for scanning a network... a couple of minutes after blocking them temporarily, the ARP broadcast traffic is still there flooding it... I didn't include TCP blocking because I don't think the rate of ARP broadcasts is fast enough for a TCP transaction to do that...

I tried tcpdump and enabled log_in_vain on FreeBSD to see if there is someone trying to port scan within our network; unfortunately there is none... What I noticed is that the router is ARPing a lot of unlive IP addresses within that segment block.. for example, on an a.b.c.0/255.255.255.0 segment where there are only three live IP addresses (e.g. .1, .2 and .3), the router is ARPing from .4 to .254 randomly... the rate of ARPing of unlive IP addresses is 1 to 2 ARP(s) per second (tcpdump -n arp)...

What do you think of this, guys? Is this part of scanning? Bugs in the Cisco router IOS? Or is the IOS infected by an unknown exploitation?

My IOS version is 12.1(19)...
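As an added example (not part of the original post or any reply), here is a small Python script that characterizes the symptom described above from a `tcpdump -n arp` capture: for each host sending ARP requests it counts how many distinct targets it asked for, how many of those targets never answered (the "unlive" addresses), and the request rate over the capture window, so a router sweeping a dead /24 at 1-2 requests per second stands out from ordinary ARP chatter. Assumptions: tcpdump lines in either the `ARP, Request who-has X tell Y` or the older `arp who-has X tell Y` form, a constructed sample capture in the 192.0.2.0/24 documentation range (hosts .1, .2, .3 live, .1 sweeping .4 onward), and threshold values chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Accept both the newer ("ARP, Request who-has X tell Y") and the older
# ("arp who-has X tell Y") tcpdump -n arp formats (assumption about formats).
REQ_RE = re.compile(
    r'^(\d{2}):(\d{2}):(\d{2})\.(\d+)\s+(?:ARP, Request|arp) who-has ([\d.]+) tell ([\d.]+)')
REP_RE = re.compile(
    r'^(\d{2}):(\d{2}):(\d{2})\.(\d+)\s+(?:ARP, Reply|arp reply) ([\d.]+) is-at')


def _ts(m):
    """Seconds since midnight from the hh:mm:ss.frac groups of a match."""
    h, mi, s, frac = m.group(1), m.group(2), m.group(3), m.group(4)
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)


def analyze_arp(lines):
    """Per requester: who-has count, distinct targets, targets that never
    replied during the capture, and requests per second over the window."""
    requests = defaultdict(list)   # sender IP -> [(timestamp, target IP), ...]
    answered = set()               # IPs seen sending an ARP reply (i.e. alive)
    first = last = None
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            t = _ts(m)
            requests[m.group(6)].append((t, m.group(5)))
        else:
            m = REP_RE.match(line)
            if not m:
                continue           # not an ARP line we understand
            t = _ts(m)
            answered.add(m.group(5))
        first = t if first is None else min(first, t)
        last = t if last is None else max(last, t)
    window = (last - first) if first is not None else 0.0
    report = {}
    for sender, reqs in requests.items():
        targets = {tgt for _, tgt in reqs}
        report[sender] = {
            "requests": len(reqs),
            "distinct_targets": len(targets),
            # Addresses this sender asked for that never answered anyone.
            "unanswered_targets": sorted(targets - answered, key=ipaddress.ip_address),
            "rate_per_sec": len(reqs) / window if window > 0 else float(len(reqs)),
        }
    return report


def flag_sweepers(report, min_unanswered=10, min_rate=1.0):
    """Senders sweeping many dead addresses at a sustained rate (thresholds
    are illustrative; tune them to the segment's normal ARP background)."""
    return sorted(s for s, r in report.items()
                  if len(r["unanswered_targets"]) >= min_unanswered
                  and r["rate_per_sec"] >= min_rate)


# Constructed sample capture: one normal exchange (.2 asks for .3, .3 answers),
# then the gateway .1 asking for .4 through .15 at roughly one request per second.
SAMPLE = [
    "02:11:03.000000 ARP, Request who-has 192.0.2.3 tell 192.0.2.2, length 28",
    "02:11:03.000500 ARP, Reply 192.0.2.3 is-at 00:00:5e:00:53:03, length 28",
] + [
    f"02:11:{3 + i:02d}.500000 ARP, Request who-has 192.0.2.{4 + i} tell 192.0.2.1, length 28"
    for i in range(12)
]

if __name__ == "__main__":
    rep = analyze_arp(SAMPLE)
    for sender, r in rep.items():
        print(f"{sender}: {r['requests']} requests, {r['distinct_targets']} targets, "
              f"{len(r['unanswered_targets'])} unanswered, {r['rate_per_sec']:.2f}/s")
    print("suspect sweepers:", flag_sweepers(rep))
```

To run it on a real capture, replace `SAMPLE` with the lines of `tcpdump -n arp` output (for example `analyze_arp(open("arp.log"))`). A gateway that shows up as the only sweeper, with hundreds of unanswered targets, is consistent with the router itself generating the requests, which points the investigation at what is making the router want to reach those addresses (the traffic it is forwarding, or its own behaviour) rather than at a host on the segment.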