[unisog] arp broadcast traffic flooding

Jordan Wiens jwiens at nersp.nerdc.ufl.edu
Thu Sep 4 03:33:22 GMT 2003

Most likely the result of many infected nachi hosts.  It does lots and
lots of ping sweeps continuously.  Shutting it off temporarily won't stop
it as it will keep going.  We've had some fun and interesting arp storms
and icmp flooding on various parts of campus as a result.

You might have to look around to find the source of the ICMP packets that
are causing the router to make the arp requests, but I can almost promise
that you'll find them, and they'll be 92 bytes long.

Jordan Wiens, CISSP
UF Network Incident Response Team

On Thu, 4 Sep 2003, fooler wrote:

> hi all,
>     i have seen lately that there is a rampant arp broadcast traffic flooding on my multiple networks in different locations... i tried to block all kinds of icmp and all udp ports temporarily since this is the most widely used for scanning a network... a couple of minutes blocking it temporarily, the arp broadcast traffic is still there flooding it... i didnt include tcp blocking because i dont think the rate of arp broadcast is fast enough for a tcp transaction to do that... i tried to tcpdump and enabled log_in_vain on freebsd to see if there is someone trying to port scan within our network, unfortunately there is none...what i noticed is that, the router is arping a lots of unlive ip addresses within that segment block.. for example, on an a.b.c.0/ segment and there are only three live ip addressses (eg. .1, .2 and .3), the router is arping from .4 to .254 randomly... the rate of arping of unlive ip addresses is 1 to 2 arp(s) per second (tcpdump -n arp)...
>     what do you think of this guys? is this part of scanning? bugs on the cisco router IOS? or the IOS is infected by a unknown exploitation?
>     my IOS version is 12.1(19)...
> fooler.

More information about the unisog mailing list