[c-nsp] Arp flood?

Ivan Groenewald ivang2 at xtrahost.co.uk
Thu Nov 4 09:57:29 EST 2004


Have you checked your flow stats?

You can check the flow accounting for destination interface traffic.
Add: "ip route-cache flow" on the interfaces where traffic enters your
switch
Then have a look at "show ip cache flow". That will show a
source/destination traffic table based on the ingress flows for the
interfaces you the enabled flow accounting for. 

If the source of the traffic is external and is a form of network or port
scan; it should show up in nice sequential rows.

Ivan


Tel: 0845 345 0919
Xtraordinary Hosting, 6 The Clocktower, South Gyle, Edinburgh, EH12 9LB
http://www.xtrahost.co.uk

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of FXCM - Brandon
Palmer
Sent: 04 November 2004 14:20
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Arp flood?

I'm seeing some rather devastating traffic on my network at the moment.  The
symptoms are that my ARP cache keeps getting filled with "Incomplete"
entries (even for IP addresses that are up).  In debug mode,  the ARP
requests are coming from the switch itself (6506,  sup2,  12.1.22 native).
Goggling for it suggest that maybe this is a nmap flood somehow?  If that
were the case, I could understand my ARP table filling w/ Inc entries for
IPs that are not up,  but what about the ones that are?  Memory use is
normal,  CPU use is normal.  I've tried to tcpdump on a span port for my
uplinks and don't see traffic destin for the empty IP addresses so i'm not
sure where the requests are coming from.  Network is clean of all other
devices that could be conflicting IP.

Any suggestions?

Thanks folks.

- Brandon

____________________________________________________________________________
_________________________________________________
FXCM, L.L.C.R assumes no responsibility for errors, inaccuracies or
omissions in these materials. FXCM, L.L.C.R does not warrant the accuracy or
completeness of the information, text, graphics, links or other items
contained within these materials. FXCM, L.L.C.R shall not be liable for any
special, indirect, incidental, or consequential damages, including without
limitation losses, lost revenues, or lost profits that may result from these
materials. All information contained in this e-mail is strictly confidential
and is only intended for use by the recipient.


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list