[c-nsp] Arp flood?

Amol Sapkal amolsapkal at gmail.com
Fri Nov 5 03:42:04 EST 2004 

Check for smurf attacks.

If any of your machine is infected and is sending traffic to outside
world with source IPs belonging to its subnet, you are bound to see
many incomplete ARP entries in your arp table.

Is this happening at one of your branch locations? I think the source
of the ingress traffic to this branch will be from few other IPs at
other locations.





On Fri, 5 Nov 2004 16:14:28 +0800, cameron.dry at didata.com.au
<cameron.dry at didata.com.au> wrote:
> Make sure that you don't have any routes pointing to interfaces - they
> should all be pointing to next-hop addresses (where possible).
> 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of FXCM - Brandon
> Palmer
> Sent: Thursday, 4 November 2004 10:20 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Arp flood?
> 
> I'm seeing some rather devastating traffic on my network at the moment.
> The symptoms are that my ARP cache keeps getting filled with
> "Incomplete" entries (even for IP addresses that are up).  In debug
> mode,  the ARP requests are coming from the switch itself (6506,  sup2,
> 12.1.22 native).  Goggling for it suggest that maybe this is a nmap
> flood somehow?  If that were the case, I could understand my ARP table
> filling w/ Inc entries for IPs that are not up,  but what about the ones
> that are?  Memory use is normal,  CPU use is normal.  I've tried to
> tcpdump on a span port for my uplinks and don't see traffic destin for
> the empty IP addresses so i'm not sure where the requests are coming
> from.  Network is clean of all other devices that could be conflicting
> IP.
> 
> Any suggestions?
> 
> Thanks folks.
> 
> - Brandon
> 
> ________________________________________________________________________
> _____________________________________________________
> FXCM, L.L.C.R assumes no responsibility for errors, inaccuracies or
> omissions in these materials. FXCM, L.L.C.R does not warrant the
> accuracy or completeness of the information, text, graphics, links or
> other items contained within these materials. FXCM, L.L.C.R shall not be
> liable for any special, indirect, incidental, or consequential damages,
> including without limitation losses, lost revenues, or lost profits that
> may result from these materials. All information contained in this
> e-mail is strictly confidential and is only intended for use by the
> recipient.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> ******************************************************************************
> - NOTICE FROM DIMENSION DATA AUSTRALIA
> This message is confidential, and may contain proprietary or legally privileged information.  If you have received this email in error, please notify the sender and delete it immediately.
> 
> Internet communications are not secure. You should scan this message and any attachments for viruses.  Under no circumstances do we accept liability for any loss or damage which may result from your receipt of this message or any attachments.
> ******************************************************************************
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 


-- 
Warm Regds,

Amol Sapkal

--------------------------------------------------------------------
An eye for an eye makes the whole world blind 
- Mahatma Gandhi
--------------------------------------------------------------------

More information about the cisco-nsp mailing list