[SoCoSA/discuss] Problems with ARP Flood - Windows 2003
Mark Street
mark at oswizards.com
Sat Jan 26 11:28:32 PST 2008
Hi,
We are experiencing a problem with one of our Windows 2003 servers that is ARP
flooding (discovering) every 4 hours. The resulting ARP flood is disrupting
our SIP VOIP traffic and crashing our phones.
Some background. Last week on Tuesday night we changed the scope of our
network. We expanded a 192.168.100.0 to a 192.168.0.0 We reconfigured DHCP
and DNS to the new range and Netmask and we set all statically assigned
addresses to their new netmask.
The particular offending Windows 2K3 machine is the Domain Controller, DNS and
DHCP server for the Windows Network running AD, we also have a Backup DC that
also runs DNS.
Every 4 hours 24x7, at 3,7,11 this particular machine luanches an ARP flood
searching the expanded address space for more machines. The resulting flood
hammers everything else.
It took a few times for me to see the pattern. I have run wireshark on the
network during one of these episodes and it lasts for over 20 minutes. I am
watching one right now that had been going for over 25 minutes.
We double checked our DHCP settings and our DNS and everything seems to be
configured properly.
Any ideas as to why we keep getting this?
By the way I have already installed two new Win2K3R2 boxes, one has been
configured as the new DHCP server with DNS - we just have to flip the switch.
I have no problem moving these services off of the offending machine if it
keeps up this behavior but I would like to understand why we are getting the
ARP flood.
Wireshark capture file available upon request...... ; )
--
Mark Street, D.C., RHCE
CTO Alliance Medical Center
http://www.oswizards.com
http://www.alliancemed.org
--
"First they ignore you, then they ridicule you, then they fight you, then you
win" - Gandhi
"If you want truly to understand something, try to change it" - Kurt Lewin
--
Key fingerprint = 3949 39E4 6317 7C3C 023E 2B1F 6FB3 06E7 D109 56C0
GPG key http://www.oswizards.com/pubkey.asc
More information about the discuss
mailing list