[SoCoSA/discuss] Problems with ARP Flood - Windows 2003

[Mark Street]

Hi,

We are experiencing a problem with one of our Windows 2003 servers that is ARP 
flooding (discovering) every 4 hours.  The resulting ARP flood is disrupting 
our SIP VOIP traffic and crashing our phones.

Some background.  Last week on Tuesday night we changed the scope of our 
network.  We expanded a 192.168.100.0 to a 192.168.0.0  We reconfigured DHCP 
and DNS to the new range and Netmask and we set all statically assigned 
addresses to their new netmask.

The particular offending Windows 2K3 machine is the Domain Controller, DNS and 
DHCP server for the Windows Network running AD, we also have a Backup DC that 
also runs DNS.

Every 4 hours 24x7, at 3,7,11 this particular machine luanches an ARP flood 
searching the expanded address space for more machines.  The resulting flood 
hammers everything else.

It took a few times for me to see the pattern.  I have run wireshark on the 
network during one of these episodes and it lasts for over 20 minutes.  I am 
watching one right now that had been going for over 25 minutes.

We double checked our DHCP settings and our DNS and everything seems to be 
configured properly.

Any ideas as to why we keep getting this?

By the way I have already installed two new Win2K3R2 boxes, one has been 
configured as the new DHCP server with DNS - we just have to flip the switch.  
I have no problem moving these services off of the offending machine if it 
keeps up this behavior but I would like to understand why we are getting the 
ARP flood.

Wireshark capture file available upon request...... ; )

-- 
Mark Street, D.C., RHCE
CTO Alliance Medical Center
http://www.oswizards.com
http://www.alliancemed.org
--
"First they ignore you, then they ridicule you, then they fight you, then you 
win" - Gandhi
"If you want truly to understand something, try to change it" - Kurt Lewin
--
Key fingerprint = 3949 39E4 6317 7C3C 023E  2B1F 6FB3 06E7 D109 56C0
GPG key http://www.oswizards.com/pubkey.asc