[SoCoSA/discuss] Problems with ARP Flood - Windows 2003

Mark Street mark at oswizards.com
Sat Jan 26 12:15:26 PST 2008


Hi,

Please disregard, I think I found it.  The ARP flood was real but something 
that is also real that runs on the offending machine is frickin Panda 
Antivirus Server.... which happened to be set to search the network for 
potential victims to infest....every 4 hours... starting at 11AM.....  I 
reconfigured it.... : |

I really appreciate Linux......  

On Saturday January 26 2008, Mark Street wrote:
> We are experiencing a problem with one of our Windows 2003 servers that is
> ARP flooding (discovering) every 4 hours.  The resulting ARP flood is
> disrupting our SIP VOIP traffic and crashing our phones.
>
> Some background.  Last week on Tuesday night we changed the scope of our
> network.  We expanded a 192.168.100.0 to a 192.168.0.0  We reconfigured
> DHCP and DNS to the new range and Netmask and we set all statically
> assigned addresses to their new netmask.
>
> The particular offending Windows 2K3 machine is the Domain Controller, DNS
> and DHCP server for the Windows Network running AD, we also have a Backup
> DC that also runs DNS.
>
> Every 4 hours 24x7, at 3,7,11 this particular machine launches an ARP flood
> searching the expanded address space for more machines.  The resulting
> flood hammers everything else.
>
> It took a few times for me to see the pattern.  I have run wireshark on the
> network during one of these episodes and it lasts for over 20 minutes.  I
> am watching one right now that had been going for over 25 minutes.
>
> We double checked our DHCP settings and our DNS and everything seems to be
> configured properly.
>
> Any ideas as to why we keep getting this?
>
> By the way I have already installed two new Win2K3R2 boxes, one has been
> configured as the new DHCP server with DNS - we just have to flip the
> switch. I have no problem moving these services off of the offending
> machine if it keeps up this behavior but I would like to understand why we
> are getting the ARP flood.
>
> Wireshark capture file available upon request...... ; )



-- 
Mark Street, D.C., RHCE
CTO Alliance Medical Center
http://www.oswizards.com
http://www.alliancemed.org
--
"First they ignore you, then they ridicule you, then they fight you, then you 
win" - Gandhi
"If you want truly to understand something, try to change it" - Kurt Lewin
--
Key fingerprint = 3949 39E4 6317 7C3C 023E  2B1F 6FB3 06E7 D109 56C0
GPG key http://www.oswizards.com/pubkey.asc
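
Added example, not part of the original post: a Python check that finds the kind of periodic ARP sweep described in this thread from ARP request records taken out of a capture. The record format `(epoch_seconds, sender_ip, target_ip)`, the thresholds and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def find_sweeps(requests, max_gap=300, min_targets=100):
    """Group each sender's ARP who-has requests into bursts (split where the
    sender is silent for more than max_gap seconds) and keep bursts that ask
    for at least min_targets distinct addresses.
    Returns {sender_ip: [(start, end, distinct_targets), ...]}."""
    by_sender = defaultdict(list)
    for ts, sender, target in requests:
        by_sender[sender].append((ts, target))
    sweeps = {}
    for sender, rows in by_sender.items():
        rows.sort()
        bursts, start, last, targets = [], None, None, set()
        for ts, target in rows:
            if last is not None and ts - last > max_gap:
                if len(targets) >= min_targets:
                    bursts.append((start, last, len(targets)))
                start, targets = None, set()
            if start is None:
                start = ts
            targets.add(target)
            last = ts
        if len(targets) >= min_targets:  # close the final burst
            bursts.append((start, last, len(targets)))
        if bursts:
            sweeps[sender] = bursts
    return sweeps

def sweep_intervals(bursts):
    """Seconds between the starts of consecutive sweeps; a constant value
    points at a scheduled job rather than a fault."""
    starts = [b[0] for b in bursts]
    return [b - a for a, b in zip(starts, starts[1:])]

def sample_requests():
    """Constructed data: one host sweeping 1200 addresses over 20 minutes at
    03:00, 07:00 and 11:00, plus a normal host resolving its gateway."""
    reqs = []
    for start in (3 * 3600, 7 * 3600, 11 * 3600):
        for i in range(1200):
            reqs.append((start + i, "192.168.100.10",
                         f"192.168.{i // 250}.{i % 250 + 1}"))
    for i in range(20):
        reqs.append((3 * 3600 + i * 900, "192.168.100.55", "192.168.100.1"))
    return reqs

if __name__ == "__main__":
    for host, bursts in find_sweeps(sample_requests()).items():
        print(host, bursts, sweep_intervals(bursts))
```

A fixed interval between sweeps, as in the sample, is the cue to look at scheduled software on the sending host.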


