We are getting a lot of ARP scans on the network particularly from servers sending ARP requests. The signs are similar to http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php?id=demo.

However the problem is that these are servers that are doing the ARPing. How do we determine that this is really a problem and if so, what steps does one take to fix it.

Other readings I have found state to cut the machine from the LAN, however, cannot easily do that with domain controllers.

How does one identify from that actual server that there is a problem?

Hi sk309,

Can you tell me more about the server? And packet files of your attack is appreciated.

It is various servers that are doing it. e.g. under diagnosis, the scan has been running for 22 minutes and there are 460 ARP scans. One of the servers is the Domain Controller and attached are the packet traces. There is also a weird IP address: 192.168.30.32 that does scans. When the MAC is tracked down, it ends up being one of the Windows 2003 servers. However, we have not bound that IP.

The ARP ratio is at this time 1.3MB in requests to 14K in responses in a 25 minute time.

Note: The attached files are Capsa captures. The ext. has been changed to txt. so that I could upload them.

-{ Quote: "Hi sk309,

Can you tell me more about the server? And packet files of your attack is appreciated." }-