I got an ARP storm in my network (30 PCs and some WLAN devices): about 10,000 ARP requests per second, no responses, lasting for several minutes. All these ARP requests have the same content, which looks very strange:
SRC DST info 0060e0017d96 0060f0017d96 who has 192.168.1.188? tell 192.168.1.188
Is 00:60:e0:01:7d:96 or 00:60:f0:01:7d:96 192.168.1.188 (LAN IP)? Do both have the same IP?
00:60:e0:01:7d:96 is 192.168.1.188. There is no NIC whose MAC address is 00:60:f0:01:7d:96.
Looks like a duplicated IP (00:60:e0:01:7d:96 asks 00:60:f0:01:7d:96 whether it has 192.168.1.188, as seen in the packet capture). Is there a DHCP server in your LAN, and is it on one of the two NICs mentioned above? Normal ARP requests go from DHCP to client xy. Take a real-time snapshot with iptraf or Ethereal.
A DHCP server is at 192.168.1.1, whose MAC address is 00:50:04:bd:0d:70. 192.168.1.188 is not a DHCP client; it's a static IP.
It's an ARP request, but the DST is not a broadcast, and the DST is a real MAC address of one of my network cards while the SRC is a fake one. This happens several times a day, but not regularly. Who would send millions of this kind of ARP request?
Later I captured these packets and replayed this storm at 10,000 packets/s. No matter what kind of upper-level protocol content (ARP, UDP or something else) I filled into these packets, they jam up the Linux box whose MAC address is the same as the SOURCE (not the destination) MAC address of these packets. When I swap the packets' source MAC address with the destination MAC address, the Linux box works well. I don't know the reason.
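Detection logic for the frame shape described in this thread, added here as an illustration and not code from the original post. It assumes the Ethernet source MAC of the storm frames is the Linux box's own NIC (00:60:e0:01:7d:96), as in the capture line and the replay experiment; the frame builder exists only to produce constructed sample input for the parser and classifier.

```python
import struct
from collections import Counter

# Added illustration, not code from the thread; LOCAL_MAC is the box's own NIC as given in the post.
LOCAL_MAC = "00:60:e0:01:7d:96"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_request(dst, src, sender_mac, sender_ip, target_ip):
    """Constructed Ethernet II + ARP request frame, used only as sample input."""
    eth = mac_bytes(dst) + mac_bytes(src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_bytes(sender_mac) + ip_bytes(sender_ip)
    return eth + arp + b"\x00" * 6 + ip_bytes(target_ip)

def parse_arp(frame):
    """Return the Ethernet/ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_ip": ip_str(frame[38:42])}

def classify(frame, local_mac=LOCAL_MAC):
    """Anomaly tags for an ARP request captured *inbound* on local_mac's NIC."""
    a = parse_arp(frame)
    if a is None or a["op"] != 1:
        return []
    tags = []
    if a["src"] == local_mac:               # a NIC never receives its own frames
        tags.append("spoofed-own-src-mac")
    if a["dst"] != BROADCAST:               # a genuine lookup is broadcast
        tags.append("unicast-arp-request")
    if a["sender_ip"] == a["target_ip"]:    # probe/announce shape, not a lookup
        tags.append("sender-equals-target-ip")
    return tags

def storm_seconds(timed_frames, threshold=1000):
    """Whole seconds in which anomalous ARP requests exceeded `threshold`."""
    per_sec = Counter(int(ts) for ts, f in timed_frames if classify(f))
    return sorted(s for s, n in per_sec.items() if n > threshold)

# Constructed sample with the exact shape of the capture line in the thread.
STORM_FRAME = build_arp_request("00:60:f0:01:7d:96", LOCAL_MAC, LOCAL_MAC,
                                "192.168.1.188", "192.168.1.188")
```

Feed `storm_seconds` a list of `(timestamp, raw_frame)` pairs from a capture on the affected box; a normal broadcast request from the DHCP server's MAC produces no tags.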
Is this 00:60:e0:01:7d:96?
Yes. Jiade