
W2K DC sending excessive arp replies

Status
Not open for further replies.

jbyrne

MIS
Jun 21, 2002
GB
Hello everyone, I have a little problem at work that I was wondering if anyone could possibly shed any light on...

We have 4 DCs at our main office (2 are DNS and DHCP Servers) and the other two are just DCs (although all 4 of them do have FSMO roles assigned to them).

We have been having some problems recently where our main switch is getting overloaded by what appears to be some DOS attack. We have some software that can sniff all of the packets on our network and we were able to get a snapshot of what was happening to make the switch 'crash' - Basically, 2 of the DCs (1 of which is a DNS&DHCP server but the other is not) seem to be continuously sending ARP replies to 1 PC in the office. It is always the same two DCs sending ARP replies to the same PC, although we cannot see any traffic generated by the PC asking for an ARP address.

I have done various searches on Google etc. but cannot find anything that seems to fit into this category, so any help or suggestions will be greatly appreciated.

Thanks in advance
 
Theft-of-service and denial-of-service (DNS) attacks often generate a large number of ARP packets on the network. Many viruses also use ARP requests to discover computers that might be vulnerable to attack, and if these computers become infected, they are used to propagate the virus, generating even more ARP traffic on the network.

Have you checked for viruses?

MCSE NT4, 2000, 2003
 
Thanks for coming back to us grimmy26

Both the DCs in question and the PC that they are continuously sending ARP replies to have been fully scanned for viruses - they all use Sophos and are up to date IDE file wise.

I have also scanned them all for malware using Microsoft Anti-Spyware, Spybot S&D and Lavasoft Adaware - they were all basically clean (they had one or two items on but nothing, according to their descriptions, that pointed to this)
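
The pattern described in the first post (ARP replies arriving at one PC with no matching request from it) can be checked mechanically against a capture. The following is an added example, not part of the original thread: the function names, the 2-second matching window, and the sample frames (documentation-range IPs, made-up MACs) are all assumptions.

```python
import struct
from collections import Counter

ARP_ETHERTYPE, REQUEST, REPLY = 0x0806, 1, 2

def parse_arp(frame):
    """Return (op, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # Sender protocol address is at bytes 28-31, target protocol address at 38-41.
    return op, ".".join(map(str, frame[28:32])), ".".join(map(str, frame[38:42]))

def unsolicited_replies(capture, window=2.0):
    """capture: (timestamp_seconds, frame_bytes) pairs in time order.
    Count replies whose receiver did not ask for the sender within `window`."""
    last_request = {}    # (asker_ip, asked_ip) -> time of latest request
    flagged = Counter()  # (replier_ip, receiver_ip) -> number of unsolicited replies
    for ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, spa, tpa = parsed
        if op == REQUEST:
            last_request[(spa, tpa)] = ts
        elif op == REPLY and spa != tpa:  # spa == tpa is a gratuitous announcement
            asked = last_request.get((tpa, spa))
            if asked is None or ts - asked > window:
                flagged[(spa, tpa)] += 1
    return flagged

# Constructed sample data: documentation-range IPs and made-up MAC addresses.
HOSTS = {"192.0.2.10": "02:00:00:00:00:10", "192.0.2.11": "02:00:00:00:00:11",
         "192.0.2.12": "02:00:00:00:00:12", "192.0.2.50": "02:00:00:00:00:50"}

def build_arp(op, spa, tpa):
    """Build a sample Ethernet/ARP frame from HOSTS (test data only)."""
    mac = lambda ip: bytes.fromhex(HOSTS[ip].replace(":", ""))
    ip4 = lambda ip: bytes(map(int, ip.split(".")))
    tha = b"\x00" * 6 if op == REQUEST else mac(tpa)
    dst = b"\xff" * 6 if op == REQUEST else tha
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(spa) + ip4(spa) + tha + ip4(tpa)
    return dst + mac(spa) + struct.pack("!H", ARP_ETHERTYPE) + arp

PC = "192.0.2.50"
# One normal request/reply exchange, then two hosts replying to PC without being asked.
SAMPLE = [(0.0, build_arp(REQUEST, PC, "192.0.2.10")),
          (0.001, build_arp(REPLY, "192.0.2.10", PC))]
SAMPLE += [(5 + i * 0.01, build_arp(REPLY, dc, PC))
           for i in range(5) for dc in ("192.0.2.11", "192.0.2.12")]

if __name__ == "__main__":
    for pair, count in unsolicited_replies(SAMPLE).items():
        print(pair, count)
```

The result only means something if the capture point sees the PC's broadcast requests as well as the replies; a sniffer that misses the requests will flag legitimate replies too.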
 