Full Disclosure mailing list archives

Re: DHCP Flood on inside network. STP the problem?


From: "Eddie " <EddieS () softhome net>
Date: Tue, 12 Oct 2004 22:03:55 -0700

Let me say thanks to all those that have replied both on and off the list. All your suggestions are very helpful.

I was able to figure out what was going on when I noticed that instead of a DHCP packet like I was seeing before, tcpdump captured a NetBIOS browser packet from one of the computers, flooding the network. It looks like it is Spanning Tree breaking down and playing hot potato. It's the same random packet swamping the network, just like when you loop two switches together without STP turned on. Seems to like broadcast packets tho.

Nothing has changed in the switches in 3 months, so it could be a switch failing, a computer sending out a weird packet screwing up STP, or a virus doing the same.

I removed all the redundant links and that seems to have fixed or slowed down the problem, but I still see "<WARN:EDP> Checksum failed for pdu on port 18" errors and I see one report of a lost connection in Big Sister, so I am not sure.

I am turning off STP for now. This weekend I will mess around with it since nobody will be in. Maybe a little unplugging and general troubleshooting will show what is going on. I don't know much about STP.

I can't find any virus that messes with STP, and I don't think any of the servers got rooted since no servers can be accessed from the outside and the firewall is closed tight both in and out.

I think one of the Summit switches going out is the problem. Tracking down which one out of the 3 is going to be fun since I can cause the problem to happen.

Thank you again.
-Eddie




On Mon, 11 Oct 2004 22:00:07 -0700, Eddie  wrote:

I don't have much information on this yet; I am driving down to the office now to pull an all-nighter. I figured I would toss this out to the list and see if anyone has any idea. This is just info from what I can get from talking to people and what little time I can get on the network before it goes down.

Starting 2 days ago, I discovered the PIX 515 was locked hard. It seems to be random, but around every 15-30 minutes something floods the network hard for a few minutes. Broadcast flood too. This is a small network with 30 workstations and 5 servers (Linux and SCO, no WINS). It overloads the Extreme switches and I see pdu (or something like that, not udp tho) errors on about every port.

The PIX 515 overloads and is having issues, but I did see it say something about ARP problems when I could get to the syslog for more info. I looked up the error number and it said it could be ARP poisoning. Not sure what would do that.

In the syslog of the DHCP server, I see thousands of DHCP DISCOVER requests (and the REPLY requests from the server, a Linux box). It looks like one client on the network (I have seen this both from XP and Win98) will send 100+ DISCOVER requests a second, swamping the network. Not always DISCOVER too. That will go on for a few minutes, then all is well. Then another computer will do the same thing.

This is quickly overloading things and I am getting IRQ busy and overload errors on some of the servers.

What should I look for? I have never seen something like this before.

Thanks
-Eddie
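The quoted message above spots the problem by reading the DHCP server's syslog and noticing one client sending 100+ DISCOVERs a second. The script below, added here as an illustration and not part of Eddie's post or of any tool he mentions, does that check mechanically: it parses ISC dhcpd-style syslog lines (the post does not show the real log format, so that format, the host name `dhcp1`, the MAC addresses and the log excerpt are all constructed assumptions), buckets DHCPDISCOVER messages per client MAC per second, and flags any client that exceeds a threshold. Run against a real `/var/log/syslog` or `messages` file it would point at the flooding host rather than waiting for the next outage.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed ISC dhcpd syslog format (not taken from the original post):
#   Oct 11 21:40:01 dhcp1 dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:01 via eth0
#   Oct 11 21:40:01 dhcp1 dhcpd: DHCPOFFER on 192.168.1.20 to 00:aa:bb:cc:dd:01 via eth0
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: '
    r'(?P<msg>DHCPDISCOVER|DHCPOFFER) '
    r'(?:from|on \S+ to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)$'
)


def parse_line(line):
    """Return (timestamp, message type, client MAC, interface) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is
    # fine for bucketing within one log file.
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
    return ts, m['msg'], m['mac'], m['iface']


def count_client_messages(log_text, msg_type='DHCPDISCOVER'):
    """Count messages of one type per client MAC per one-second bucket.

    Returns {mac: {second_timestamp: count}}.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg, mac, _iface = parsed
        if msg == msg_type:
            counts[mac][ts] += 1
    return counts


def find_flooding_clients(log_text, threshold=10, msg_type='DHCPDISCOVER'):
    """Return [(mac, 'HH:MM:SS', count)] for every second in which a client
    sent at least `threshold` messages of the given type."""
    alerts = []
    for mac, buckets in count_client_messages(log_text, msg_type).items():
        for second, n in sorted(buckets.items()):
            if n >= threshold:
                alerts.append((mac, second.strftime('%H:%M:%S'), n))
    return alerts


def build_sample_log():
    """Constructed syslog excerpt (not real data): one well-behaved client,
    one client that fires 12 DISCOVERs in a single second, and a junk line."""
    lines = [
        "Oct 11 21:40:01 dhcp1 dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:01 via eth0",
        "Oct 11 21:40:01 dhcp1 dhcpd: DHCPOFFER on 192.168.1.20 to 00:aa:bb:cc:dd:01 via eth0",
    ]
    for _ in range(12):
        lines.append("Oct 11 21:40:05 dhcp1 dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:02 via eth0")
        lines.append("Oct 11 21:40:05 dhcp1 dhcpd: DHCPOFFER on 192.168.1.21 to 00:aa:bb:cc:dd:02 via eth0")
    lines.append("Oct 11 21:40:06 dhcp1 kernel: not a dhcpd line at all")
    return "\n".join(lines)


if __name__ == '__main__':
    # On a real box: find_flooding_clients(open('/var/log/syslog').read())
    for mac, second, n in find_flooding_clients(build_sample_log(), threshold=10):
        print(f"{second} {mac} sent {n} DHCPDISCOVERs in one second")
```

The threshold of 10 per second is deliberately far below the 100+ the post describes, so a client that is merely misbehaving shows up before it saturates the segment; a normal client sends a handful of DISCOVERs per lease cycle, not per second. The same bucketing works for the server's DHCPOFFER replies (pass `msg_type='DHCPOFFER'`), which is useful when the question is whether the server is amplifying the flood.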




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


