Penetration Testing mailing list archives

[PEN-TEST] Bizarre Network Errors Found During Pen Test (IP ARP Throttled)


From: Mike Ahern <mc_ahern () YAHOO COM>
Date: Wed, 21 Mar 2001 10:44:44 -0800

I have recently experienced a weird situation when
attempting to port scan and pen test a remote
international location of a large corporation.

I can port scan the remote router ok. I can telnet
into the remote router ok. I can telnet to remote
devices ok from the remote router. I can telnet from
the remote devices back thru the network to my hosts.
The arp cache of the far end router shows the MAC
addresses of the remote devices, so there doesn't
appear to be anything in between.

However when I port scan the remote devices the remote
router scans ok, but all other devices actually end up
on the scan either not responding or are showing that
my packets are hitting the firewall at the end of the
default route for our network (this includes hosts
that exist, that have routes, are online and able to
communicate otherwise). The only exception in addition
to the remote router are two HP Jet Direct print
servers, which I can scan and telnet to from here.

I cannot directly ping or telnet hosts on the remote
network other than the remote router and these HP Jet
Direct print servers from where I am. I can hit every
remote host from the remote router however. Routing is
ok within the network, looking at the routing tables,
and the remote Cisco router has a minimal config with
EIGRP propagated route tables.

The CRUX of the ISSUE:
I am getting the following error on the remote Cisco
router, with the router having TCP debug enabled for
each host exhibiting this problem:
"IP ARP throttled out the ARP Request for
10.xxx.xxx.2"

The only thing I can find on the net are a few deja
news/google searchable posts for people with Token
Ring to Ethernet translational bridging problems.

The remote site does have both Ethernet and Token
Ring, and does have multiple routers, switches, source
route bridges, multihomed hosts, etc.

Anyone ever seen anything like this? It is pretty
bizarre, and I have spent a good amount of time
testing the routes, possible proxy issues (there are
none), etc.

My guess is that it is either a setup problem in the
remote Cisco related to translational bridging perhaps
(even tho we are routing), or perhaps something on the
far end network misconfigured or doing a poor job of
translational bridging. That is just a guess, and I
would be pleased to stand corrected by anyone who has
seen this before and can explain it to me.


So my questions...

What does "IP ARP Throttled" mean? When does it happen
and what causes it? Is there something I can do to
either mitigate this problem, or identify what is
generating this error?

Many Thanks in advance for any help!


- mike







