Excessive ARP traffic on my network.

Johnny Sandaire

Greetings,

Although I have the Windows 2003 Firewall running and I am only
allowing a few Ports to remain open, I am seeing a lot of ARP traffic
on my network. Mostly, they are all coming from port 2054, which
is not one of the Ports that I allowed in the Firewall setting.

How do I minimize this traffic?
Is there a way to block this Port on my windows 2003 PC?
Why are all the IPs from my network showing up as being accessed in a
Network Monitor query?

I am using Windows 2003, no HP Software running. I have HTTP, FTP and
SMTP running.


Any assistance with this issue would be greatly appreciated.

Thanks,

Johnny
 
David Robbins

sounds like msblaster or welchia worms or a similar infection scanning your
network. block it all at the firewall if it's coming from outside. if i
remember correctly, arp requests are not bound to a port, block them by
blocking the protocol not the port.
 
Alan Wood [MSFT]

Hi Johnny,
I'll try to answer most of your questions here.

1. As in the second post by David, ARP does not have a port
association; it is not a TCP or UDP request, it is an ARP request. So no
port number. Also, you can't block ARP as David suggested. You see, if you
block ARP request/response, well, then you're not going to get past your
gateway, as your gateway router has to know your MAC address, and it learns
your MAC address through the ARP request/response, and vice versa from your
server to the router. So don't block ARP, or you might as well just unplug
the server from accessing the internet.

2. Port 2054.. TCP or UDP... The only program I know off the top of my
head that uses this port is on UDP port 2054; this is used for remote
control of NLB (Network Load Balancing). If you are not load balancing 2
servers on the internet or intranet, I would suggest disabling this on the
Local Area Connection. This would also explain some of the other traffic
you are seeing, as NLB is broadcasting a heartbeat packet for other NLB
servers in the cluster; of course it's not doing anything if you don't have
other members.

3. > Why are all the IPs from my network showing up as being accessed in a
Network Monitor query?
Could you be more specific? I'm not sure I understand that question.


Hope that Helps!


Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Johnny Sandaire

David,


Currently, this is the listing of protocol that I see showing-up on a
network monitor query:

--------------- Start Data -------------------------------------------

protocol name|protocol port|description|packets|bytes|first seen|last seen
ether.ARP|1.2054|ARP|34604|2076240|Fri 19:05:02|Fri 19:17:06
ether.IP.UDP.bootpc|1.2048.17.68|Bootstrap Protocol Client|4|1425|Fri 19:05:09|Fri 19:08:41
ether.IP.ICMP|1.2048.1|Internet Control Message [RFC792]|48|5088|Fri 19:05:08|Fri 19:16:54
ether.IP.UDP.unknown|1.2048.17.-1|Unknown|2|331|Fri 19:06:04|Fri 19:06:04
ether.IP.UDP.ms-sql-m|1.2048.17.1434|Microsoft-SQL-Monitor|1|43|Fri 19:06:04|Fri 19:06:04
ether.34824|1.34824|Ethernet port 34824|38|2280|Fri 19:06:33|Fri 19:07:22
ether.IP.TCP.smtp|1.2048.6.25|Simple Mail Transfer|40|7171|Fri 19:13:05|Fri 19:17:06
----- End Data -----------------------------------------------------

The ARP's Bytes value steadily increases over time. I would like to
follow your advice to block the ARP traffic:
block them by blocking the protocol, not the port.

How do I proceed with your suggestions?

I see the IP Protocols under the TCP/IP Filtering under the Network
settings; how do I block this protocol? It is looking for a number.
What should I allow that would block all other requests?

Thank you..

Johnny
 
Johnny Sandaire

Alan,

Here is an example of the data that I captured from a Network
Monitoring scan:

---------------- Start Data ---------------------
host name|address|packets in|bytes in|packets out|bytes out|mcast/bcast|first seen|last seen
bgp434773bgs.union01.nj.comcast.net|68.36.232.33|23|1380|0|0|0|Fri 19:05:07|Fri 19:06:44
bgp435494bgs.union01.nj.comcast.net|68.36.234.242|16|960|0|0|0|Fri 19:05:04|Fri 19:06:57
bgp435072bgs.union01.nj.comcast.net|68.36.233.76|13|780|0|0|0|Fri 19:05:06|Fri 19:06:54
Broadcast|255.255.255.255|3|769|0|0|0|Fri 19:05:09|Fri 19:06:04
bgp434889bgs.union01.nj.comcast.net|68.36.232.149|12|720|0|0|0|Fri 19:05:02|Fri 19:06:49
bgp435840bgs.union01.nj.comcast.net|68.36.236.76|11|660|0|0|0|Fri 19:05:09|Fri 19:06:55
bgp435350bgs.union01.nj.comcast.net|68.36.234.98|11|660|0|0|0|Fri 19:05:03|Fri 19:06:57
bgp434927bgs.union01.nj.comcast.net|68.36.232.187|11|660|0|0|0|Fri 19:05:05|Fri 19:06:49
bgp436016bgs.union01.nj.comcast.net|68.36.236.252|11|660|0|0|0|Fri 19:05:15|Fri 19:06:58
---------------- End Data -----------------------


All together, there are currently 1030 records that are listed in the
monitor data.

How do I proceed to block this IP Protocol and stop this heavy
traffic?

Thanks,

Johnny

 
David Robbins

i think we need more information. you said you were seeing lots of arp
traffic 'on your network'. what exactly is 'your network'? from the list
below it appears you are seeing general traffic on the Union NJ comcast
network, which i believe is normal. cable networks like that are essentially
big party lines, so you see traffic for lots of other machines in your area.
so what do you consider 'your network'? are you working for comcast?? do
you have your own business that has your own lan that is fed from comcast?
what is between you and your comcast cable modem? what kind of router?
what kind of firewall? or is your win2003 server just plugged into the
cable modem directly and that's it??


Johnny Sandaire said:
Alan,

Here is an example of the data that I captured from a Network
Monitoring scan:

---------------- Start Data ---------------------
host name|address|packets in|bytes in|packets out|bytes out|mcast/bcast|first seen|last seen
bgp434773bgs.union01.nj.comcast.net|68.36.232.33|23|1380|0|0|0|Fri 19:05:07|Fri 19:06:44
bgp435494bgs.union01.nj.comcast.net|68.36.234.242|16|960|0|0|0|Fri 19:05:04|Fri 19:06:57
bgp435072bgs.union01.nj.comcast.net|68.36.233.76|13|780|0|0|0|Fri 19:05:06|Fri 19:06:54
Broadcast|255.255.255.255|3|769|0|0|0|Fri 19:05:09|Fri 19:06:04
bgp434889bgs.union01.nj.comcast.net|68.36.232.149|12|720|0|0|0|Fri 19:05:02|Fri 19:06:49
bgp435840bgs.union01.nj.comcast.net|68.36.236.76|11|660|0|0|0|Fri 19:05:09|Fri 19:06:55
bgp435350bgs.union01.nj.comcast.net|68.36.234.98|11|660|0|0|0|Fri 19:05:03|Fri 19:06:57
bgp434927bgs.union01.nj.comcast.net|68.36.232.187|11|660|0|0|0|Fri 19:05:05|Fri 19:06:49
bgp436016bgs.union01.nj.comcast.net|68.36.236.252|11|660|0|0|0|Fri 19:05:15|Fri 19:06:58
---------------- End Data -----------------------


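A worked decoding of the two listings Johnny posted earlier in the thread, added here as an example; it is not code from the thread or from Network Monitor. It assumes the "protocol port" column is a dotted path of numeric layer ids: the leading 1 standing for the Ethernet layer (an assumption about the monitor's numbering), the second number the EtherType in decimal, then the IP protocol number and the port where present. The names come from the standard EtherType and IANA protocol registries, so the 2054 in the ARP row decodes as the ARP EtherType (0x0806), next to 2048 for IPv4 (0x0800), rather than a TCP or UDP port. The script also computes each row's packet rate and average frame size and summarizes the host list. The sample rows are copied from the listings above and are labelled as such in the code.

```python
"""Decode Network Monitor protocol and host listings (added example)."""
from collections import Counter

# Rows copied from the protocol listing posted in the thread (sample input).
PROTOCOL_LISTING = """\
protocol name|protocol port|description|packets|bytes|first seen|last seen
ether.ARP|1.2054|ARP|34604|2076240|Fri 19:05:02|Fri 19:17:06
ether.IP.UDP.bootpc|1.2048.17.68|Bootstrap Protocol Client|4|1425|Fri 19:05:09|Fri 19:08:41
ether.IP.ICMP|1.2048.1|Internet Control Message [RFC792]|48|5088|Fri 19:05:08|Fri 19:16:54
ether.IP.UDP.unknown|1.2048.17.-1|Unknown|2|331|Fri 19:06:04|Fri 19:06:04
ether.IP.UDP.ms-sql-m|1.2048.17.1434|Microsoft-SQL-Monitor|1|43|Fri 19:06:04|Fri 19:06:04
ether.34824|1.34824|Ethernet port 34824|38|2280|Fri 19:06:33|Fri 19:07:22
ether.IP.TCP.smtp|1.2048.6.25|Simple Mail Transfer|40|7171|Fri 19:13:05|Fri 19:17:06
"""

# First rows copied from the host listing posted in the thread (sample input).
HOST_LISTING = """\
host name|address|packets in|bytes in|packets out|bytes out|mcast/bcast|first seen|last seen
bgp434773bgs.union01.nj.comcast.net|68.36.232.33|23|1380|0|0|0|Fri 19:05:07|Fri 19:06:44
bgp435494bgs.union01.nj.comcast.net|68.36.234.242|16|960|0|0|0|Fri 19:05:04|Fri 19:06:57
bgp435072bgs.union01.nj.comcast.net|68.36.233.76|13|780|0|0|0|Fri 19:05:06|Fri 19:06:54
Broadcast|255.255.255.255|3|769|0|0|0|Fri 19:05:09|Fri 19:06:04
bgp434889bgs.union01.nj.comcast.net|68.36.232.149|12|720|0|0|0|Fri 19:05:02|Fri 19:06:49
"""

# Standard registries. The monitor prints the EtherType in decimal,
# which is why ARP (0x0806) appears as "2054" and IPv4 (0x0800) as "2048".
ETHERTYPES = {2048: "IPv4 (0x0800)", 2054: "ARP (0x0806)",
              34824: "MAC control / flow control (0x8808)"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pipe_table(text):
    """Turn a pipe-separated listing (header row first) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    return [dict(zip(header, ln.split("|"))) for ln in lines[1:]]


def decode_protocol_port(field):
    """Decode '1.<ethertype>[.<ip proto>[.<port>]]'.
    Assumption: the leading 1 is the monitor's id for the Ethernet layer."""
    parts = [int(p) for p in field.split(".")]
    if len(parts) < 2 or parts[0] != 1:
        raise ValueError("unexpected protocol path: %r" % field)
    ethertype = parts[1]
    info = {"ethertype": ethertype, "ip_protocol": None, "port": None,
            "ethertype_name": ETHERTYPES.get(ethertype, "unknown EtherType")}
    if ethertype == 2048 and len(parts) > 2:  # only IPv4 carries a protocol number
        info["ip_protocol"] = IP_PROTOCOLS.get(parts[2], "proto %d" % parts[2])
        if len(parts) > 3 and parts[3] >= 0:  # -1 means the monitor had no port name
            info["port"] = parts[3]
    return info


def seconds_between(first, last):
    """Elapsed seconds between two 'Day HH:MM:SS' stamps (same day assumed)."""
    def secs(stamp):
        h, m, s = (int(x) for x in stamp.split()[1].split(":"))
        return h * 3600 + m * 60 + s
    return secs(last) - secs(first)


def summarize_protocols(text):
    """Decoded layers plus average frame size and packet rate per row."""
    rows = []
    for r in parse_pipe_table(text):
        pkts, nbytes = int(r["packets"]), int(r["bytes"])
        dur = seconds_between(r["first seen"], r["last seen"])
        info = decode_protocol_port(r["protocol port"])
        info.update(name=r["protocol name"], packets=pkts, avg_frame=nbytes / pkts,
                    pkts_per_sec=(pkts / dur) if dur else None)  # None: single instant
        rows.append(info)
    return rows


def summarize_hosts(text):
    """Count hosts seen only inbound and tally their average frame size."""
    rows = parse_pipe_table(text)
    inbound_only = [r for r in rows
                    if int(r["packets out"]) == 0 and int(r["packets in"]) > 0]
    sizes = Counter(round(int(r["bytes in"]) / int(r["packets in"])) for r in inbound_only)
    return {"hosts": len(rows), "inbound_only": len(inbound_only), "frame_sizes": dict(sizes)}


if __name__ == "__main__":
    for p in summarize_protocols(PROTOCOL_LISTING):
        rate = "n/a" if p["pkts_per_sec"] is None else "%.1f/s" % p["pkts_per_sec"]
        print("%-22s %-36s ip=%-5s port=%-5s avg=%6.1f B  %s"
              % (p["name"], p["ethertype_name"], p["ip_protocol"], p["port"],
                 p["avg_frame"], rate))
    print(summarize_hosts(HOST_LISTING))
```

Run over the sample, the ARP row works out to about 48 frames per second of exactly 60 bytes each (the minimum Ethernet frame) over the 12-minute window, and every host in the sample appears with 60-byte frames inbound and nothing outbound: the profile of ARP who-has broadcasts from many neighbours on one shared segment, which is David's reading of it. The check to make before blocking anything is therefore whether the broadcast domain is shared, not which port to close: a port filter never matches ARP because ARP is not carried inside IP, and the TCP/IP Filtering dialog Johnny mentions takes IP protocol numbers, under which ARP (a separate EtherType) does not appear.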
 
Johnny Sandaire

You've got it David. My Windows 2003 Server is plugged into the Modem
and that is it.

Thanks,


 
