[Gllug] Someone is using the broadcast address!!

John Winters john at sinodun.org.uk
Fri Oct 12 12:44:18 UTC 2007


> Hi Rich
>
>   Thanks for the reply. Tried your suggestion. In fact, we just found out
> that the IP address is the network's broadcast address (netmask =
> 255.255.252.0).
>
>   Is there a way to stop or isolate the virus from making use of the
> broadcast mechanism?

Not really.

If small interruptions to network service are acceptable then you could do
a binary search to find the culprit.

Assuming that you know the topology of your network, find a point near the
middle and break the network at that point.  One side will now see the
problem and the other won't, so you've narrowed it down to half your
machines.

Repeat to further halve the number of suspect machines.

Once you narrow it down to one particular switch or hub (and a binary
search will get you here very quickly), then unplug the machines one by
one until you find the culprit.

HTH
John

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list