Hi folks,
Regarding the network congestion due to the Sasser worm, I've a question:

Sasser spreads by scanning for machines in its own network, right? This causes ARP broadcast storms, especially for a large network [172.16.0.0/16 Net with just 700 used IPs.. yes, a network design fiasco.. ]. I tried using the 'Fake ARP Daemon' [farpd] from the phlak distribution, so that it would respond to ARP requests for free IPs on the network. The idea was to have one machine respond to all ARP requests for non-assigned IPs, thus preventing broadcast storms. HOWEVER, it's not working. The ARP requests are still flooding the network. So did I get my logic wrong? .. And anyone here have any experience with farpd? I can't even tell if the program is actually doing what it's supposed to.


Anyone know of any other method to prevent these broadcast storms?

Danke,

_Scim_

P.S: This thread is actually a reproduction of what I'd posted earlier here. Couldn't get a response there.. if anyone has issues with the repetition.. my apologies.
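
One way to check from a packet capture whether the ARP-answering machine is replying at all, and which hosts generate the requests, is to summarize ARP traffic per requester. This is an added example, not part of the original post; it assumes the text output of `tcpdump -n arp`, and the sample lines and the daemon's MAC address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format for ARP; not from a real capture.
# 00:de:ad:be:ef:01 stands in for the machine running the ARP-answering daemon.
SAMPLE = """\
12:00:00.000100 ARP, Request who-has 172.16.5.9 tell 172.16.1.20, length 46
12:00:00.000350 ARP, Reply 172.16.5.9 is-at 00:de:ad:be:ef:01, length 46
12:00:00.001200 ARP, Request who-has 172.16.5.10 tell 172.16.1.20, length 46
12:00:00.002100 ARP, Request who-has 172.16.5.11 tell 172.16.1.20, length 46
12:00:00.002300 ARP, Reply 172.16.5.11 is-at 00:de:ad:be:ef:01, length 46
12:00:00.003000 ARP, Request who-has 172.16.0.1 tell 172.16.1.44, length 46
12:00:00.003100 ARP, Reply 172.16.0.1 is-at 00:0c:29:aa:bb:cc, length 46
12:00:00.004000 ARP, Request who-has 172.16.5.12 tell 172.16.1.20, length 46
"""

REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")

def summarize(text, daemon_mac):
    """Per requester: distinct IPs asked for, and how many were answered."""
    targets = defaultdict(set)   # requester IP -> distinct target IPs
    answered = {}                # target IP -> MAC seen in a reply
    for line in text.splitlines():
        if m := REQ.search(line):
            targets[m.group(2)].add(m.group(1))
        elif m := REP.search(line):
            answered[m.group(1)] = m.group(2)
    report = {}
    for src, asked in targets.items():
        report[src] = {
            "distinct_targets": len(asked),
            # Replies that came from the daemon's MAC show it is doing its job.
            "answered_by_daemon": sum(answered.get(ip) == daemon_mac for ip in asked),
            "unanswered": sum(ip not in answered for ip in asked),
        }
    return report

def likely_scanners(report, min_targets=3):
    """Hosts asking for many distinct IPs are candidates for cleanup."""
    return sorted(s for s, r in report.items() if r["distinct_targets"] >= min_targets)

if __name__ == "__main__":
    rep = summarize(SAMPLE, "00:de:ad:be:ef:01")
    for src in likely_scanners(rep):
        print(src, rep[src])
```

A requester with many distinct targets is a candidate infected host, and a nonzero `answered_by_daemon` count confirms that the daemon's replies are reaching the wire.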