PASSED | network / arp_storm

ARP Storm from IP Conflict

Two devices on the same VLAN have been assigned the same IP address. Both are sending gratuitous ARPs, creating an ARP storm that degrades network performance for the entire subnet.

Pattern: ARP_STORM
Severity: CRITICAL
Confidence: 88%
Remediation: Remote Hands

Test Results

| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | ARP_STORM | ARP_STORM | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 23 linked | |
| Cascade Escalation | N/A | No | |

Remediation: Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

VLAN 30 with 150 devices. Static IP assignment conflict (10.10.30.100 on two devices). No Dynamic ARP Inspection. No DHCP snooping.

Injected Error Messages (2)

excessive arp requests on VLAN 30 — arp storm detected, gratuitous ARP flood from multiple MACs claiming 10.10.30.100, arp rate limit triggered
arp cache overflow on VLAN 30, IP conflict detected for 10.10.30.100, arp storm degrading subnet performance

Neural Engine Root Cause Analysis

Multiple devices on VLAN-30 are simultaneously claiming ownership of IP address 10.10.30.100 through gratuitous ARP requests, creating an ARP storm. This indicates either duplicate IP assignments, a malfunctioning network device sending continuous gratuitous ARPs, or potentially malicious activity. The core router's ARP rate limiting has been triggered as a protective mechanism, but this is causing the interface to appear down and disrupting normal network operations.

Remediation Plan

1. Immediately identify all MAC addresses claiming IP 10.10.30.100 from network logs and ARP tables.
2. Locate physical devices associated with these MAC addresses using network management tools.
3. Temporarily block the offending MAC addresses at the switch level to stop the ARP storm.
4. Investigate each device for IP configuration errors, malware, or hardware failures.
5. Reconfigure devices with proper IP assignments and verify no duplicates exist.
6. Reset ARP rate limiting on the core router and monitor for storm recurrence.
7. Implement enhanced ARP storm detection and automatic MAC blocking policies.

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmncjcpgh00bmobqe4iwy6z8q