Broadcast Storm LLMNR
I have a Windows Server 2008 box that on Wednesday started firing out LLMNR packets on port 5355. At its peak it was firing 29,000 a second, which crippled our network, and some of the surrounding schools lost the internet.
I have disabled IPv6 on the NIC and have used group policy and a registry hack to disable LLMNR traffic, but I still have the storm occurring.
NOD32 shows nothing and Search and Destroy comes back clean.
I don't want to rebuild this server as it is one of our application servers. I could use a backup, but I'm afraid that without knowing the cause or cure it might occur again.
I've already tried both of those but to no avail. It now looks like, with the exception of my Exchange server, all of my Win 2008 and Vista machines broadcast on the network immediately.
My next step will be to 'pull' buildings off the network to see if a machine in an adjacent building is telling these machines to broadcast. SpyBot S&D and NOD32 both come back negative.
Any other ideas?