RARP attack?

[pashdown () xmission com (Pete Ashdown)]

We just had a rather specialized attack that I thought I would mention to the
list.

Our network connects in via ether to our provider whom which we share the same
building with.  The provider also colocates several servers (web servers and
such) that probably have rather minimal security if any.

It looks as if someone broke into one of these other machines, then started
sending out bogus RARP packets.  I had been experiencing a weird packet loss
that I couldn't track down for the past few weeks, but today and yesterday
several of our Suns were not reachable at all from the provider's Cisco.

After a bit of noodling around, I cleared the ARP cache on their Cisco and
things came back fine.  Replacing the cached entries for the boxes on our
network with statics solidified the situation.

The only question I have for the list is why someone would do this?  They hit
some of our Suns, but not all of them, and none of our routers or terminal
servers were affected.  I believe it wasn't a spoofing attack since the MAC
addresses were bogus and didn't resolve to anything.  All I can think is that
someone just wanted to bring us down, and nothing else.