We are experiencing an issue on our KVM nodes where one VM (we suspect) is malicious and initiating an ARP storm attack, causing ALL nodes on that same VLAN to be overloaded and causing heavy packet loss to all IPs on that VLAN. The problem is we don't know which VM is causing this, as we have 25+ nodes in that VLAN and each node has 100+ VMs.
All of our nodes run on SolusVM / KVM. Looking to hire an expert who has handled situations like this before to help identify the abuser and implement ARP rules to prevent this from happening again. We already tried enabling ARP & IP Spoofing protection in SolusVM, which helped for a few days until the issue happened again.
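
One way to narrow down the source of a storm like the one described above is to rank source MAC addresses by ARP request rate in a short capture from each node. This is an added example, not part of the original post. It assumes the capture is the text output of `tcpdump -e -n arp` on the node's bridge interface; the function names, the 50 requests/second threshold and the sample data are hypothetical.

```python
import re
from collections import defaultdict

# One "tcpdump -e -n arp" request line: timestamp, source MAC, target IP, claimed sender IP.
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r".*Request who-has (?P<target>[\d.]+)(?: \([0-9a-f:]+\))? tell (?P<sender>[\d.]+)"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def rank_arp_sources(lines, min_rate=50.0):
    """Return [(mac, requests_per_sec, distinct_targets, claimed_sender_ips)], noisiest first."""
    stats = defaultdict(lambda: {"n": 0, "targets": set(), "senders": set()})
    times = []
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # ARP replies, non-ARP traffic or truncated lines
        times.append(_seconds(m["ts"]))
        s = stats[m["mac"]]
        s["n"] += 1
        s["targets"].add(m["target"])
        s["senders"].add(m["sender"])  # more than one claimed IP per MAC suggests spoofing
    # Capture window in seconds, floored at 1 s so a tiny capture does not inflate rates.
    window = max(max(times) - min(times), 1.0) if times else 1.0
    ranked = [(mac, s["n"] / window, len(s["targets"]), sorted(s["senders"]))
              for mac, s in stats.items() if s["n"] / window >= min_rate]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def constructed_capture():
    """Constructed sample: one MAC sweeping 200 addresses in 2 s, plus two quiet guests."""
    fmt = ("12:00:{:09.6f} {} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
           "length 42: Request who-has {} tell {}, length 28")
    lines = [fmt.format(i / 100, "52:54:00:aa:bb:01", f"192.0.2.{i % 250 + 1}",
                        f"192.0.2.{200 + i % 3}") for i in range(200)]
    lines.append(fmt.format(0.5, "52:54:00:aa:bb:02", "192.0.2.1", "192.0.2.10"))
    lines.append(fmt.format(1.5, "52:54:00:aa:bb:03", "192.0.2.1", "192.0.2.11"))
    return lines

if __name__ == "__main__":
    for mac, rate, targets, senders in rank_arp_sources(constructed_capture()):
        print(f"{mac}  {rate:.0f} req/s  {targets} targets  claims {senders}")
```

A MAC that tops the list on the node hosting it can then be matched against that node's VM inventory to find the guest behind it.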