
ARP "Who has (one address)" > "Tell (many different, random IP's)": msg#00188

security.ids.snort.sigs

Subject: ARP "Who has (one address)" > "Tell (many different, random IP's)"

We're a "residential college" with over 2,700 college students with their own computers on our "ResNet." We seem to be under attack from within. My Senior Sys Admin looked at the firewall's tcpdump activity, which shows massive quantities of ARP traffic asking "Who has (one single internal IP address)" with a destination of "Tell (multiple, random internal IP addresses)."
We're of the belief that this is the activity of a slew of zombie computers on our network.

Has anyone ever seen such activity?
Can you tell us what the name of this trojan/worm/virus is?
How can we detect this?

Thank you in advance,

Newbie

Les Yaw
Luther College
Decorah, IA
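
One way to quantify the pattern described in the message above, as an added example that is not part of the original post: group ARP requests by the "who-has" target and count the distinct "tell" addresses and the Ethernet source MACs behind them. It assumes text output in the style of `tcpdump -e -n arp`; the sample lines, addresses, function names and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# "who-has <target> ... tell <sender>" as printed by tcpdump for ARP requests.
ARP_REQ = re.compile(r"who-has\s+(\d+(?:\.\d+){3}).*?\btell\s+(\d+(?:\.\d+){3})", re.I)
# Ethernet source MAC, present only when tcpdump is run with -e.
SRC_MAC = re.compile(r"\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>", re.I)

def summarize_arp(lines):
    """Per target IP: request count, distinct 'tell' IPs, distinct source MACs."""
    stats = defaultdict(lambda: {"requests": 0, "tell_ips": set(), "src_macs": set()})
    for line in lines:
        req = ARP_REQ.search(line)
        if not req:
            continue  # not an ARP request line
        target, teller = req.groups()
        entry = stats[target]
        entry["requests"] += 1
        entry["tell_ips"].add(teller)
        mac = SRC_MAC.search(line)
        if mac:
            entry["src_macs"].add(mac.group(1).lower())
    return stats

def report(lines, min_tell_ips=5):
    """Targets requested on behalf of at least min_tell_ips distinct 'tell' addresses.

    Far fewer source MACs than 'tell' IPs means a few NICs are sending requests
    under many sender addresses; those MACs can be traced to switch ports.
    """
    rows = []
    for target, s in summarize_arp(lines).items():
        if len(s["tell_ips"]) >= min_tell_ips:
            rows.append((target, s["requests"], len(s["tell_ips"]), sorted(s["src_macs"])))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample input (not captured traffic): one NIC asks for 10.1.0.1
# under six different 'tell' addresses, plus one ordinary request and one IP packet.
HDR = "ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request"
SAMPLE = [
    f"12:00:0{i}.000000 00:0c:29:aa:bb:01 > {HDR} who-has 10.1.0.1 tell 10.1.{t}, length 46"
    for i, t in enumerate(["7.23", "19.4", "33.200", "2.91", "48.17", "5.66"])
] + [
    f"12:00:07.000000 00:0c:29:cc:dd:02 > {HDR} who-has 10.1.0.9 tell 10.1.0.50, length 46",
    "12:00:08.000000 IP 10.1.0.50.1025 > 10.1.0.9.80: Flags [S], length 0",
]

if __name__ == "__main__":
    for target, n_req, n_tell, macs in report(SAMPLE):
        print(f"{target}: {n_req} requests, {n_tell} 'tell' IPs, source MACs: {macs}")
```
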



