Sorry to hear that Richard. ARP Poisoning is some very nasty stuff, up to the point of faking certificates and spoofing passwords of so called secure services. Try arp watch in the meantime. http://sid.rstack.org/arp-sk/ That would only log changes in the ARP cache and arp announcement from your machine. There are devices you hook into the network which do the same. That only applies for 1 subnet though. Final solution is as you said port security via switches. To protect your firewall (e.g. pfSense/Monowall) there are some kernel (module) based solutions protecting from this kind of attacks. The firewall would prevent any change of ip/mac associations so at least your link from the machines to the net is "secured" Regards, Rocco
On 16/09/2011 5:13 PM, Richard Zulu wrote: > Hey, > > I am experiencing some kind of ARP poisoning causing a DOS on my network. > > I used wireshark to investigate the traffic on my network and > discovered a storm of arp broadcast traffic on my network. A tcpdump > too indicated the same thing. Sample tcpdump output is shown below: > > 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui > Unknown), length 28 > 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, > length 46 > 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui > Unknown), length 28 > 16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: > ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32 > 16:10:12.270965 IP 192.168.2.131.netbios-dgm > > 192.168.2.255.netbios-dgm: NBT UDP PACKET(138) > 16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > 16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui > Unknown), length 28 > 16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > > Now, interesting, hardly had I disconnected from the network than > another machine assumed my ip address. When I checked the dhcp server, > that ip address had not yet been assigned to another machine on the > network. On reconnecting my laptop back to the network, the dhcp > server issued me with my original ip address, however, wireshark > indicated that their is a duplicate of my very ip address on the > network. The dhcp server still maintained my laptop is the only one > using the ip address. This is how I came to the conclusion I have an > issue with ARP. > > So..right now, I have the mac address of the other machine on the > network that is assuming to use my ip address and am hunting for it. > However, this doesn't seem to be the solution. > > I am also planning on implementing the port security feature on my > switches so that I have one mac address allowed per port. > > My question however is, is there any other way I can overcome this? > > > -- > Richard Zulu > gtug lead, Kampala (Uganda) > http://kampala.gtugs.org > --------------------------------------------------------- > http://www.linkedin.com/in/richardzulu > http://www.twitter.com/richardzulu > > > > _______________________________________________ > The Uganda Linux User Group: http://linux.or.ug > > Send messages to this mailing list by addressing e-mails to: [email protected] > Mailing list archives: http://www.mail-archive.com/[email protected]/ > Mailing list settings: http://kym.net/mailman/listinfo/lug > To unsubscribe: http://kym.net/mailman/options/lug > > The Uganda LUG mailing list is generously hosted by INFOCOM: > http://www.infocom.co.ug/ > > The above comments and data are owned by whoever posted them (including > attachments if any). The mailing list host is not responsible for them in any > way.
_______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
