You can find out at least which make of NIC your ARP poisoner has. http://www.coffer.com/mac_find/
Maybe you know who uses intel, broadcom, realtek, etc ... :-)

Rocco

On 16/09/2011 5:53 PM, Richard Zulu wrote:
> Bernard and Rocco,
>
> Thanks for the responses. Let me look into your suggestions.
>
> Rocco, use of arpwatch has revealed the same as illustrated in my
> previous email; the search for that mac address is still on :)
>
> arpwatch: flip flop 192.168.2.131 00:1d:09:48:fe:59 (00:23:ae:8c:78:24) eth0
> arpwatch: flip flop 192.168.2.131 00:1d:09:48:fe:59 (00:23:ae:8c:78:24) eth0
> arpwatch: flip flop 192.168.2.131 00:23:ae:8c:78:24 (00:1d:09:48:fe:59) eth0
>
> Thanks
>
> On Fri, Sep 16, 2011 at 5:26 PM, Bernard Wanyama <[email protected]> wrote:
>
> Hi Richard,
>
> This is most probably a virus.
> Saw it at G-Uganda last week and saw it again today at a client's place.
>
> Isolate the rogue DHCP server and eliminate it. You can see which IP
> it is by looking at the affected machine's DHCP lease info.
> It also gives a rogue DNS server 188.x.x.x to the affected machines.
>
> Kind regards,
> Bernard
>
> On 16 September 2011 17:21, Rocco Radisch <[email protected]> wrote:
>
> Sorry to hear that Richard.
> ARP Poisoning is some very nasty stuff, up to the point of
> faking certificates and spoofing passwords of so-called secure
> services.
> Try arpwatch in the meantime. http://sid.rstack.org/arp-sk/
> That would only log changes in the ARP cache and arp
> announcements from your machine.
> There are devices you hook into the network which do the same.
> That only applies for 1 subnet though.
> Final solution is, as you said, port security via switches.
> To protect your firewall (e.g. pfSense/Monowall) there are
> some kernel (module) based solutions protecting from this kind
> of attack. The firewall would prevent any change of ip/mac
> associations so at least your link from the machines to the
> net is "secured".
> Regards,
> Rocco
>
> On 16/09/2011 5:13 PM, Richard Zulu wrote:
>> Hey,
>>
>> I am experiencing some kind of ARP poisoning causing a DoS on
>> my network.
>>
>> I used wireshark to investigate the traffic on my network and
>> discovered a storm of arp broadcast traffic on my network. A
>> tcpdump too indicated the same thing. Sample tcpdump output
>> is shown below:
>>
>> 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>> 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>> 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
>> 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>> 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>> 16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32
>> 16:10:12.270965 IP 192.168.2.131.netbios-dgm > 192.168.2.255.netbios-dgm: NBT UDP PACKET(138)
>> 16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>> 16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>> 16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>>
>> Now, interestingly, hardly had I disconnected from the network
>> when another machine assumed my ip address. When I checked
>> the dhcp server, that ip address had not yet been assigned to
>> another machine on the network. On reconnecting my laptop
>> back to the network, the dhcp server issued me with my
>> original ip address; however, wireshark indicated that there
>> is a duplicate of my very ip address on the network. The dhcp
>> server still maintained my laptop is the only one using the
>> ip address. This is how I came to the conclusion I have an
>> issue with ARP.
>>
>> So, right now, I have the mac address of the other machine on
>> the network that is assuming my ip address and am
>> hunting for it. However, this doesn't seem to be the solution.
>>
>> I am also planning on implementing the port security feature
>> on my switches so that I have one mac address allowed per port.
>>
>> My question however is, is there any other way I can overcome
>> this?
>>
>> --
>> Richard Zulu
>> gtug lead, Kampala (Uganda)
>> http://kampala.gtugs.org
>> ---------------------------------------------------------
>> http://www.linkedin.com/in/richardzulu
>> http://www.twitter.com/richardzulu
>>
>> _______________________________________________
>> The Uganda Linux User Group: http://linux.or.ug
>>
>> Send messages to this mailing list by addressing e-mails to:
>> [email protected]
>> Mailing list archives: http://www.mail-archive.com/[email protected]/
>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>> To unsubscribe: http://kym.net/mailman/options/lug
>>
>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>> http://www.infocom.co.ug/
>>
>> The above comments and data are owned by whoever posted them
>> (including attachments if any). The mailing list host is not responsible for
>> them in any way.
>
> --
> Bernard Wanyama
> Technical Manager
> SYNTECH ASSOCIATES Ltd
> Cell: +256 712 193979
> Fixed: +256 414 251591
> Web: www.syntechug.com
> Email: [email protected]
>
> --
> Richard Zulu
> gtug lead, Kampala (Uganda)
> http://kampala.gtugs.org
> ---------------------------------------------------------
> http://www.linkedin.com/in/richardzulu
> http://www.twitter.com/richardzulu
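As an added example (not code from the thread, from arpwatch or from tcpdump), the Python below applies the flip-flop check Richard and Rocco discuss to the arpwatch and tcpdump lines quoted above: it maps each IP to the MACs claiming it, flags IPs with more than one, counts ARP requests per sender to show the storm, and tags each MAC with a vendor prefix. The OUI table is a constructed placeholder; a real lookup uses the IEEE registry, which is what http://www.coffer.com/mac_find/ searches.

```python
"""Spot the ARP flip-flop from the thread (192.168.2.131 claimed by two MACs)
in tcpdump and arpwatch output, and tag each MAC with its vendor prefix."""
import re
from collections import Counter, defaultdict

# tcpdump form: "... ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), ..."
TCPDUMP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")
# tcpdump form: "... ARP, Request who-has 192.168.2.1 tell 192.168.2.131, ..."
TCPDUMP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
# arpwatch form: "arpwatch: flip flop 192.168.2.131 <new mac> (<old mac>) eth0"
ARPWATCH_FLIP = re.compile(r"flip flop (\S+) ([0-9a-fA-F:]{17}) \(([0-9a-fA-F:]{17})\)")

# Constructed OUI table with placeholder vendor names; a real lookup uses the
# IEEE registry (what sites such as coffer.com/mac_find search).
OUI_TABLE = {"00:1d:09": "vendor-A", "00:23:ae": "vendor-B", "00:e0:81": "vendor-C"}

# Sample input: arpwatch and tcpdump lines quoted in the thread above.
SAMPLE = [
    "arpwatch: flip flop 192.168.2.131 00:1d:09:48:fe:59 (00:23:ae:8c:78:24) eth0",
    "arpwatch: flip flop 192.168.2.131 00:23:ae:8c:78:24 (00:1d:09:48:fe:59) eth0",
    "16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46",
    "16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28",
    "16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46",
    "16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46",
]

def vendor(mac):
    """Vendor for the first three octets of a MAC (the OUI), or 'unknown'."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")

def claims(lines):
    """Map each IP to the set of MACs seen claiming it (lower-cased)."""
    seen = defaultdict(set)
    for line in lines:
        if m := TCPDUMP_REPLY.search(line):
            seen[m.group(1)].add(m.group(2).lower())
        elif m := ARPWATCH_FLIP.search(line):
            seen[m.group(1)].update(mac.lower() for mac in m.group(2, 3))
    return dict(seen)

def conflicts(lines):
    """IPs claimed by more than one MAC: the flip-flop signature of ARP spoofing."""
    return {ip: sorted((mac, vendor(mac)) for mac in macs)
            for ip, macs in claims(lines).items() if len(macs) > 1}

def top_requesters(lines):
    """Count ARP requests per sender IP; a storm shows up as one dominant sender."""
    return Counter(m.group(2) for line in lines if (m := TCPDUMP_REQUEST.search(line)))
```

Feed `conflicts()` and `top_requesters()` the lines of a real `tcpdump -n arp` capture or the arpwatch entries from syslog; an IP that appears in `conflicts()` is the one to chase on the switch ports.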
