Hi Richard,
On 16 September 2011 17:13, Richard Zulu <[email protected]> wrote:
> Hey,
>
> I am experiencing some kind of ARP poisoning causing a DOS on my network.
>
> I used wireshark to investigate the traffic on my network and discovered a
> storm of arp broadcast traffic on my network. A tcpdump too indicated the
> same thing. Sample tcpdump output is shown below:
>
> 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
> 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
> 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
> 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
> 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
>

This looks similar to a problem I had a while back. There is a virus that has its own DHCP server and, after learning your network topology, assumes the role of a DHCP server and to some extent tries to take over domain controller roles. Sorry, I do not remember the name of this virus. I may need to go through a few reports to get to it.

> Now, interestingly, hardly had I disconnected from the network when another
> machine assumed my ip address. When I checked the dhcp server, that ip
> address had not yet been assigned to another machine on the network. On
> reconnecting my laptop back to the network, the dhcp server issued me with
> my original ip address; however, wireshark indicated that there is a
> duplicate of my very ip address on the network. The dhcp server still
> maintained my laptop is the only one using the ip address. This is how I
> came to the conclusion I have an issue with ARP.
>
> So, right now, I have the mac address of the other machine on the network
> that is assuming to use my ip address and am hunting for it. However, this
> doesn't seem to be the solution.
>
> I am also planning on implementing the port security feature on my switches
> so that I have one mac address allowed per port.
>
> My question however is, is there any other way I can overcome this?
>

I found it by turning off my DC/DHCP/AD servers and watching/listening on the network for who was acting as the DHCP/DC/AD server (wireshark, NMAP, NTOP will all work for you). I used Wireshark and Ettercap to capture the traffic on the network for specific ports and used NMAP and NTOP to find out the system that was doing this.

PS: Thanks to Kaspersky firewall for throwing me many alerts and warnings.

--
Mike

Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.
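As an added example, not part of this thread or of any tool mentioned in it: a small Python script that reads tcpdump ARP lines in the format shown in Richard's capture and reports (a) any IP address that more than one MAC has answered for, which is the duplicate-address symptom he describes, and (b) which senders generate the most ARP requests, to locate the source of the broadcast storm. The sample capture embeds the five lines from the post plus two constructed reply lines with placeholder MAC addresses.

```python
import re
from collections import defaultdict

# tcpdump ARP line formats as shown in the thread:
#   "16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28"
#   "16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46"
REPLY_RE = re.compile(r"^\S+ ARP, Reply (\S+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
REQUEST_RE = re.compile(r"^\S+ ARP, Request who-has \S+ tell (\S+),", re.I)

# Constructed sample: the five lines from the post, followed by two constructed
# replies (placeholder MACs) in which two different stations both claim 192.168.2.131.
SAMPLE_CAPTURE = """\
16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.271001 ARP, Reply 192.168.2.131 is-at 00:11:22:33:44:55 (oui Unknown), length 28
16:10:12.271050 ARP, Reply 192.168.2.131 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
""".splitlines()


def find_ip_conflicts(lines):
    """Map each IP to the set of MACs that answered for it and return only the
    IPs claimed by more than one MAC (the duplicate-address symptom)."""
    claims = defaultdict(set)
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if m:
            ip, mac = m.groups()
            claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def requests_by_sender(lines):
    """Count ARP requests per sender IP (the "tell X" field), most active first;
    the top entries are the stations generating the broadcast storm."""
    counts = defaultdict(int)
    for line in lines:
        m = REQUEST_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_CAPTURE).items():
        print(f"CONFLICT: {ip} claimed by {', '.join(macs)}")
    for ip, n in requests_by_sender(SAMPLE_CAPTURE).items():
        print(f"{n:4d} ARP requests from {ip}")
```

On a live network the same functions can be fed the lines of `tcpdump -n arp` instead of the embedded sample; a conflict entry gives the MAC pair to look up in the switch's MAC address table.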
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug
Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug
The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/
The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
