Hey,

I am experiencing some kind of ARP poisoning causing a DoS on my network.

I used Wireshark to investigate the traffic on my network and discovered a
storm of ARP broadcast traffic on my network. A tcpdump too indicated the
same thing. Sample tcpdump output is shown below:

16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32
16:10:12.270965 IP 192.168.2.131.netbios-dgm > 192.168.2.255.netbios-dgm: NBT UDP PACKET(138)
16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46

Now, interestingly, hardly had I disconnected from the network when another
machine assumed my IP address. When I checked the DHCP server, that IP
address had not yet been assigned to another machine on the network. On
reconnecting my laptop to the network, the DHCP server issued me with
my original IP address; however, Wireshark indicated that there is a
duplicate of my very IP address on the network. The DHCP server still
maintained my laptop is the only one using the IP address. This is how I
came to the conclusion that I have an issue with ARP.

So, right now, I have the MAC address of the other machine on the network
that is assuming to use my IP address and am hunting for it. However, this
doesn't seem to be the solution.

I am also planning on implementing the port security feature on my switches
so that I have one MAC address allowed per port.

My question, however, is: is there any other way I can overcome this?


-- 
Richard Zulu
gtug lead, Kampala (Uganda)
http://kampala.gtugs.org
---------------------------------------------------------
http://www.linkedin.com/in/richardzulu
http://www.twitter.com/richardzulu
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM: 
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including 
attachments if any). The mailing list host is not responsible for them in any 
way.
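The tcpdump output in the post shows the two things a defender wants to pick up automatically from a capture like this: a burst of ARP requests from one sender, and more than one MAC address answering for the same IP. The following script is an added example (not from the original post or the list) that parses tcpdump-style ARP lines and flags both conditions. The sample input embeds the ARP lines quoted above plus one constructed reply with the placeholder MAC 02:00:00:00:00:01 claiming the gateway address, so that the conflict check has something to find; the storm threshold of three requests per sender per second is an arbitrary assumption for the demo.

```python
import re
from collections import Counter, defaultdict

# Two tcpdump ARP line shapes as they appear in the post.
# The sender field is followed by a comma, so it must not swallow it.
REQUEST_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Request who-has (?P<target>[^,\s]+) tell (?P<sender>[^,\s]+)"
)
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>[^,\s]+) is-at (?P<mac>[0-9a-f:]{17})"
)

# Constructed sample: the ARP lines from the post, plus one invented reply
# (placeholder MAC 02:00:00:00:00:01) claiming 192.168.2.1 from a second host.
SAMPLE = [
    "16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46",
    "16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28",
    "16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46",
    "16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46",
    "16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28",
    "16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46",
    "16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28",
    "16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46",
    # constructed conflicting reply, not from the post's capture
    "16:10:12.271100 ARP, Reply 192.168.2.1 is-at 02:00:00:00:00:01 (oui Unknown), length 28",
]


def parse_arp(lines):
    """Yield (timestamp, kind, ip, who) for each ARP line; non-ARP lines are skipped.

    For requests, ip is the address being resolved and who is the asking IP.
    For replies, ip is the address claimed and who is the MAC claiming it.
    """
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            yield m["ts"], "request", m["target"], m["sender"]
            continue
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], "reply", m["ip"], m["mac"]


def analyze(lines, storm_threshold=3):
    """Return (conflicts, storms).

    conflicts: {ip: sorted MAC list} for every IP that more than one MAC
               claimed in a reply (duplicate IP / possible ARP spoofing).
    storms:    {(second, sender_ip): count} for senders that issued more than
               storm_threshold requests within one wall-clock second.
    """
    claims = defaultdict(set)
    requests_per_second = Counter()
    for ts, kind, ip, who in parse_arp(lines):
        if kind == "reply":
            claims[ip].add(who)
        else:
            second = ts.split(".")[0]  # drop sub-second part
            requests_per_second[(second, who)] += 1
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    storms = {k: n for k, n in requests_per_second.items() if n > storm_threshold}
    return conflicts, storms


if __name__ == "__main__":
    conflicts, storms = analyze(SAMPLE)
    for ip, macs in conflicts.items():
        print(f"CONFLICT: {ip} claimed by {', '.join(macs)}")
    for (second, sender), n in storms.items():
        print(f"STORM: {sender} sent {n} ARP requests during {second}")
```

To run it against a real capture, feed it the output of `tcpdump -n -e arp` (the `-n` keeps addresses numeric, matching the regexes) instead of SAMPLE. A per-second bucket is enough to show the idea; a production monitor would use a sliding window and would also learn the expected MAC for the gateway so that a single unexpected reply, not only a conflict between two, is reported.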
