Hi Richard, This is most probably a virus. Saw it at G-Uganda last week and saw it again today at a client's place.
Isolate the rogue DHCP server and eliminate. You can see which IP it is by looking at the affected machine's DHCP lease info. It also gives a rogue DNS server 188.x.x.x to the affected machines.

Kind regards,
Bernard

On 16 September 2011 17:21, Rocco Radisch <[email protected]> wrote:
> Sorry to hear that Richard.
> ARP Poisoning is some very nasty stuff, up to the point of faking certificates and spoofing passwords of so called secure services.
> Try arp watch in the meantime. http://sid.rstack.org/arp-sk/
> That would only log changes in the ARP cache and arp announcement from your machine.
> There are devices you hook into the network which do the same. That only applies for 1 subnet though.
> Final solution is as you said port security via switches.
> To protect your firewall (e.g. pfSense/Monowall) there are some kernel (module) based solutions protecting from this kind of attack. The firewall would prevent any change of ip/mac associations so at least your link from the machines to the net is "secured"
> Regards,
> Rocco
>
> On 16/09/2011 5:13 PM, Richard Zulu wrote:
>
> Hey,
>
> I am experiencing some kind of ARP poisoning causing a DOS on my network.
>
> I used wireshark to investigate the traffic on my network and discovered a storm of arp broadcast traffic on my network. A tcpdump too indicated the same thing.
> Sample tcpdump output is shown below:
>
> 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
> 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
> 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
> 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
> 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
> 16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32
> 16:10:12.270965 IP 192.168.2.131.netbios-dgm > 192.168.2.255.netbios-dgm: NBT UDP PACKET(138)
> 16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
> 16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
> 16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
>
> Now, interestingly, hardly had I disconnected from the network when another machine assumed my IP address. When I checked the DHCP server, that IP address had not yet been assigned to another machine on the network. On reconnecting my laptop to the network, the DHCP server issued me my original IP address; however, Wireshark indicated that there is a duplicate of my very IP address on the network. The DHCP server still maintained my laptop is the only one using the IP address. This is how I came to the conclusion I have an issue with ARP.
>
> So, right now, I have the MAC address of the other machine on the network that is assuming to use my IP address and am hunting for it. However, this doesn't seem to be the solution.
>
> I am also planning on implementing the port security feature on my switches so that I have one MAC address allowed per port.
>
> My question however is, is there any other way I can overcome this?
>
> --
> Richard Zulu
> gtug lead, Kampala (Uganda)
> http://kampala.gtugs.org
> ---------------------------------------------------------
> http://www.linkedin.com/in/richardzulu
> http://www.twitter.com/richardzulu
>
> _______________________________________________
> The Uganda Linux User Group: http://linux.or.ug
>
> Send messages to this mailing list by addressing e-mails to: [email protected]
> Mailing list archives: http://www.mail-archive.com/[email protected]/
> Mailing list settings: http://kym.net/mailman/listinfo/lug
> To unsubscribe: http://kym.net/mailman/options/lug
>
> The Uganda LUG mailing list is generously hosted by INFOCOM:
> http://www.infocom.co.ug/
>
> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.

--
Bernard Wanyama
Technical Manager
SYNTECH ASSOCIATES Ltd
Cell: +256 712 193979
Fixed: +256 414 251591
Web: www.syntechug.com
Email: [email protected]
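An added example, written for this page and not code from any of the posters: a small Python script that performs the check Rocco's arpwatch suggestion and Richard's manual Wireshark inspection perform, over tcpdump's text output for ARP. It flags any IP that more than one MAC claims in an ARP reply (the duplicate-IP symptom) and any second in which requests for one target pile up (the broadcast storm). The first sample lines follow the capture quoted above; the second MAC aa:bb:cc:dd:ee:ff and the storm threshold of 2 are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# tcpdump ARP lines in the text format quoted in the thread, with or without
# the "(oui ...)" annotation after the MAC.
REPLY_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
REQUEST_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (\S+) tell (\S+),")


def analyze(text, storm_threshold=100):
    """Return (conflicts, storms).

    conflicts: {ip: [mac, ...]} for every IP claimed by more than one MAC in
               ARP replies (the duplicate-IP symptom seen in Wireshark).
    storms:    {(hh:mm:ss, target_ip): count} for each second in which requests
               for one target reached storm_threshold (the broadcast storm).
    """
    macs_for_ip = defaultdict(set)
    requests = Counter()
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            macs_for_ip[m.group(2)].add(m.group(3).lower())
            continue
        m = REQUEST_RE.match(line)
        if m:
            requests[(m.group(1), m.group(2))] += 1
    conflicts = {ip: sorted(macs) for ip, macs in macs_for_ip.items() if len(macs) > 1}
    storms = {key: n for key, n in requests.items() if n >= storm_threshold}
    return conflicts, storms


# Constructed sample: the first lines follow the capture quoted in the thread;
# the reply from aa:bb:cc:dd:ee:ff is invented to show a second MAC claiming the gateway.
SAMPLE = """\
16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46
16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32
16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46
16:10:12.290120 ARP, Reply 192.168.2.1 is-at aa:bb:cc:dd:ee:ff (oui Unknown), length 28
16:10:13.001000 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28
"""

if __name__ == "__main__":
    # Pipe a live capture in (tcpdump -n -l arp | python3 arp_check.py) or run
    # with no input to use the sample; threshold 2 is only for the tiny sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    conflicts, storms = analyze(data, storm_threshold=2)
    for ip, macs in conflicts.items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    for (second, target), n in storms.items():
        print(f"STORM {n} requests for {target} within {second}")
```

On a real capture raise the threshold to match the link's normal ARP rate; a conflict entry for the gateway IP is the signal worth acting on, whatever the request rate.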
