Hi Richard, As far as I know, no. The 'secure port' setting is about the best you can do for ARP security. Though, judging by your tcpdump log, that's not the problem.
The tcpdump log shows that 192.168.2.131 is repeatedly asking for the MAC address of 192.168.2.1 (and 192.168.2.1 responds each time). I wouldn't assume this is malicious -- aside from the fact that ARP traffic is commonplace on most networks, this particular exchange looks harmless. In any case, if a network host is really spamming ARP requests, I'd recommend that you hunt it down and give it a full look-over. If there's no problem with the OS/software, try replacing the NIC. As for the IP/DHCP issue, did you successfully ping the host which took your IP after disconnecting? If so, did you nmap scan it, figure out what its netbios name is, or otherwise attempt to identify it? Perhaps your service outage is related to an IP conflict with another machine? On a side note: The real danger with ARP is a man-in-the-middle attack since there's no security or verification mechanism in the protocol. For example, using ARP, I can tell your computer to send all traffic destined for the firewall to my MAC address. If I also tell the firewall to send all traffic destined for your computer to my MAC address, I become a relay point for traffic flowing between your computer and the firewall -- which means I can sniff your traffic without you noticing. This is why the port security feature exists: if you restrict each switch port to a single MAC address, individual computers can't pretend to be two different machines as in the above example. Regards, Kyle Spencer ----- Original message ----- > Hey, > > I am experiencing some kind of ARP poisoning causing a DOS on my network. > > I used wireshark to investigate the traffic on my network and discovered > a storm of arp broadcast traffic on my network. A tcpdump too indicated > the same thing. Sample tcpdump output is shown below: > > 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui > Unknown), length 28 > 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, > length 46 > 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui > Unknown), length 28 > 16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, > neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32 > 16:10:12.270965 IP 192.168.2.131.netbios-dgm > 192.168.2.255.netbios-dgm: > NBT UDP PACKET(138) > 16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > 16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui > Unknown), length 28 > 16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, > length 46 > > Now, interesting, hardly had I disconnected from the network than another > machine assumed my ip address. When I checked the dhcp server, that ip > address had not yet been assigned to another machine on the network. On > reconnecting my laptop back to the network, the dhcp server issued me > with my original ip address, however, wireshark indicated that their is a > duplicate of my very ip address on the network. The dhcp server still > maintained my laptop is the only one using the ip address. This is how I > came to the conclusion I have an issue with ARP. > > So..right now, I have the mac address of the other machine on the network > that is assuming to use my ip address and am hunting for it. However, > this doesn't seem to be the solution. > > I am also planning on implementing the port security feature on my > switches so that I have one mac address allowed per port. > > My question however is, is there any other way I can overcome this? > > > -- > Richard Zulu > gtug lead, Kampala (Uganda) > http://kampala.gtugs.org > <http://kampala.gtugs.org> > --------------------------------------------------------- > http://www.linkedin.com/in/richardzulu > http://www.twitter.com/richardzulu _______________________________________________ The Uganda Linux User Group: http://linux.or.ug Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
