It is not even 30seconds...it is like 5 entries every second...its a storm On 16 Sep 2011 21:28, "Rocco Radisch" <[email protected]> wrote: > > Do those entries appear in a regular interval, like every 30 seconds? > > > > On 16/09/2011 5:53 PM, Richard Zulu wrote: >> >> Bernard and Rocco, >> >> Thanks for the responses, Let me look into your suggestions. >> >> Rocco, use of arpwatch has revealed the same as illustrated in my previous email, the search for that mac address is still on :) >> >> arpwatch: flip flop 192.168.2.131 00:1d:09:48:fe:59 (00:23:ae:8c:78:24) eth0 >> arpwatch: flip flop 192.168.2.131 00:1d:09:48:fe:59 (00:23:ae:8c:78:24) eth0 >> arpwatch: flip flop 192.168.2.131 00:23:ae:8c:78:24 (00:1d:09:48:fe:59) eth0 >> >> Thanks >> >> >> >> On Fri, Sep 16, 2011 at 5:26 PM, Bernard Wanyama <[email protected]> wrote: >>> >>> Hi Richard, >>> >>> This is most probably a virus. >>> Saw it at G-Uganda last week and saw it again today at a client's place. >>> >>> Isolate the rogue DHCP server and eliminate. You can see which IP is it by looking at the affected machine's DHCP lease info. >>> It also gives a rogue DNS server 188.x.x.x to the affected machines. >>> >>> Kind regards, >>> Bernard >>> >>> >>> On 16 September 2011 17:21, Rocco Radisch <[email protected]> wrote: >>>> >>>> Sorry to hear that Richard. >>>> ARP Poisoning is some very nasty stuff, up to the point of faking certificates and spoofing passwords of so called secure services. >>>> Try arp watch in the meantime. http://sid.rstack.org/arp-sk/ >>>> That would only log changes in the ARP cache and arp announcement from your machine. >>>> There are devices you hook into the network which do the same. That only applies for 1 subnet though. >>>> Final solution is as you said port security via switches. >>>> To protect your firewall (e.g. pfSense/Monowall) there are some kernel (module) based solutions protecting from this kind of attacks. The firewall would prevent any change of ip/mac associations so at least your link from the machines to the net is "secured" >>>> Regards, >>>> Rocco >>>> >>>> >>>> >>>> On 16/09/2011 5:13 PM, Richard Zulu wrote: >>>>> >>>>> Hey, >>>>> >>>>> I am experiencing some kind of ARP poisoning causing a DOS on my network. >>>>> >>>>> I used wireshark to investigate the traffic on my network and discovered a storm of arp broadcast traffic on my network. A tcpdump too indicated the same thing. Sample tcpdump output is shown below: >>>>> >>>>> 16:10:12.270910 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46 >>>>> 16:10:12.270915 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28 >>>>> 16:10:12.270921 ARP, Request who-has 192.168.2.131 tell 192.168.2.4, length 46 >>>>> 16:10:12.270927 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46 >>>>> 16:10:12.270932 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28 >>>>> 16:10:12.270961 IP6 fe80::f561:405:1bcb:b766 > ff02::1:ffc3:9370: ICMP6, neighbor solicitation, who has fe80::b699:baff:fec3:9370, length 32 >>>>> 16:10:12.270965 IP 192.168.2.131.netbios-dgm > 192.168.2.255.netbios-dgm: NBT UDP PACKET(138) >>>>> 16:10:12.270974 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46 >>>>> 16:10:12.270979 ARP, Reply 192.168.2.1 is-at 00:e0:81:30:7b:6e (oui Unknown), length 28 >>>>> 16:10:12.270985 ARP, Request who-has 192.168.2.1 tell 192.168.2.131, length 46 >>>>> >>>>> Now, interesting, hardly had I disconnected from the network than another machine assumed my ip address. When I checked the dhcp server, that ip address had not yet been assigned to another machine on the network. On reconnecting my laptop back to the network, the dhcp server issued me with my original ip address, however, wireshark indicated that their is a duplicate of my very ip address on the network. The dhcp server still maintained my laptop is the only one using the ip address. This is how I came to the conclusion I have an issue with ARP. >>>>> >>>>> So..right now, I have the mac address of the other machine on the network that is assuming to use my ip address and am hunting for it. However, this doesn't seem to be the solution. >>>>> >>>>> I am also planning on implementing the port security feature on my switches so that I have one mac address allowed per port. >>>>> >>>>> My question however is, is there any other way I can overcome this? >>>>> >>>>> >>>>> -- >>>>> Richard Zulu >>>>> gtug lead, Kampala (Uganda) >>>>> http://kampala.gtugs.org >>>>> --------------------------------------------------------- >>>>> http://www.linkedin.com/in/richardzulu >>>>> http://www.twitter.com/richardzulu >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> The Uganda Linux User Group: http://linux.or.ug >>>>> >>>>> Send messages to this mailing list by addressing e-mails to: [email protected] >>>>> Mailing list archives: http://www.mail-archive.com/[email protected]/ >>>>> Mailing list settings: http://kym.net/mailman/listinfo/lug >>>>> To unsubscribe: http://kym.net/mailman/options/lug >>>>> >>>>> The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ >>>>> >>>>> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. >>>> >>>> >>>> _______________________________________________ >>>> The Uganda Linux User Group: http://linux.or.ug >>>> >>>> Send messages to this mailing list by addressing e-mails to: [email protected] >>>> Mailing list archives: http://www.mail-archive.com/[email protected]/ >>>> Mailing list settings: http://kym.net/mailman/listinfo/lug >>>> To unsubscribe: http://kym.net/mailman/options/lug >>>> >>>> The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ >>>> >>>> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. >>> >>> >>> >>> >>> -- >>> Bernard Wanyama >>> Technical Manager >>> SYNTECH ASSOCIATES Ltd >>> Cell: +256 712 193979 >>> Fixed: +256 414 251591 >>> Web: www.syntechug.com >>> Email: [email protected] >>> >>> >>> _______________________________________________ >>> The Uganda Linux User Group: http://linux.or.ug >>> >>> Send messages to this mailing list by addressing e-mails to: [email protected] >>> Mailing list archives: http://www.mail-archive.com/[email protected]/ >>> Mailing list settings: http://kym.net/mailman/listinfo/lug >>> To unsubscribe: http://kym.net/mailman/options/lug >>> >>> The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ >>> >>> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. >> >> >> >> >> -- >> Richard Zulu >> gtug lead, Kampala (Uganda) >> http://kampala.gtugs.org >> --------------------------------------------------------- >> http://www.linkedin.com/in/richardzulu >> http://www.twitter.com/richardzulu >> >> >> >> _______________________________________________ >> The Uganda Linux User Group: http://linux.or.ug >> >> Send messages to this mailing list by addressing e-mails to: [email protected] >> Mailing list archives: http://www.mail-archive.com/[email protected]/ >> Mailing list settings: http://kym.net/mailman/listinfo/lug >> To unsubscribe: http://kym.net/mailman/options/lug >> >> The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ >> >> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way. > > > _______________________________________________ > The Uganda Linux User Group: http://linux.or.ug > > Send messages to this mailing list by addressing e-mails to: [email protected] > Mailing list archives: http://www.mail-archive.com/[email protected]/ > Mailing list settings: http://kym.net/mailman/listinfo/lug > To unsubscribe: http://kym.net/mailman/options/lug > > The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ > > The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
_______________________________________________ The Uganda Linux User Group: http://linux.or.ug
Send messages to this mailing list by addressing e-mails to: [email protected] Mailing list archives: http://www.mail-archive.com/[email protected]/ Mailing list settings: http://kym.net/mailman/listinfo/lug To unsubscribe: http://kym.net/mailman/options/lug The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/ The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
