On Sun, 7 Aug 2005 00:23:49 +0200, "Miroslav Kubik" <[EMAIL PROTECTED]> wrote:
>Hello > >In our intranet is an attacker who flooding OpenBSD router by ARP requests. >Due to this we have trouble with internet connection. Is there a way how to >protect server against ARP poisoning attack? > >messages in /var/log/messages > >Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.249 by >00:e0:98:be:d3:cd on rl0 >Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.246 by >00:e0:98:c5:8b:b9 on rl0 >Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.245 by >00:e0:98:c5:9b:c5 on rl0 >Aug 6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.242 by >00:e0:98:c5:8b:b9 on rl0 >and still continue >........ > > >S pozdravem / Best Regards >Miroslav Kubik >IT Specialist >Enterprise Server Farms The other guys pointed you to how to handle protecting your openbsd servers from the arp poisoning (man arp and set the server to use static) but that will not do much good for your client machines that are trying to access the servers. You may want to not the poisoning is happening from multiple systems (note the MAC addresses) which means it could be a distributed network profiling/discovery tool or more likely, some kind of worm is loose on your network and it's looking for new victims. In the case of a worm, you should contact your Anti-Virus vendor because they are always interested in worm breakouts, can offer help on how you clean things up, and if it's a new worm, they get all excited and ask you to capture a copy of the worm so they can analyze it. Good Luck. Kind Regards, JCR -- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
