Due to the limitations of IPv4, legacy installations, ease of use, the lack of hardware protections on low-end gear, and the lack of resources to maintain port security on high-end gear, this 20-year-old attack vector is still all too common. At least the Lawrence Berkeley National Laboratory provided us with a detection utility, arpwatch, which has been available since 1992.
After identifying a suspected ARP poisoning attack and pinpointing the affected IP address range, you can easily locate the attacker with this tool.
An example of this can be seen by performing an nmap scan of the local network, which lists the MAC address answering for each host. In this example the 192.168.0.0/24 LAN segment is scanned using the following:
The arpwatch package archive is somewhat dated (Jul 22, 2006).
If you are worried about people ARP spoofing or flooding your network, you can use ARPWatch-NG, a continuation of the popular original ARPWatch from ftp://lbl.gov/.
ARPWatch monitors the MAC addresses seen on your network and writes them to a file, together with the last-known timestamp, and notifies you of changes.
It can be used to monitor for unknown (and therefore likely intruder) MAC addresses, or for somebody messing around with your ARP/DNS tables.
There have been quite a few fixes lately, so it is of course recommended to get the latest version.
Address          HWtype   HWaddress      Flags Mask   Iface
192.1                     (incomplete)                wlan0
192.1            ether    (incomplete)   C            wlan0
192.1                     (incomplete)                wlan0
192.1                     (incomplete)                wlan0
192.168.1.1      ether    (incomplete)   C            eth0
192.168.1.25     ether    (incomplete)   C            eth0
192.1            ether    (incomplete)   C            wlan0
192.168.1.240    ether    (incomplete)   C            eth0
192.1                     (incomplete)                wlan0
192.1                                    M A          wlan0

However, I would use arpwatch to monitor ARP changes.
Assuming the attacker didn't take down your network and you can still reach the server, you should halt the attack quickly.
Running this simple script will correct the ARP table for all IP addresses on the default interface of a FreeBSD server: #!
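The following is an added example (not the page's own script and not arpwatch's code) that ties the two ideas above together: it replays ARP observations against arpwatch's known-good table and labels them the way arpwatch does ("new station", "changed ethernet address", "flip flop"), then compares that table with the live FreeBSD ARP cache, flags entries whose MAC has changed and any MAC that answers for several IPs (the signature of an attacker sitting between a victim and the gateway), and prints the `arp -S` commands that would overwrite the poisoned entries with the known-good MACs. The arp.dat sample, the `arp -an` output, every address in them and the assumed tab-separated arp.dat layout are constructed for this example.

```python
import re

# Constructed sample of arpwatch's arp.dat (the known-good table it maintains).
# Layout assumed here: tab-separated <mac> <ip> <unix timestamp> [<hostname>].
ARP_DAT = (
    "00:11:22:33:44:55\t192.168.1.1\t1153567200\tgateway\n"
    "00:11:22:33:44:66\t192.168.1.25\t1153567260\tfileserver\n"
    "00:11:22:33:44:77\t192.168.1.240\t1153567320\n"
)

# Constructed `arp -an` output from a FreeBSD host during an attack: the attacker
# (de:ad:be:ef:00:01) has poisoned both the gateway and the file server entries.
ARP_AN = (
    "? (192.168.1.1) at de:ad:be:ef:00:01 on em0 expires in 1172 seconds [ethernet]\n"
    "? (192.168.1.25) at de:ad:be:ef:00:01 on em0 expires in 1180 seconds [ethernet]\n"
    "? (192.168.1.240) at 00:11:22:33:44:77 on em0 expires in 900 seconds [ethernet]\n"
    "? (192.168.1.30) at (incomplete) on em0 expired [ethernet]\n"
)

ARP_AN_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at (\S+) on (\S+)")


def _ip_key(ip):
    """Sort key so 192.168.1.25 sorts before 192.168.1.240."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_dat(text):
    """Return {ip: mac} from arp.dat text, skipping blank lines."""
    known = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t")
            known[fields[1]] = fields[0].lower()
    return known


def parse_arp_an(text):
    """Return {ip: mac} from FreeBSD `arp -an` output; incomplete entries are skipped."""
    live = {}
    for line in text.splitlines():
        m = ARP_AN_RE.search(line)
        if m and m.group(2) != "(incomplete)":
            live[m.group(1)] = m.group(2).lower()
    return live


def classify_observations(known, observations):
    """Replay (ip, mac) ARP observations against the known table and label each
    change the way arpwatch reports it: 'new station', 'changed ethernet address',
    or 'flip flop' (the entry changed back to the MAC it had before the last change)."""
    table = dict(known)   # ip -> MAC currently believed
    previous = {}         # ip -> MAC believed before the last change
    events = []
    for ip, mac in observations:
        mac = mac.lower()
        if ip not in table:
            events.append(("new station", ip, mac))
            table[ip] = mac
        elif table[ip] != mac:
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            events.append((kind, ip, mac))
            previous[ip] = table[ip]
            table[ip] = mac
    return events


def find_poisoned(known, live):
    """Entries whose live MAC differs from the known-good one, as (ip, expected, seen)."""
    return [(ip, known[ip], live[ip])
            for ip in sorted(known, key=_ip_key)
            if ip in live and live[ip] != known[ip]]


def shared_macs(live):
    """MACs answering for more than one IP: one attacker NIC impersonating several hosts."""
    by_mac = {}
    for ip, mac in live.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips, key=_ip_key) for mac, ips in by_mac.items() if len(ips) > 1}


def restore_commands(poisoned):
    """FreeBSD `arp -S <host> <ether>` lines that replace each poisoned entry with the
    known-good MAC as a static entry; remove them again with `arp -d` once the attack stops."""
    return ["arp -S %s %s" % (ip, expected) for ip, expected, _seen in poisoned]


if __name__ == "__main__":
    known = parse_arp_dat(ARP_DAT)
    live = parse_arp_an(ARP_AN)
    poisoned = find_poisoned(known, live)
    for ip, expected, seen in poisoned:
        print("POISONED %s: expected %s, cache has %s" % (ip, expected, seen))
    for mac, ips in shared_macs(live).items():
        print("MAC %s answers for %s" % (mac, ", ".join(ips)))
    print("\n".join(restore_commands(poisoned)))
```

The script only prints the `arp -S` lines; run them by hand (or pipe them to sh) on the affected server once you have confirmed the known-good table is trustworthy, and match the shared MAC it reports against the MAC column of the nmap scan to find the attacking host. Static entries pin the cache until you delete them, so remove them after the incident rather than leaving stale permanent entries behind.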
Address Resolution Protocol (ARP) poisoning is a problem that plagues most of us on switched IPv4 networks.
Unfortunately, that accounts for some 95% of the world's network infrastructure.