ARP Poisoning
Dan Lukes
dan at obluda.cz
Sat Apr 12 01:38:49 UTC 2008
budsz napsal/wrote, On 04/12/08 01:58:
> I got movement ARP entry to other MAC ADDR
> on the same IP ADDR. Everyone know what happen is? Is that ARP
> Poisoning.
Not necessary. It may be misconfigured computer (configured statically
to use an address assigned to another computer). Or there may be an
unauthorized DHCP server - for example misconfigured Windows with two or
more NICs may run one causing the IP conflicts. Yes, it may be
intentional attack also.
How to resolve ? You need to found the source of problem and disconnect
it. If it is misconfiguration, you may identify the computer via MAC. If
it is attack and your LAN is not so large, you may try to disconnect
parts of them - when problem disappear you know the segment of the
computer you are searching for.
If your LAN isn't small you need to consult your switches from where
the attacker MAC come. You can't build reliable large LAN with dumb
switches, so I'm sure you have smart switches on your LAN.
But it seems to me your question has nothing to do with FreeBSD with
the exception that there is one computer with FreeBSD connected to
problematic LAN.
Dan
More information about the freebsd-security
mailing list