tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Mon Apr 25, 2005 5:59 am Post subject: A few ARP poisoning prevention questions.
I found a great scanner by searching the previous posts discussing ARP poison detection programs. The scanner's name is NAST. To activate ARP Poison attack monitor mode I just run nast -c. Now my question is the following:
First of all on my home gateway box I typically get things like:
Code:
Verifing: xxx.xxx.xxx.1 Is 00:02:4B:B5:F0:8C ? Correct
Verifing: xxx.xxx.xxx.1 Is 00:02:4B:B5:F0:8C ? Correct
Over and over again. Which is good, since I've yet to see any variations.
However on my dedicated server at a hosting company which has other dedicated servers (some of which get hacked due to poor security and used for bad purposes on the network) I notice sometimes I get things like this:
Code:
Verifing: xxx.xxx.xxx.17 Is 00:0C:76:B5:DA:04 ? Correct
Verifing: xxx.xxx.xxx.1 Is 00:D0:02:42:9C:0A ? Correct
Verifing: xxx.xxx.xxx.1 Is 00:D0:02:42:9C:0A ? Correct
Verifing: xxx.xxx.xxx.27 Is 00:11:09:65:A3:A6 ? Correct
Verifing: xxx.xxx.xxx.33 Is 00:11:09:2B:B7:AB ? Correct
Verifing: xxx.xxx.xxx.50 Is 00:11:09:C5:0A:73 ? Correct
Verifing: xxx.xxx.xxx.5 Is 00:0C:76:90:C5:2E ? Correct
Verifing: xxx.xxx.xxx.43 Is 00:0C:76:8F:C9:E4 ? Correct
Verifing: xxx.xxx.xxx.12 Is 00:0C:76:B4:C9:2D ? Correct
Verifing: xxx.xxx.xxx.10 Is 00:02:B3:D1:E4:C3 ? Correct
Verifing: xxx.xxx.xxx.1 Is 00:D0:02:42:9C:0A ? Correct
Verifing: xxx.xxx.xxx.21 Is 00:11:09:2B:B7:A8 ? Correct
Now my question is, are those anything to worry about or is that just malfunctions in the server networking setup by their owners and actions such as requesting a dhcp or something of the sort?
Does anyone know any other tips they would like to share on ARP poisoning? I was thinking of implementing ARP Star (http://arpstar.sourceforge.net/) which supposedly blocks ARP at the source, however I prefer to have no module support on server machines when no modules are required so I am still considering this option. Does anyone have experience with this project? If so could you share any tips on configuring it? From what it seems this can also make the machine connections go down sometimes due to poor configuration in the module, and downtime would be pretty bad.
Thank you in advance.
tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Wed Apr 27, 2005 3:10 pm
Anyone?
tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Fri Apr 29, 2005 6:53 pm
bump
nielchiano Veteran
Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E
Posted: Fri Apr 29, 2005 7:36 pm
I'm no expert in ARP-poisoning, but I do know something about networking.
IMHO, those messages just display the ARP-requests that the server sees. Those are absolutely normal: if you want to contact another device on the same ethernet segment, you NEED his MAC-address.
This includes contacting the router to get you to the internet, you need his MAC as well.
There are 2 ways to get that MAC: enter it manually (I guess almost no one does this anymore), or ARP for it. I guess the logs you see are just a computer that is ARP-ing for a MAC. I think NAST is verifying that ARP-response, that's what you see.
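
Added example (not part of the thread, and not NAST's own code): a Python check over lines in the output format quoted in the first post, flagging an IP whose MAC changes and a MAC that answers for more than one IP. The sample lines, the addresses and the `pinned` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape taken from the NAST output quoted in the thread; only the IP
# and MAC are read, whatever follows the MAC is ignored.
LINE_RE = re.compile(
    r"Verifing:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+Is\s+"
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def parse(lines):
    """Yield (ip, mac) pairs; lines in any other shape are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def check_bindings(lines, pinned=None):
    """Return alerts for IP->MAC bindings that change or collide.

    pinned: optional {ip: mac} recorded out of band (e.g. the gateway).
    Without it the first MAC seen for an IP is trusted, so a spoof that
    is already active when monitoring starts would be learned as good.
    """
    known = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ip, mac in parse(lines):
        expected = known.setdefault(ip, mac)
        rebind = ("ip-rebind", ip, expected, mac)
        if mac != expected and rebind not in alerts:
            alerts.append(rebind)
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:  # one MAC answering for several IPs
                alerts.append(("mac-multi-ip", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts

# Constructed sample lines (documentation addresses, made-up MACs).
STEADY = [
    "Verifing: 192.0.2.1 Is 02:00:00:00:00:01 ?",
    "Verifing: 192.0.2.17 Is 02:00:00:00:00:11 ?",
    "Verifing: 192.0.2.1 Is 02:00:00:00:00:01 ?",
]
CHANGED = STEADY + [
    "Verifing: 192.0.2.27 Is 02:00:00:00:00:1B ?",
    "Verifing: 192.0.2.1 Is 02:00:00:00:00:1B ?",
]

if __name__ == "__main__":
    print(check_bindings(STEADY))   # no alerts: repeats of one binding
    for alert in check_bindings(CHANGED):
        print(alert)
```

The `mac-multi-ip` alert also fires for legitimate setups such as a host with several addresses on one interface, so it is a lead to investigate rather than a verdict.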