I have been facing a problem from almost 15 days. Let me explain you what i have been facing.

I am using RHEL 5 Acting as DHCP, Squid Proxy, Firewall, Bandwidth Shaper. My server has IP Address 10.10.10.1

Now from any client when i execute this command (arp -a 10.10.10.1), i should get the Physicall Address of my Server,I am not getting Server's MAC Address, whenever i execute this command i get different MAC Address. I am not getting SAME Address everytime, getting differect MAC Address eveytime.

Now due to this PING to Server is breaking up and Internet stops Working.

Can anyone please tell me some Solutions.

I also made a script to get all the MAC Addresses Againt my Server's IP. I got more than 350 MAC Addresses.

How can i solve this Problem.

I searched Google regarding ARP Poisoning i found following link.
http://packetstormsecurity.org/UNIX/utilities/

on the above stated link i found this script
http://packetstormsecurity.org/UNIX/utilities/aapd.c

As i dont know C Language so I dont know what this script will do but the description says
Please help me out in this problem.

Do any other computers on your LAN have that MAC address? Running 'arp -a' on the server should show the MACs of any machines communicating with it.

is this a flat network or a routed network ?

if the packet is passing through a router you will get the mac of the router interface rather than the mac of the destination server..

could try flushing the arp cache of the switches or routers in between..

Hi,

I have a Flat Network.

Yes the MAC Address i am getting are there on my network. I even tried flushing ARP...

Can you please tell me how to disable ARP on Server

I tried ifconfig eth1 -arp

Arp is required for layer 2 Ethernet communications to function.. without it you can forget using Ethernet..
just fire up wireshark too see what I mean about arp..

Are you sure your Ethernet switch isn't defective ?
or do you have some other issue in the physical layer ? bad cabling, bad NIC, etc..

It is because your network is infected by arp poisoning virus the solution for this problem is you have to implement static arps in the client and servers

This thread is rather old by now... I'd hesitate to jump to the conclusion that this is caused by arp poisoning. For starters, he's on RFC 1918 address space.

There are useful tools to help troubleshoot this sort of thing - e.g. arpwatch - but unless OP shows up again to revisit his previously dead thread, they're probably not worth discussing in detail.

Hi...

I have successfuly resolved this problem long time ago...i have created a custom software that needs to be isntalled at client side that cleans every thing....

Also i have switched to VPN, which is not vulnerable to such attacks. So all my problems regarding ARP Poisoning and ARP Attacks are soleved.

I created that software on VB6.0 platform, and is still under contineous upgradation.

Salamz,
mudasirm i neeeded client software if u think u can gave me im thankful to you.


Im waiting for reply
worldofaries@gmail.com

Worldofaries, If you have a windows client on your LAN that is sending false arp responses, it may be infected and should be reinstalled. A client side vb program would have to be run as Administrator. I suspect that the user has admin rights, and that is the main problem that lead to the Windows client being infected in the first place. Reinstall windows and configure it so the user doesn't run as administrator. It would be better to fix the underlining cause instead of applying a bandaid IMHO.