LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-31-2010, 06:24 PM   #1
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

ARP cache poisoning?


I've completed some recon. of my environment and have found very few instances of port scanning, no instances of brute force attacks, denial-of-service attacks, etc. However, I can't figure out what's happening all day with these raging streams of endless ARP requests.

What is happening here? Is this simply the normal life of a modern cable internet connection, where multiple routers and dns servers are constantly updating the geography map of network connections and peers?
This sort of activity goes on and on 24/7, on my internet-facing nic:

Code:
18:35:03.375596 ARP, Request who-has 76.28.95.239 tell 76.28.88.1, length 46
18:35:03.380600 ARP, Request who-has 71.192.164.42 tell 71.192.164.1, length 46
18:35:03.425131 ARP, Request who-has 76.127.176.75 tell 76.127.176.1, length 46
18:35:03.471679 ARP, Request who-has 71.234.235.112 tell 71.234.232.1, length 46
18:35:03.590344 ARP, Request who-has 76.28.94.127 tell 76.28.88.1, length 46
18:35:03.631894 ARP, Request who-has 76.28.92.160 tell 76.28.88.1, length 46
18:35:03.643407 ARP, Request who-has 71.192.164.82 tell 71.192.164.1, length 46
18:35:03.998912 ARP, Request who-has 76.28.94.61 tell 76.28.88.1, length 46
18:35:04.024931 ARP, Request who-has 76.127.178.33 tell 76.127.176.1, length 46
18:35:04.035498 ARP, Request who-has 71.233.155.211 tell 71.233.152.1, length 46
18:35:04.111584 ARP, Request who-has 71.234.192.71 tell 71.234.192.1, length 46
18:35:04.115576 ARP, Request who-has 76.28.93.200 tell 76.28.88.1, length 46
18:35:04.120573 ARP, Request who-has 71.192.165.69 tell 71.192.164.1, length 46
18:35:04.220707 ARP, Request who-has 71.192.164.172 tell 71.192.164.1, length 46
18:35:04.398451 ARP, Request who-has 76.127.179.196 tell 76.127.176.1, length 46
18:35:04.407954 ARP, Request who-has 71.233.154.42 tell 71.233.152.1, length 46
18:35:04.439988 ARP, Request who-has 71.192.165.10 tell 71.192.164.1, length 46
18:35:04.472042 ARP, Request who-has 76.28.93.54 tell 76.28.88.1, length 46
18:35:04.508594 ARP, Request who-has 76.28.91.219 tell 76.28.88.1, length 46
18:35:04.512086 ARP, Request who-has 73.157.159.164 tell 73.157.152.1, length 46
18:35:04.617254 ARP, Request who-has 71.234.192.188 tell 71.234.192.1, length 46
18:35:04.620230 ARP, Request who-has 76.127.179.3 tell 76.127.176.1, length 46
18:35:04.766958 ARP, Request who-has 71.192.165.95 tell 71.192.164.1, length 46
18:35:04.819013 ARP, Request who-has 71.233.153.114 tell 71.233.152.1, length 46
18:35:04.939696 ARP, Request who-has 71.192.165.212 tell 71.192.164.1, length 46
18:35:05.076877 ARP, Request who-has 71.234.192.69 tell 71.234.192.1, length 46
18:35:05.133445 ARP, Request who-has 71.234.192.7 tell 71.234.192.1, length 46
18:35:05.139442 ARP, Request who-has 24.61.186.154 tell 24.61.186.1, length 46
18:35:05.149959 ARP, Request who-has 24.61.187.181 tell 24.61.186.1, length 46
18:35:05.259129 ARP, Request who-has 71.192.166.42 tell 71.192.164.1, length 46
18:35:05.314202 ARP, Request who-has 71.192.165.184 tell 71.192.164.1, length 46
18:35:05.333717 ARP, Request who-has 71.192.167.57 tell 71.192.164.1, length 46
18:35:05.447381 ARP, Request who-has 71.234.193.173 tell 71.234.192.1, length 46
18:35:05.523995 ARP, Request who-has 76.127.177.126 tell 76.127.176.1, length 46
18:35:05.572545 ARP, Request who-has 71.234.193.133 tell 71.234.192.1, length 46
18:35:05.867456 ARP, Request who-has 71.233.155.155 tell 71.233.152.1, length 46
18:35:05.870444 ARP, Request who-has 71.234.195.244 tell 71.234.192.1, length 46
18:35:05.891496 ARP, Request who-has 76.127.176.38 tell 76.127.176.1, length 46
18:35:06.067732 ARP, Request who-has 76.28.92.170 tell 76.28.88.1, length 46
18:35:06.081233 ARP, Request who-has 71.233.153.104 tell 71.233.152.1, length 46
18:35:06.118783 ARP, Request who-has 76.28.93.200 tell 76.28.88.1, length 46
18:35:06.144312 ARP, Request who-has 71.233.154.235 tell 71.233.152.1, length 46
18:35:06.194894 ARP, Request who-has 76.127.176.205 tell 76.127.176.1, length 46
18:35:06.201891 ARP, Request who-has 76.28.95.87 tell 76.28.88.1, length 46
18:35:06.252470 ARP, Request who-has 24.61.187.87 tell 24.61.186.1, length 46
18:35:06.269493 ARP, Request who-has 76.28.90.44 tell 76.28.88.1, length 46
18:35:06.332580 ARP, Request who-has 71.234.232.50 tell 71.234.232.1, length 46
18:35:06.360631 ARP, Request who-has 76.28.89.120 tell 76.28.88.1, length 46
18:35:06.523839 ARP, Request who-has 76.127.179.196 tell 76.127.176.1, length 46
18:35:06.542368 ARP, Request who-has 71.233.154.177 tell 71.233.152.1, length 46
18:35:06.554373 ARP, Request who-has 76.28.94.127 tell 76.28.88.1, length 46
18:35:06.785206 ARP, Request who-has 76.28.92.15 tell 76.28.88.1, length 46
18:35:06.872828 ARP, Request who-has 71.234.234.120 tell 71.234.232.1, length 46
18:35:06.891364 ARP, Request who-has 71.192.165.69 tell 71.192.164.1, length 46
18:35:06.943917 ARP, Request who-has 71.234.193.231 tell 71.234.192.1, length 46
18:35:06.964450 ARP, Request who-has 74.16.171.102 tell 74.16.168.1, length 46
18:35:06.969459 ARP, Request who-has 76.28.94.61 tell 76.28.88.1, length 46
18:35:06.986976 ARP, Request who-has 71.233.155.195 tell 71.233.152.1, length 46
18:35:07.014007 ARP, Request who-has 76.28.89.125 tell 76.28.88.1, length 46
18:35:07.036541 ARP, Request who-has 76.127.178.33 tell 76.127.176.1, length 46
18:35:07.290912 ARP, Request who-has 76.127.176.76 tell 76.127.176.1, length 46
None of these addresses are on my network nor are they my dns server.
Is this an example of attempted ARP cache poisoning?

Suggestions and insights very much appreciated.
 
Old 09-01-2010, 02:41 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Yes it is. Are you on a wireless router?
 
Old 09-01-2010, 07:29 AM   #3
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

Original Poster
Quote:
Originally Posted by corp769
Yes it is. Are you on a wireless router?
No wireless router - 2 x 10/100 cat5 nics: a) internet-facing and b) lan-facing.

I have a wireless access point behind the linux router/firewall box that uses the lan-facing nic as a gateway to the internet.

When I monitor the lan-facing nic, there's no traffic other than the occasional dhcp server/client lease and whatever traffic my wired and wireless lan computers are making on the net.

Is there any way to squelch, redirect, reject, or drop all the ARP traffic on the internet-facing nic?

I've taken these steps in my iptables setup:

# IPv4 kernel sysctls written through /proc (run as root)
# reverse-path filtering: drop packets whose source is not routable back out the same interface
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
# SYN cookies: keep the listen queue usable under a SYN flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ignore ICMP redirects, so a remote host cannot rewrite our routing table
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
# do not answer pings sent to the broadcast address (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# do not log malformed ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# do not send ICMP redirects ourselves (a router setting)
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

But I'm not certain if this is enough.

Do you know of other methods I can employ to squash ARP poisoning attempts? Thanks for your help.
 
Old 09-01-2010, 10:38 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Hmm, please 'splain how this layer 2 activity constitutes ARP poisoning attempts?

In each case, you have an x.y.z.1 (likely a router) broadcasting a query. It may be odd that the queries are hitting your host, but I don't see anything harmful.

 
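As an added example (not from the thread), a small Python script that reads tcpdump ARP lines in the format shown in post #1: it groups the who-has requests by the asking address, which is all the capture above contains, and separately flags the one thing that would point to cache poisoning, a gateway IP being claimed by more than one MAC in ARP replies. The reply lines and all MAC addresses are constructed, and capturing with tcpdump -e (Ethernet headers shown) is assumed for the reply check.

```python
import re
from collections import Counter, defaultdict

# tcpdump ARP request lines in the exact form shown in the thread (no -e, so no MACs).
ARP_REQ = re.compile(r"^\S+ ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+), length \d+$")
# ARP replies as tcpdump prints them; the MAC in a reply is what ends up in a cache.
ARP_REPLY = re.compile(r"Reply (?P<ip>[\d.]+) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")

def summarize_requests(lines, local_ips):
    """Count who-has requests per asking address and collect those probing our own IPs.
    A request only asks a question; it installs nothing in our cache."""
    per_sender = Counter()
    probes_for_us = []
    for line in lines:
        m = ARP_REQ.match(line)
        if m:
            per_sender[m["sender"]] += 1
            if m["target"] in local_ips:
                probes_for_us.append(line)
    return per_sender, probes_for_us

def detect_flip_flops(lines):
    """Return {ip: [mac, ...]} for every IP claimed by more than one MAC in replies.
    Two MACs for one gateway IP is the signature of cache poisoning, not of a query."""
    claims = defaultdict(list)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m and m["mac"] not in claims[m["ip"]]:
            claims[m["ip"]].append(m["mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

# Four request lines copied from the capture in post #1.
REQUESTS = [
    "18:35:03.375596 ARP, Request who-has 76.28.95.239 tell 76.28.88.1, length 46",
    "18:35:03.380600 ARP, Request who-has 71.192.164.42 tell 71.192.164.1, length 46",
    "18:35:03.590344 ARP, Request who-has 76.28.94.127 tell 76.28.88.1, length 46",
    "18:35:03.631894 ARP, Request who-has 76.28.92.160 tell 76.28.88.1, length 46",
]
# Constructed reply lines (the thread has none); MACs are made up. The third line
# claims the 76.28.88.1 gateway with a second MAC, which is what poisoning looks like.
REPLIES = [
    "18:35:07.1 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype ARP (0x0806), length 60: Reply 76.28.88.1 is-at 00:11:22:33:44:55, length 46",
    "18:35:08.2 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype ARP (0x0806), length 60: Reply 76.28.88.1 is-at 00:11:22:33:44:55, length 46",
    "18:35:09.3 de:ad:be:ef:00:01 > 00:aa:bb:cc:dd:ee, ethertype ARP (0x0806), length 60: Reply 76.28.88.1 is-at de:ad:be:ef:00:01, length 46",
    "18:35:10.4 00:11:22:33:44:66 > 00:aa:bb:cc:dd:ee, ethertype ARP (0x0806), length 60: Reply 71.192.164.1 is-at 00:11:22:33:44:66, length 46",
]

if __name__ == "__main__":
    # Pretend 76.28.94.127 is our own address (a placeholder, not the poster's real IP).
    senders, probes = summarize_requests(REQUESTS, {"76.28.94.127"})
    print(senders.most_common(), len(probes))
    print(detect_flip_flops(REPLIES))
```

Run against a live capture with something like `tcpdump -e -n -l arp` piped in line by line; a non-empty result from detect_flip_flops is what deserves attention, while the request counts only tell you which gateways are busy.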
Old 09-01-2010, 03:05 PM   #5
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Yes, that is right. In that case, it is just a broadcast. Nothing harmful at all, unless there is someone on the network doing something... but in all reality, it just looks like standard broadcasts to me.
 
Old 09-01-2010, 04:19 PM   #6
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

Original Poster
Anomie and Corp, thank you very much for your insight and guidance.
 