LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-24-2007, 03:38 AM   #1
cristian1983
LQ Newbie
 
Registered: Feb 2007
Distribution: slackware
Posts: 4

Rep: Reputation: 0
Arp table poisoning


I have a 1000 computers as a network to administrate.My problem is that in the last 3 weeks i find a computer that is poisoning the arp table of my linux server; his mac address is coresponding to 10-20 ip address.He infects all the computers in the same subnet.My only options is to filter his mac from the nearest management switch and then call him to tell that his computer has a virus and need to be reinstalled the o.s.
Can anyone tell me a solution for this , other then make static entries in my linux arp table ?
Thanks
 
Old 12-24-2007, 03:42 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984
solution... disable the switchport for the computer, refuse to allow it back on the network until it is fixed... simple.
 
Old 12-28-2007, 02:31 PM   #3
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 17
Add a static ARP entry for the effected ip/mac.

Add an ebtables entry for that server that drops all arp packets from that mac address.

Code:
ebtables -A INPUT -p arp --src AB:AB:AB:AB:AB:AB -j DROP
That should work, at the cost of screwing up your routing for that mac address should it come online again with a new IP address.

I think though that acid_kewpie is right. Whilst that might sort the problem out for you the user causes a problem on the entire subnet by assuming the identity of other boxes on the local broadcast network. Ideally the person on the network needs to be removed completely until they fix the problem.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Arp-poisoning help! zaheer Linux - Networking 5 07-25-2007 11:34 PM
Arp Poisoning yawe_frek Linux - Security 3 05-26-2007 07:13 PM
arp poisoning Cisco counter measure? GUIPenguin General 1 10-14-2005 05:42 PM
ArpStar 0.5.0 Defeats ARP poisoning bassdemon Linux - Security 14 02-21-2005 02:32 PM
detecting/preventing arp cache poisoning? SocialEngineer Linux - Security 6 08-20-2004 12:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration