
Re: help: duplicate MAC address



On Wed, Oct 18, 2006 at 11:09:35AM +0800, Lestat V wrote:
> I encountered a fake MAC address problem:
> 
> I found that on the ARP table of my computer, all IP addresses in my LAN
> have the same and peculiar MAC address. On the ARP table of two other
> computers in the same LAN as mine, different IP addresses have a
> unique MAC except that of my computer which has the same and peculiar
> MAC address.

So, I guess you are saying that if you run 'arp -n' in 'You' and 'Other'
systems in the same VLAN you see this:

[ You ]
Address  HWtype HWAddress
Other-1    ether  MAC-X
Other-2    ether  MAC-X

[Other-1]
Address  HWtype HWAddress
Other-2    ether  MAC-1
You        ether  MAC-X

[Other-2]
Address  HWtype HWAddress
Other-1    ether  MAC-2
You        ether  MAC-X

Right? How 'peculiar' is that MAC address you are seeing (MAC-X)?

> Can it be normal? Or what may be going on my computer and the LAN?
 
I think that the 'bridge' option that was brought up in the thread should be
discarded because if you had:

                        - Other-1
You ---(1) Bridge (2)---|
                        - Other-2

Then 'You' would see 'Other-1' and 'Other-2' with MAC-X (the MAC address of
the interface labeled (1) in the bridge) and the Others would see 'You' with
MAC-Y (the MAC address of the interface labeled (2) in the bridge), with
MAC-X <> MAC-Y. Although one can set up a bridge's NICs to have the same MAC
address, it is rather unusual (and error-prone); you typically have one
distinct MAC per NIC.

To me, it really looks like you are being ARP-poisoned [0], a Rogue user is
sending you gratuitous ARP packets to poison your cache for all IPs in the
network and is doing likewise (for your IP) to all other hosts. A common tool
to do this is 'arpspoof' (part of the dsniff package), ettercap can also do
it.

To discern if this is so, take the MAC address of any 'Other' system
in your same VLAN ('MAC-other'). I'm going to tell you how I would do it
(using tools available in Debian):

0.- Install arping and tcpdump (or ethereal, if you are GUI-inclined)
    (there are two packages providing arping, 'arping' or 'iputils-arping',
    choose either one)
1.- Run 'arping MAC-Other'. 
    If you get answers from that host then, chances are, there's no bridge in
    between [1], you are being poisoned.
2.- Run 'tcpdump -ni eth0 arp'
    (substitute eth0 with whatever interface you are using, you can also use
     ethereal)
3.- Clear your ARP cache (you can either use 'arp -d $hostname' for all hosts
    or simply do an 'ifdown eth0 / ifup eth0')

4.- (Do not generate any traffic in the system, this might require you stop a
    number of daemon services that try to connect to other hosts or to the
    Internet.) See what ARP packets you get in tcpdump. Do you see lots of
    traffic (gratuitous ARPs for all the network)?
    Does your ARP MAC table grow with systems you have not tried to 'talk'
    to?

5.- ping the IP address of 'Other' (you should see your system sending
    broadcast ARP packets asking for the IP's MAC) and see what ARP answers
    you get: do you get one ARP answer, or more than one ARP answer from
    different MAC sources?

If the answer to 4 or 5 is 'yes', then you are definitely being ARP poisoned.
You can prevent this by either:

- introducing the proper MAC address in your ARP table (use 'arp -s IP MAC' for that)
  (very cumbersome, time consuming and error prone)
- install 'arptables' and filter out any ARP packets coming from the rogue
  user (arptables is like iptables, but for the layer 2)
  (much easier, and cleaner)

If I were you I would get access to the switch (you are using a switch,
right?) and would track the MAC-per-port table to see who is the culprit (by
looking for the 'peculiar' MAC there).

Once the Rogue user is taken care of (or you have implemented filtering for
his MAC using arptables), install 'arpwatch' [2]. It will watch ARP changes
and mail you when an IP changes its MAC address. (I haven't used it, but
ettercap is supposed to be capable of detecting ARP poisoning attacks too.)

Hope that helps,

Javier

[0] http://en.wikipedia.org/wiki/ARP_poisoning

[1] Well, there *could* be a proxy-ARP bridge, but that's not what you are
seeing.

[2] There are other similar tools but they have not yet been packaged in Debian.
These include:
- arpalert: http://www.arpalert.org/
- Gnome ARP:  http://projects.comu.edu.tr/garp
- Antidote: http://antidote.sourceforge.net
- Arphound: http://www.nottale.net/index.php?project=arphound
- Arp monitor:
  http://planeta.terra.com.br/informatica/gleicon/code/index.html
