On Wed, Oct 18, 2006 at 11:09:35AM +0800, Lestat V wrote:
> I encounter a fake MAC address problem:
>
> I found that on the ARP table of my computer, all IP addresses in my LAN
> have the same and peculiar MAC address. On the ARP tables of two other
> computers in the same LAN as mine, different IP addresses have a
> unique MAC except that of my computer, which has the same and peculiar
> MAC address.

So, I guess you are saying that if you run 'arp -n' in the 'You' and 'Other'
systems in the same VLAN you see this:

[ You ]
Address    HWtype  HWAddress
Other-1    ether   MAC-X
Other-2    ether   MAC-X

[Other-1]
Address    HWtype  HWAddress
Other-2    ether   MAC-1
You        ether   MAC-X

[Other-2]
Address    HWtype  HWAddress
Other-1    ether   MAC-2
You        ether   MAC-X

Right? How 'peculiar' is that MAC address you are seeing (MAC-X)?

> Can it be normal? Or what may be going on with my computer and the LAN?

I think that the 'bridge' option that was brought up in the thread should be
discarded because if you had:

                            - Other-1
  You ---(1) Bridge (2)---|
                            - Other-2

Then 'You' would see 'Other-1' and 'Other-2' with MAC-X (the MAC address of
the interface labeled (1) in the bridge) and the Others would see 'You' with
MAC-Y (the MAC address of the interface labeled (2) in the bridge), with
MAC-X <> MAC-Y. Although one can set up a bridge's NICs to have the same MAC
address, it is rather unusual (and error-prone); you typically have one
distinct MAC per NIC.

To me, it really looks like you are being ARP-poisoned [0]: a rogue user is
sending you gratuitous ARP packets to poison your cache for all IPs in the
network and is doing likewise (for your IP) to all other hosts. A common tool
to do this is 'arpspoof' (part of the dsniff package); ettercap can also do it.

To discern if this is so, take the MAC address of any 'Other' system in your
same VLAN ('MAC-Other'). I'm going to tell you how I (using tools available in
Debian) would do it:

0.- Install arping and tcpdump (or ethereal, if you are GUI-inclined). (There
    are two packages providing arping, 'arping' or 'iputils-arping'; choose
    either one.)

1.- Run 'arping MAC-Other'. If you get answers from that host then, chances
    are, there's no bridge in between [1]: you are being poisoned.

2.- Run 'tcpdump -ni eth0 arp' (substitute eth0 with whatever interface you
    are using; you can also use ethereal).

3.- Clear your ARP cache (you can either use 'arp -d $hostname' for all hosts
    or simply do an 'ifdown eth0 / ifup eth0').

4.- (Do not generate any traffic in the system; this might require you to
    stop a number of daemon services that try to connect to other hosts or
    to the Internet.) See what ARP packets you get in tcpdump. Do you see
    lots of traffic (gratuitous ARPs for all the network)? Does your ARP MAC
    table grow with systems you have not tried to 'talk' to?

5.- Ping the IP address of 'Other' (you should see your system sending
    broadcast ARP packets asking for the IP's MAC) and see what ARP answers
    you get: do you get one ARP answer, or more than one ARP answer from
    different MAC sources?

If the answer to 4 or 5 is 'yes', then you are definitely being ARP poisoned.

You can prevent this by either:

- introducing the proper MAC address in your ARP table (use 'arp -s IP MAC'
  for that) (very cumbersome, time consuming and error prone)

- installing 'arptables' and filtering out any ARP packets coming from the
  rogue user (arptables is like iptables, but for layer 2) (much easier, and
  cleaner)

If I were you I would get access to the switch (you are using a switch,
right?) and would track the MAC-per-port table to see who is the culprit (by
looking for the 'peculiar' MAC there).

Once the rogue user is taken care of (or you have implemented filtering for
his MAC using arptables), install 'arpwatch' [2]. It will watch ARP changes
and mail you when an IP changes its MAC address. (I haven't used it, but
ettercap is supposed to be capable of detecting ARP poisoning attacks too.)

Hope that helps,

Javier

[0] http://en.wikipedia.org/wiki/ARP_poisoning
[1] Well, there *could* be a proxy-ARP bridge, but that's not what you are
    seeing.
[2] There are other similar tools but they have not yet been packaged in
    Debian. These include:
    - arpalert: http://www.arpalert.org/
    - Gnome ARP: http://projects.comu.edu.tr/garp
    - Antidote: http://antidote.sourceforge.net
    - Arphound: http://www.nottale.net/index.php?project=arphound
    - Arp monitor: http://planeta.terra.com.br/informatica/gleicon/code/index.html
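The two symptoms Javier's steps 4 and 5 ask you to look for (one MAC claiming every IP on the segment, and more than one MAC answering for a single IP) can be checked mechanically on the raw ARP frames tcpdump shows. The following Python script is an added example, not code from the post or from any of the tools it names: it parses Ethernet+ARP frames, records every sender (IP, MAC) binding a cache would learn, reports both symptoms, and prints the arptables line that would drop ARP from each offending MAC (printed only, not applied). The capture, the 192.168.1.0/24 addresses and all MAC addresses are constructed for the example; 'de:ad:be:ef:00:01' plays the rogue MAC-X.

```python
"""Offline ARP-poisoning check (added example; not code from the original post).

Parses raw Ethernet II + ARP frames, the same bytes 'tcpdump -ni eth0 arp'
decodes, and applies the two symptoms from steps 4 and 5 of the post:
  (a) one MAC address claiming many IP addresses (the 'peculiar' MAC-X);
  (b) more than one MAC address answering for a single IP address.
Every address and frame below is constructed for the example.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None when
    the frame is truncated or is not an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, ETH_P_IP, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def analyse(frames, many_ips=3):
    """Collect the sender (IP -> MAC) bindings a cache can learn (requests and
    replies both carry them) and report the two symptoms."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                       # not ARP: skipped, like the tcpdump filter
        _op, sha, spa, _tha, _tpa = parsed
        ip_to_macs[spa].add(sha)
        mac_to_ips[sha].add(spa)
    return {
        "ip_conflicts": {ip: sorted(macs) for ip, macs in ip_to_macs.items()
                         if len(macs) > 1},
        "mac_claiming_many": {mac: sorted(ips) for mac, ips in mac_to_ips.items()
                              if len(ips) >= many_ips},
    }


def arptables_rules(report):
    """arptables(8) lines dropping ARP from each MAC that claims many IPs
    (returned as text, not executed; --source-mac is the arptables MAC match)."""
    return [f"arptables -A INPUT --source-mac {mac} -j DROP"
            for mac in sorted(report["mac_claiming_many"])]


# ---- constructed sample capture (not a real trace) -------------------------
YOU, OTHER1, OTHER2, GW = map(ip_bytes, ("192.168.1.20", "192.168.1.11",
                                         "192.168.1.12", "192.168.1.1"))
MAC_YOU, MAC_1, MAC_2 = (bytes.fromhex(h) for h in
                         ("0011223344aa", "001122334401", "001122334402"))
MAC_X = bytes.fromhex("deadbeef0001")      # the rogue, 'peculiar' MAC
BCAST, ZERO = b"\xff" * 6, b"\x00" * 6

SAMPLE_CAPTURE = [
    # step 5: 'You' pings Other-1 and broadcasts a request for its MAC
    build_arp(MAC_YOU, BCAST, ARP_REQUEST, MAC_YOU, YOU, ZERO, OTHER1),
    # the genuine answer from Other-1 ...
    build_arp(MAC_1, MAC_YOU, ARP_REPLY, MAC_1, OTHER1, MAC_YOU, YOU),
    # ... and a second answer for the same IP from the rogue MAC
    build_arp(MAC_X, MAC_YOU, ARP_REPLY, MAC_X, OTHER1, MAC_YOU, YOU),
    # step 4: unsolicited (gratuitous) replies from the rogue for other hosts
    build_arp(MAC_X, BCAST, ARP_REPLY, MAC_X, OTHER2, BCAST, OTHER2),
    build_arp(MAC_X, BCAST, ARP_REPLY, MAC_X, GW, BCAST, GW),
    # a genuine reply from Other-2, then a non-ARP (IPv4) frame that is skipped
    build_arp(MAC_2, MAC_YOU, ARP_REPLY, MAC_2, OTHER2, MAC_YOU, YOU),
    MAC_YOU + MAC_2 + struct.pack("!H", ETH_P_IP) + b"\x45" + b"\x00" * 27,
]

if __name__ == "__main__":
    report = analyse(SAMPLE_CAPTURE)
    for ip, macs in report["ip_conflicts"].items():
        print(f"{ip} answered by more than one MAC: {', '.join(macs)}")
    for mac, ips in report["mac_claiming_many"].items():
        print(f"{mac} claims {len(ips)} IPs: {', '.join(ips)}")
    print("\n".join(arptables_rules(report)))
```

On a live system the same frames come from a raw socket or a pcap file rather than the constructed list; the learning logic is unchanged. The 'many_ips' threshold is deliberately low because a normal host only ever announces one IP per interface, so a MAC seen as the sender for three or more addresses is already the symptom the original poster describes.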