Thread: question about arp poison

  1. #1
    Just burned his ISO
    Join Date
    Apr 2008
    Location
    Vaginatown
    Posts
    9

    question about arp poison

    Some dude who's an intern at my school performed a MITM attack with ARP poison on our school's network. Now suddenly his laptop crashed and shut down. He wasn't able to successfully shut down ettercap, and since then the network acted crazy for like 3 weeks. How is this possible that an ARP poison causes trouble for 3 weeks, but he only ran the program for 5 minutes?

  2. #2
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    15

    Well, although it is possible for the ARP poison to still be apparent after a while, I'm not sure it would be after 3 weeks; the ARP cache should have been flushed and repopulated by then.

  3. #3
    Just burned his ISO
    Join Date
    Apr 2008
    Location
    Vaginatown
    Posts
    9

    Exactly!

    We manually cleared the ARP table on every router, but it got poisoned over and over again with the same MAC address that hasn't been online since the 2nd day of the problem. We also pulled the plug from some switches but not from the routers; that would have fixed the problem, but we didn't get the permission to do that.

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    An ARP storm could theoretically last indefinitely, though there would have to be some serious misconfigurations and flaws in the various networking hardware for it to happen - something to get the routing team to look into.

    Assuming it is still happening right now, I recommend you schedule some downtime on all the servers for an afternoon, and cite the problem (and the causer), then just shut down the switches and routers for a couple of seconds.

    Or, you could just block that MAC address. It's a crappy problem solver, but if it works.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    1

    (oohhh, first post)

    Are you sure that the MAC address is actually from his laptop and some other person hasn't executed something similar on the network?

    If you've cleared cache on all routers etc, and the MAC keeps coming back, you could possibly assume that this particular computer is active on the network. You could try tracking the MAC back to a switch port etc to find it.

  6. #6
    Just burned his ISO
    Join Date
    Apr 2008
    Location
    Vaginatown
    Posts
    9

    Yes, I am sure it was his MAC.

    We have tried tracking the MAC address, but it was his laptop, and his laptop hasn't been online since he performed the attack.

    The problem is solved now by unplugging all power cords from every router. We know now that the network is poorly secured. Is there any way to make the network ARP-poison secure?

  7. #7
    scottsee
    Guest

    Originally posted by Knuckles:
    Yes, I am sure it was his MAC.

    We have tried tracking the MAC address, but it was his laptop, and his laptop hasn't been online since he performed the attack.

    The problem is solved now by unplugging all power cords from every router. We know now that the network is poorly secured. Is there any way to make the network ARP-poison secure?

    Yes, if you are using Cisco devices you can configure self defending

    Cisco Catalyst Integrated Security-Enabling the Self-Defending Network - Cisco Systems
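
An added example, not part of the thread: a passive check for the situation discussed above, where one MAC address keeps taking over the ARP entries of other hosts. It parses Ethernet/ARP frames and records which MAC claims which IP. The frames, addresses and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                      # not ARP
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, fmt_mac(sha), fmt_ip(spa)

def find_conflicts(frames):
    """rebound: IPs claimed by more than one MAC (in order seen).
    multi: MACs claiming more than one IP (can be legitimate, e.g. a router)."""
    ip_macs, mac_ips = defaultdict(list), defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, mac, ip = parsed
        if mac not in ip_macs[ip]:
            ip_macs[ip].append(mac)
        mac_ips[mac].add(ip)
    rebound = {ip: macs for ip, macs in ip_macs.items() if len(macs) > 1}
    multi = {mac: sorted(ips) for mac, ips in mac_ips.items() if len(ips) > 1}
    return rebound, multi

def sample_frame(mac, ip):
    """Constructed test input: a broadcast ARP reply in which `mac` claims `ip`."""
    m = bytes.fromhex(mac.replace(":", ""))
    a = bytes(int(p) for p in ip.split("."))
    return (b"\xff" * 6 + m + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
            + m + a + b"\xff" * 6 + a)

# Constructed addresses: gateway, an ordinary host, and the laptop from the thread.
GW, HOST, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [sample_frame(GW, "192.0.2.1"), sample_frame(HOST, "192.0.2.10"),
          sample_frame(LAPTOP, "192.0.2.66"), sample_frame(LAPTOP, "192.0.2.1"),
          sample_frame(LAPTOP, "192.0.2.10"), b"\x00" * 20]

if __name__ == "__main__":
    rebound, multi = find_conflicts(SAMPLE)
    print("IPs claimed by several MACs:", rebound)
    print("MACs claiming several IPs:", multi)
```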
