Some dude who's an intern at my school performed a MITM attack with ARP poison on our school's network. Now suddenly his laptop crashed and shut down. He wasn't able to successfully shut down Ettercap, and since then the network acted crazy for like 3 weeks. How is this possible that an ARP poison causes trouble for 3 weeks, but he only ran the program for 5 minutes?
Well, although it is possible for the ARP poison to still be apparent after a while, I'm not sure it would be after 3 weeks; the ARP cache should have been flushed and repopulated by then.
Exactly!
We manually cleared the ARP table on every router, but it got poisoned over and over again with the same MAC address that hasn't been online since the 2nd day of the problem. We also pulled the plug from some switches but not from the routers; that would have fixed the problem, but we didn't get the permission to do that.
An arp storm could theoretically last indefinitely, though there would have to be some serious misconfigurations and flaws in the various networking hardware for it to happen - something to get the routing team to look into.
Assuming it is still happening right now, I recommend you schedule some downtime on all the servers for an afternoon, and cite the problem (and the causer), then just shut down the switches and routers for a couple of seconds.
Or, you could just block that MAC address. It's a crappy problem solver, but if it works.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
(oohhh, first post)
Are you sure that the MAC address is actually from his laptop and some other person hasn't executed something similar on the network?
If you've cleared cache on all routers etc, and the MAC keeps coming back, you could possibly assume that this particular computer is active on the network. You could try tracking the MAC back to a switch port etc to find it.
Yes, I am sure it was his MAC.
We have tried tracking the MAC address, but it was his laptop, and his laptop hasn't been online since he performed the attack.
The problem is solved now by unplugging all power cords from every router. We know now that the network is poorly secured. Is there any way to make the network ARP-poison secure?
Yes, if you are using Cisco devices you can configure self defending
Cisco Catalyst Integrated Security-Enabling the Self-Defending Network - Cisco Systems
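For the symptom described in the thread (a cleared ARP table filling up again with one MAC address), the following is an added monitoring example, not code from any poster or from Cisco. It compares an ARP table dump against a trusted IP-to-MAC list; the addresses, the trusted list and the Linux `arp -a` style dump are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data: trusted bindings (e.g. from DHCP leases or an
# inventory) and an ARP table dump taken after the cache was cleared.
TRUSTED = {
    "10.0.0.1": "00:11:22:33:44:01",   # gateway
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00-11-22-33-44-11",
    "10.0.0.66": "DE:AD:BE:EF:00:66",  # the suspect laptop's own address
}
ARP_DUMP = """\
? (10.0.0.1) at de:ad:be:ef:00:66 [ether] on eth0
? (10.0.0.10) at 00:11:22:33:44:10 [ether] on eth0
? (10.0.0.11) at de:ad:be:ef:00:66 [ether] on eth0
? (10.0.0.66) at de:ad:be:ef:00:66 [ether] on eth0
? (10.0.0.20) at <incomplete> on eth0
"""
ENTRY = re.compile(
    r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")

def normalize(mac):
    """Lower-case, colon-separated form so comparisons are exact."""
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return {ip: mac}; unresolved (<incomplete>) entries are skipped."""
    return {ip: normalize(mac) for ip, mac in ENTRY.findall(text)}

def audit(table, trusted):
    """Flag entries that contradict the trusted list, and MACs that
    answer for more than one IP (typical of a poisoned cache)."""
    findings, owners = [], defaultdict(list)
    for ip, mac in table.items():
        owners[mac].append(ip)
        expected = trusted.get(ip)
        if expected is None:
            findings.append(("unknown-ip", ip, mac))
        elif normalize(expected) != mac:
            findings.append(("binding-mismatch", ip, mac))
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(("mac-claims-many", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_DUMP), TRUSTED):
        print(finding)
```

Run on a schedule, a check like this shows whether the bad binding returns after a flush; it only reports and does not stop the forged replies from reaching hosts.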