Possible ARP Attack

Discussion in 'Capsa Network Analyzer' started by sk309, Sep 8, 2010.

Thread Status:
Not open for further replies.
  1. sk309

    sk309 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    2
    We are getting a lot of ARP scans on the network particularly from servers sending ARP requests. The signs are similar to http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php?id=demo.

    However, the problem is that these are servers that are doing the ARPing. How do we determine that this is really a problem and, if so, what steps does one take to fix it?

    Other readings I have found state to cut the machine from the LAN; however, we cannot easily do that with domain controllers.

    How does one identify from that actual server that there is a problem?
     
  2. Colasoft Support

    Colasoft Support Colasoft Moderator

    Joined:
    Dec 6, 2007
    Posts:
    254
    Hi sk309,

    Can you tell me more about the server? Packet files of your attack are also appreciated.
     
  3. sk309

    sk309 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    2
    It is various servers that are doing it. e.g. under diagnosis, the scan has been running for 22 minutes and there are 460 ARP scans. One of the servers is the Domain Controller and attached are the packet traces. There is also a weird IP address: 192.168.30.32 that does scans. When the MAC is tracked down, it ends up being one of the Windows 2003 servers. However, we have not bound that IP.

    The ARP ratio is at this time 1.3MB in requests to 14K in responses in a 25 minute time.

    Note: The attached files are Capsa captures. The extension has been changed to .txt so that I could upload them.

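An added example, not from this thread or from Colasoft: a small Python script that parses raw Ethernet/ARP frames and computes, per sender MAC, how many requests it sent, how many distinct IPs it probed and how many replies came back, flagging the request/reply imbalance sk309 describes. The frames, MAC addresses and IPs are constructed sample data, and the thresholds are assumed, not Capsa's.

```python
import struct
from collections import defaultdict

# Ethernet header (dst MAC, src MAC, EtherType) and ARP body in RFC 826 layout.
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build one Ethernet/ARP frame (constructed sample data, not a real capture)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)   # requests are broadcast
    return ETH_HDR.pack(dst, mac(sha), ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)

def arp_scan_report(frames, min_requests=50, max_reply_ratio=0.1):
    """Per sender MAC: requests sent, distinct targets probed, replies received.
    A host sending many requests to many distinct IPs and getting almost no
    replies back is flagged as a likely ARP scan (assumed thresholds)."""
    stats = defaultdict(lambda: {"requests": 0, "targets": set(), "replies": 0})
    for f in frames:
        p = parse_arp(f)
        if p is None:
            continue
        op, sha, _, tha, tpa = p
        if op == ARP_REQUEST:
            stats[sha]["requests"] += 1
            stats[sha]["targets"].add(tpa)
        elif op == ARP_REPLY:
            stats[tha]["replies"] += 1   # a reply is addressed to the original requester
    report = {}
    for m, s in stats.items():
        ratio = s["replies"] / s["requests"] if s["requests"] else 1.0
        scan = s["requests"] >= min_requests and len(s["targets"]) >= min_requests and ratio < max_reply_ratio
        report[m] = {"requests": s["requests"], "targets": len(s["targets"]),
                     "replies": s["replies"], "reply_ratio": round(ratio, 3), "scan": scan}
    return report

def sample_frames():
    """Constructed traffic: one server sweeping a /24 with few answers, plus one normal host."""
    srv, srv_ip, pc, pc_ip = "00:0c:29:aa:bb:01", "192.168.30.10", "00:0c:29:cc:dd:02", "192.168.30.50"
    frames = [build_arp(ARP_REQUEST, srv, srv_ip, "00:00:00:00:00:00", f"192.168.30.{h}") for h in range(1, 255)]
    frames += [build_arp(ARP_REPLY, f"00:50:56:00:00:{h:02x}", f"192.168.30.{h}", srv, srv_ip) for h in (1, 20, 32)]
    frames += [build_arp(ARP_REQUEST, pc, pc_ip, "00:00:00:00:00:00", "192.168.30.1") for _ in range(5)]
    frames += [build_arp(ARP_REPLY, "00:50:56:00:00:01", "192.168.30.1", pc, pc_ip) for _ in range(5)]
    return frames
```

To run it over a real Capsa export, replace `sample_frames()` with frames read from the capture; the per-MAC report then shows which server is sweeping the subnet and how little of its traffic is answered.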
