freebsd security - Apr 2008 - ARP Poisoning

Hallo,

I've Lan with configure XP system and FreeBSD acting as router. So I
get stranger troble is disconnecting each computer together. This
happened with random time, maybe about 15 minutes after running as
well. In /var/log/message I got movement ARP entry to other MAC ADDR
on the same IP ADDR. Everyone know what happen is? Is that ARP
Poisoning. If the answer yes, how to preventing or resoloving this
problem?

Thanks You For Advance.

-- 
budsz

budsz napsal/wrote, On 04/12/08 01:58:
> I got movement ARP entry to other MAC ADDR
> on the same IP ADDR. Everyone know what happen is? Is that ARP
> Poisoning. 
	Not necessary. It may be misconfigured computer (configured statically 
to use an address assigned to another computer). Or there may be an 
unauthorized DHCP server - for example misconfigured Windows with two or 
more NICs may run one causing the IP conflicts. Yes, it may be 
intentional attack also.

	How to resolve ? You need to found the source of problem and disconnect 
it. If it is misconfiguration, you may identify the computer via MAC. If 
it is attack and your LAN is not so large, you may try to disconnect 
parts of them - when problem disappear you know the segment of the 
computer you are searching for.

	If your LAN isn't small you need to consult your switches from where 
the attacker MAC come. You can't build reliable large LAN with dumb 
switches, so I'm sure you have smart switches on your LAN.

	But it seems to me your question has nothing to do with FreeBSD with 
the exception that there is one computer with FreeBSD connected to 
problematic LAN.


						Dan