Network Security Guru?


Any advice on the following would be much appreciated....

I have a wireless access point connected to my D-Link DSL-504 adsl modem / hub combo. The DSL-504 is providing a DHCP service on the network. The WAP has MAC filtering configured to only allow known devices to connect.
One evening I noticed the activity light on the WAP blinking when I knew there were no known wireless users connected. I also noticed the ADSL activity light blinking on the DSL-504. Naturally I started to worry.

Anyway, I set up Ethereal on my wired PC connected direct to the DSL-504 and proceeded to monitor the network packets. What I noticed were lots of ARP requests from the DSL-504 directed to an IP address that was in the DHCP allocation table, but assigned to a machine that was switched off. Also ARP requests were being made to the machine doing the sniffing. In both cases the target MAC address in the ARP requests was not the real MAC address of the machine allocated that IP address in the DHCP allocation table. Also the target MAC address changes between requests issued for the same IP address.

The ARPs continued even after I'd disconnected the WAP, so maybe they're originating from the internet?

The ARP requests were only ever for one or the other of the 2 IP addresses, so it doesn't look like someone / something is trying a range of IP addresses, though the fact that the MAC address is changing looks odd.

So, if anyone could shed light on this I'd much appreciate it.

Cheers,
David
3 REPLIES

Network Security Guru?

They could be coming from the net. What rules have you got set up on the firewall for the router?

Network Security Guru?

Ah, I think I've figured it out. I had a DMZ set up on the DSL-504 which pointed to a Linux machine running a bittorrent client and HTTP server. The bulk of the ARP requests were targeting that machine's IP address, even though it was powered down at the time. I also had some ports forwarded on to the other machine which was doing the sniffing. I disabled the port forwarding & DMZ, and lo and behold the ARPs died off.

I don't have the Linux box online all the time, so I think I'll leave the DMZ and port forwarding off unless I specifically need it.

Any idea what the ARPs are about? I found some stuff on the 'net saying they could be used to redirect network packets to a different machine, but is this a common attack over the internet? Is there a way to stop it & still have a DMZ or port forwarding set up?

Cheers,
David

Network Security Guru?

ARP is the protocol used to turn IP addresses into physical addresses, which the lower-level Ethernet protocol (on top of which IP is sitting) uses to deliver the packets. So yes, by fudging the ARP response an attacker can misdirect traffic... but equally you can't block ARP, as most things will fail then.

ARP == Address Resolution Protocol, which comprises two messages: a broadcast ARP request and a directed ARP response.
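As an added illustration (not code from this thread or from D-Link) of how a defender would check for the symptom David saw and for the fudged replies described above: a small Python audit that parses raw Ethernet/ARP frames, compares them with the DHCP allocation table, and flags requests whose target MAC is neither zero nor the table's entry, a target MAC that changes between requests for one IP, and replies that claim an IP with a MAC the table does not hold. The `audit`/`build_arp` helpers, the MACs, the IPs and the sample frames are all constructed for the demo.

```python
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_TYPE, REQUEST, REPLY, ZERO_MAC = 0x0806, 1, 2, "00:00:00:00:00:00"

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ARP_TYPE:
        return None
    op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)[4:]
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Construct a broadcast ARP frame (sample data for the demo, not a capture)."""
    return (ETH.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(sha), ARP_TYPE)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa)))

def audit(frames, known):
    """Check frames against the DHCP table {ip: mac}; return (kind, ip, mac) alerts:
    odd/changing target MACs in requests (the thread's symptom) and spoofed replies."""
    alerts, targets = [], defaultdict(set)
    for a in filter(None, map(parse_arp, frames)):
        if a["op"] == REQUEST and a["tha"] != ZERO_MAC:
            if known.get(a["tpa"]) not in (None, a["tha"]):
                alerts.append(("unexpected_target_mac", a["tpa"], a["tha"]))
            targets[a["tpa"]].add(a["tha"])
            if len(targets[a["tpa"]]) > 1:
                alerts.append(("target_mac_changed", a["tpa"], a["tha"]))
        elif a["op"] == REPLY and known.get(a["spa"]) not in (None, a["sha"]):
            alerts.append(("mapping_conflict", a["spa"], a["sha"]))
    return alerts

# Constructed sample: router 192.168.0.1 and two DHCP leases (all values made up).
KNOWN = {"192.168.0.10": "00:11:22:33:44:10", "192.168.0.11": "00:11:22:33:44:11"}
ROUTER = "00:0d:88:aa:bb:cc"
SAMPLE = [
    build_arp(REQUEST, ROUTER, "192.168.0.1", ZERO_MAC, "192.168.0.10"),            # normal
    build_arp(REQUEST, ROUTER, "192.168.0.1", "de:ad:be:ef:00:01", "192.168.0.10"),  # odd target MAC
    build_arp(REQUEST, ROUTER, "192.168.0.1", "de:ad:be:ef:00:02", "192.168.0.10"),  # ...and it changed
    build_arp(REPLY, "de:ad:be:ef:00:03", "192.168.0.11", ROUTER, "192.168.0.1"),    # spoofed reply
]
```

On a live capture, Wireshark's ARP dissector applies the same mapping-conflict idea with its "Duplicate IP address detected" warning; the DHCP table here stands in for whatever authoritative IP-to-MAC list you keep.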