brian_071computing
asked on
Network throws up MAC spoofing warning on one PC - How can I trace the root cause and fix the problem.
Hi,
I have been asked to find and fix (or dismiss) the cause of "MAC spoofing detected" errors appearing on one PC on the Network.
The network has approx. 50 devices. The PC runs Bullguard Internet Security and the security log shows this problem as an ARP reply with no preceding Request. The event occurs approx every 4 minutes. I used nbtscan to look at net devices and using this, the Security log, and arp -a have discovered the following.
The Sender of the ARP Reply is always pruporting to be 10.1.1.1
10.1.1.1 is supposed to be the file server on the Network
Approx half the messages have 00-80-c8-b9-f1-c9 as the Sender MAC, the other half are from 00-80-c8-b9-f1-cc (NOTE: only last digit differs !!)
My host PC is 10.1.1.15, and naturally the ARP table changes the MAC associated with 10.1.1.1 each time this message is received
nbtscan (Netbios tracer) links the Server (10.1.1.1) to the first MAC address.
My question is this - Does anyone know the source of the problem ? Does it represent a weakness in the network ? or a feature of the network to which Bullguard is over-reacting ? I don't know enough about networking to answer this myself.
Many thanks, Brian.
I have been asked to find and fix (or dismiss) the cause of "MAC spoofing detected" errors appearing on one PC on the Network.
The network has approx. 50 devices. The PC runs Bullguard Internet Security and the security log shows this problem as an ARP reply with no preceding Request. The event occurs approx every 4 minutes. I used nbtscan to look at net devices and using this, the Security log, and arp -a have discovered the following.
The Sender of the ARP Reply is always pruporting to be 10.1.1.1
10.1.1.1 is supposed to be the file server on the Network
Approx half the messages have 00-80-c8-b9-f1-c9 as the Sender MAC, the other half are from 00-80-c8-b9-f1-cc (NOTE: only last digit differs !!)
My host PC is 10.1.1.15, and naturally the ARP table changes the MAC associated with 10.1.1.1 each time this message is received
nbtscan (Netbios tracer) links the Server (10.1.1.1) to the first MAC address.
My question is this - Does anyone know the source of the problem ? Does it represent a weakness in the network ? or a feature of the network to which Bullguard is over-reacting ? I don't know enough about networking to answer this myself.
Many thanks, Brian.
ASKER
Hi Cyclops,
I don't work at the place so will have to arrange another visit. I know they are not Cisco switches, and doubt they are managed ones. I know about man-in-the-middle attacks but what leads me to believe that this is something different is the fact the the 2 MACs coming from 10.1.1.1 differ by only 1 character blah-blah-blah-CC and blah-blah-blah-C9 ?
Next time I visit I will try to get a password for the Server and use "getmac" to confirm its MAC....
I don't work at the place so will have to arrange another visit. I know they are not Cisco switches, and doubt they are managed ones. I know about man-in-the-middle attacks but what leads me to believe that this is something different is the fact the the 2 MACs coming from 10.1.1.1 differ by only 1 character blah-blah-blah-CC and blah-blah-blah-C9 ?
Next time I visit I will try to get a password for the Server and use "getmac" to confirm its MAC....
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Managed to get to the site today. Used WireShark at 10.1.1.15 and at the File Server 10.1.1.1. The ARP stuff is all fine at the Server but is still causing the alerts at 10.1.1.15 - Using a multi-ping tool the device with the offending MAC is not showing up in any ARP table - so will have to visit each PC on network in turn at some stage and see can it be found. Maybe its malware running that is generating false IP stuff and false MAC identitys just to try to annoy the user of 10.1.1.15 ? Unfortunately the two 25 port switches are unmanaged, dumb devices. Well - I'm off for two weeks Holidays in St. Louis, South IL and Memphis, TN. Will respond on my return, Thanks, Brian.
it probably wouldn't show in any arp table since it'd have to show under a wrong IP. I take it that it didn't show under the firewalls arp table either?
ASKER
Hi Cyclops - can't login to the Zyxel modem to check - may get password on my return and look.
Best REgards, Brian.
i know if you have everything going thru a cisco switch you can do a
sh mac-address-table
and see which mac belongs to which port and can atleast help in identifying the problem host
sounds like its something that needs to be looked into though. could be a compromised host or someone doing something their not suppose to be doing. this type of attack allows the attacker to redirect network traffic thru their machine "seeing" everything that is going on. They can then forward that traffic to the correct mac so the orig client doesn't know what is happening.