Network throws up MAC spoofing warning on one PC - How can I trace the root cause and fix the problem?
Posted on 2006-07-20
I have been asked to find and fix (or dismiss) the cause of "MAC spoofing detected" errors appearing on one PC on the Network.
The network has approx. 50 devices. The PC runs Bullguard Internet Security and the security log shows this problem as an ARP reply with no preceding Request. The event occurs approx every 4 minutes. I used nbtscan to look at net devices and using this, the Security log, and arp -a have discovered the following.
The Sender of the ARP Reply is always purporting to be 10.1.1.1.
10.1.1.1 is supposed to be the file server on the Network.
Approx half the messages have 00-80-c8-b9-f1-c9 as the Sender MAC, the other half are from 00-80-c8-b9-f1-cc (NOTE: only last digit differs!!)
My host PC is 10.1.1.15, and naturally the ARP table changes the MAC associated with 10.1.1.1 each time this message is received.
nbtscan (Netbios tracer) links the Server (10.1.1.1) to the first MAC address.
My question is this - Does anyone know the source of the problem? Does it represent a weakness in the network, or a feature of the network to which Bullguard is over-reacting? I don't know enough about networking to answer this myself.
Many thanks, Brian.
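
An added example, not part of the original post: one way to record the behaviour described above is to save the output of `arp -a` on the affected PC at intervals and compare the snapshots. The Python below parses Windows `arp -a` output, lists every IP that has appeared with more than one MAC, and notes whether those MACs share the same vendor prefix (OUI, the first three octets). The snapshot text, the timestamps and the 10.1.1.20 entry are constructed sample data; the function names are this example's own.

```python
import re
from collections import defaultdict

# One entry line of Windows `arp -a` output: IP address, MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M)

def parse_arp_table(text):
    """Return {ip: mac} for the dynamic entries in one `arp -a` snapshot."""
    return {ip: mac.lower() for ip, mac, kind in ENTRY.findall(text)
            if kind.lower() == "dynamic"}

def find_flapping(snapshots):
    """snapshots: list of (label, arp_output). Report IPs seen with >1 MAC."""
    seen = defaultdict(list)  # ip -> [(label, mac)], appended on each change
    for label, text in snapshots:
        for ip, mac in parse_arp_table(text).items():
            if not seen[ip] or seen[ip][-1][1] != mac:
                seen[ip].append((label, mac))
    report = {}
    for ip, history in seen.items():
        macs = sorted({m for _, m in history})
        if len(macs) > 1:
            report[ip] = {
                "macs": macs,
                "changes": len(history) - 1,
                # Same first three octets means the same vendor prefix.
                "same_oui": len({m[:8] for m in macs}) == 1,
                "history": history,
            }
    return report

def _snapshot(server_mac):
    # Constructed sample in the `arp -a` layout; 10.1.1.20 and its MAC are made up.
    return ("Interface: 10.1.1.15 --- 0x2\n"
            "  Internet Address      Physical Address      Type\n"
            f"  10.1.1.1              {server_mac}     dynamic\n"
            "  10.1.1.20             00-11-22-33-44-55     dynamic\n")

# Four constructed snapshots, four minutes apart, alternating the two MACs
# quoted in the post.
SNAPSHOTS = [(f"t+{4 * i}min", _snapshot(mac)) for i, mac in enumerate(
    ["00-80-c8-b9-f1-c9", "00-80-c8-b9-f1-cc"] * 2)]

if __name__ == "__main__":
    for ip, info in find_flapping(SNAPSHOTS).items():
        print(ip, info["macs"], "changes:", info["changes"],
              "same OUI:", info["same_oui"])
```

The `history` list gives the time of each change, which can be lined up against the entries in the security log.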