Customer advertising gateway and DNS as their own?

We have an odd situation on one of our subnets. People will phone up and complain about a slow connection. I will go out a few hours later and get full speed on the LAN, but in the hotspot (hosts) tab there is always 1 machine that has our gateway and DNS servers listed as assigned to its own MAC address, but with an idle time of 1-2 hours ago. I'm pretty sure it's a virus that's doing this, but the customer claims to have been to the PC shop and the university, and both have not found a virus? Has anyone seen this happen on their network, and is there any way of guarding against it? Help! Jon

That's effectively an ARP poisoning attack, regardless of the root cause (a virus, or accidental misconfiguration). You have to protect against that at the switchport level (which could be an uplink to an AP); you can't defend against it on the router. Cisco calls its solution "dynamic ARP inspection": switches learn IP-MAC address relationships by snooping DHCP traffic and also by pulling in static configuration. When a host starts replying to ARP (or starts announcing via RARP) mappings that it shouldn't, the switch shuts down the port. On an AP uplink that can of course affect service for other connected users. Other vendors have similar solutions.
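The validation step the reply describes (compare each ARP reply's claimed IP/MAC pair against a binding table built from DHCP snooping and static entries, and mark the ingress port for shutdown on a mismatch), worked through as an added Python example. This is not code from the thread or from any vendor's implementation; the addresses, port names and binding table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed binding table: what a switch doing DHCP snooping plus static
# configuration would hold. The gateway and DNS server are static entries;
# the client was learned from a DHCP lease. All values are made up.
BINDINGS: Dict[str, str] = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway (static)
    "192.168.1.2": "00:11:22:33:44:02",   # DNS server (static)
    "192.168.1.50": "aa:bb:cc:dd:ee:50",  # client, learned via DHCP
}


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for inspection."""
    port: str        # access port the frame arrived on
    sender_ip: str   # protocol address the sender claims
    sender_mac: str  # hardware address the sender claims for it


def check_reply(reply: ArpReply, bindings: Dict[str, str]) -> Optional[str]:
    """Return None when the reply matches the binding table, else a reason."""
    expected = bindings.get(reply.sender_ip)
    if expected is None:
        return f"{reply.sender_ip} has no DHCP/static binding"
    if expected.lower() != reply.sender_mac.lower():
        return (f"{reply.sender_ip} is bound to {expected} "
                f"but {reply.sender_mac} claims it")
    return None


def inspect(replies: List[ArpReply],
            bindings: Dict[str, str]) -> Dict[str, List[str]]:
    """Group violations by ingress port. A DAI-enabled switch would
    error-disable every port that appears in the result."""
    violations: Dict[str, List[str]] = {}
    for reply in replies:
        reason = check_reply(reply, bindings)
        if reason is not None:
            violations.setdefault(reply.port, []).append(reason)
    return violations


# Constructed sample traffic: ether1 is the uplink toward the real gateway and
# DNS server; ether5 is a client answering ARP for both with its own MAC,
# which is the symptom described in the thread.
SAMPLE_REPLIES = [
    ArpReply("ether1", "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply("ether1", "192.168.1.2", "00:11:22:33:44:02"),
    ArpReply("ether3", "192.168.1.50", "aa:bb:cc:dd:ee:50"),
    ArpReply("ether5", "192.168.1.1", "aa:bb:cc:dd:ee:55"),
    ArpReply("ether5", "192.168.1.2", "aa:bb:cc:dd:ee:55"),
]


def offending_ports(replies: List[ArpReply] = SAMPLE_REPLIES,
                    bindings: Dict[str, str] = BINDINGS) -> List[str]:
    """Ports the inspection would shut down for the given traffic."""
    return sorted(inspect(replies, bindings))


if __name__ == "__main__":
    for port, reasons in inspect(SAMPLE_REPLIES, BINDINGS).items():
        print(f"{port}: shut down")
        for reason in reasons:
            print("   ", reason)
```

Note that the check only has teeth when the binding table is trustworthy: the gateway and DNS entries should be static, and DHCP snooping must only accept leases from the port facing the real DHCP server, otherwise the poisoning host can seed the table itself.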

Thanks for your reply. Is there a way of using a MikroTik RB493 or something and having that detect and block the bogus announcements if it's 1 client per port? The house in question only has 8 rooms? Thanks. Jon