After arpwatch had run for a while, I determined that many IPs were
being announced with the MAC 00:05:DD:69:14:07, including the router;
when the router subsequently flip-flopped to the very similar MAC
00:05:DD:67:14:07, a 'battle' would ensue with multiple flip-flops,
about 3 per second. I believe, but am not positive,
that the real MAC of the router is 00:05:DD:69:14:07, because I tested
various connects with lynx to google.com, etc., with 'arp' reporting this
as the MAC, and connectivity was not impaired. However, it's possible
that either somebody is proxying or I'm simply wrong.

Installed 'nemesis' with the intention of attempting a DoS
attack against 00:05:DD:67:14:07. At this point a member of phantomd
walked in, meaning there were people on both sides of me, so I switched
to something else. Configured snort for syslog output and
enabled the arpspoof preprocessor with only our IP and MAC, since I'm
not absolutely positive of anybody else's MAC. This didn't appear
to give any results after a couple of minutes, and that plus the fact
that the vast majority of arpwatch output is noting flip-flops in the
router's MAC, plus the plainly visible output on the screen of morris,
leads me to believe that it's possible that we are the target of a
(unicast?) ARP poisoning attack in which the attacker wishes our
machine alone to believe the router is it. Still not sure on this
though, but it would make sense because we are on top in points.

Constructed a crude DoS attack against 00:05:DD:67:14:07, a
shell script to run nemesis endlessly to inject a TCP SYN packet aimed
at port 22 allegedly from ago's IP and an unused MAC. After testing
this a bit and looking at the arpwatch logs, I had a 'duh' moment
when I realized the other machines having flip-flops reported were
all flip-flopping to/from 00:05:DD:69:14:07. It would make sense that
that is the fake MAC, so I retooled flood.sh to blast SYN packets on port
22 at that address. Sadly, initial testing revealed no effect on the
frequency of the router flip-flops reported by arpwatch, leading me to
believe that this approach is ineffective against our mystery attacker.

It should be noted that about 2 minutes after I started flood.sh,
a member of phantomd burst into the lab and started checking things
out on his machine. That machine also seemed to have the most hard
drive activity during the attempted DoS.
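
The two signatures the log relies on (one IP flip-flopping between two MACs several times a second, and one MAC answering for many IPs) can be checked mechanically from a stream of ARP replies. The following is an added example, not code from the lab log or from arpwatch/snort: it replays a constructed set of ARP replies and applies the log's own heuristic that, of the two MACs contending for the router, the one that also claims other hosts' IPs is the likely forged one. The gateway address 10.0.0.1, the other hosts' addresses and MACs, the timestamps, and which of the two 00:05:DD:xx:14:07 addresses is real are all assumptions for the sample; the log itself is unsure of the last point.

```python
"""ARP flip-flop / poisoning detector over a list of ARP replies.

Added example, not the lab's code. Sample data below is constructed; the
assignment of 'real' vs 'fake' to the two MACs is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply ('IP is-at MAC') as arpwatch would observe it."""
    t: float   # seconds since start of capture
    ip: str
    mac: str


def _norm(mac: str) -> str:
    return mac.lower()


def flip_flops(replies):
    """Per IP: (number of times the announced MAC changed between consecutive
    announcements, i.e. arpwatch 'flip flops'; set of MACs that claimed it)."""
    last, flips, macs = {}, defaultdict(int), defaultdict(set)
    for r in sorted(replies, key=lambda r: r.t):
        mac = _norm(r.mac)
        macs[r.ip].add(mac)
        if r.ip in last and last[r.ip] != mac:
            flips[r.ip] += 1
        last[r.ip] = mac
    return {ip: (flips[ip], frozenset(macs[ip])) for ip in macs}


def flip_rate(replies, ip):
    """Flip-flops per second for `ip` across the span of its announcements."""
    ts = sorted(r.t for r in replies if r.ip == ip)
    span = ts[-1] - ts[0] if len(ts) > 1 else 0.0
    if span <= 0:
        return 0.0
    return flip_flops(replies)[ip][0] / span


def ips_claimed(replies):
    """Map each MAC to the set of IPs it has answered for."""
    claimed = defaultdict(set)
    for r in replies:
        claimed[_norm(r.mac)].add(r.ip)
    return {m: frozenset(v) for m, v in claimed.items()}


def likely_forged_mac(replies, ip):
    """The log's heuristic: of the MACs contending for `ip`, the one that also
    answers for other hosts' IPs is the likely poisoner. Returns None when no
    contender claims more than one IP, or when the top two contenders tie."""
    claimed = ips_claimed(replies)
    contenders = flip_flops(replies).get(ip, (0, frozenset()))[1]
    ranked = sorted(contenders, key=lambda m: len(claimed[m]), reverse=True)
    if not ranked or len(claimed[ranked[0]]) < 2:
        return None
    if len(ranked) > 1 and len(claimed[ranked[1]]) == len(claimed[ranked[0]]):
        return None
    return ranked[0]


# --- constructed sample (assumed roles and addresses) ---------------------
ROUTER = "10.0.0.1"                 # assumed gateway IP; the log gives none
REAL = "00:05:dd:67:14:07"          # assumed real router MAC for this sample
FAKE = "00:05:dd:69:14:07"          # assumed forged MAC (the log's later guess)


def sample_replies():
    """Router alternating between two MACs ~3 times/s for 3 s, plus two other
    hosts whose IPs are also announced from the forged MAC."""
    out = [ArpReply(i / 3.0, ROUTER, FAKE if i % 2 else REAL) for i in range(10)]
    out += [ArpReply(0.5, "10.0.0.5", "00:11:22:33:44:55"),   # assumed host
            ArpReply(1.1, "10.0.0.5", FAKE),
            ArpReply(0.9, "10.0.0.7", "00:aa:bb:cc:dd:ee"),   # assumed host
            ArpReply(1.4, "10.0.0.7", FAKE)]
    return out


if __name__ == "__main__":
    replies = sample_replies()
    for ip, (n, macs) in sorted(flip_flops(replies).items()):
        print(f"{ip}: {n} flip-flops ({flip_rate(replies, ip):.1f}/s) "
              f"between {sorted(macs)}")
    for mac, ips in ips_claimed(replies).items():
        if len(ips) > 1:
            print(f"{mac} answers for {len(ips)} IPs: {sorted(ips)}")
    print("likely forged router MAC:", likely_forged_mac(replies, ROUTER))
```

On the sample this reports the router flip-flopping 9 times at 3.0/s and names 00:05:dd:69:14:07 as the likely forged MAC because it answers for three IPs while the other contender answers only for the router. The tie rule matters in practice: if both contending MACs also claim other hosts (for example two attackers, or a legitimate proxy ARP router), the heuristic cannot decide and the function says so rather than guessing.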