We've got an ongoing problem on our corporate network that doesn't match any pattern I'm familiar with. It's a form of ARP poisoning, but not "positive" in any way that I can see (even for a malicious agent).
At any given moment, roughly 20% of the active IP addresses on our main corporate LAN get extra ARP responses from the MAC address of other hosts on the network. Over time, nearly 2/3 of our IP addresses are behaving this way intermittently.
The offending IP addresses are changing constantly. There is no pattern in the types of host involved; it can be laptops, tablets, smart phones/watches, etc. It "looks" like they're randomly answering ARP requests for each other.
I don't believe the offending devices are actually configured with these IPs, because they never respond to anything at the IP level.
This started out as an apparent duplicate IP address issue. However, we've determined with Wireshark that there is no rogue DHCP server on our network – the offending replies come from existing MAC addresses that have another DHCP address already. None of these devices ever respond positively to more than one IP address at any given time.
I'm using arp-scan and Wireshark/tcpdump to do this analysis. I've done it manually from a MacBook with Wireshark, and I can see both ARP replies. Sometimes there are 3-4 MACs responding to the same IP ARP. Sometimes there will be two replies from a particular MAC, but not always. I'm also running arp-scan on a schedule and capturing the results to analyze the overall proliferation of the problem.
I'm leaning towards the idea that this is either a non-malicious application or a network misconfiguration, because I can't see the benefit to even a hacker of spoofing ARP replies from arbitrary MACs other than DoS, and the frequency and duration are too low to be an effective DoS.
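The analysis the poster describes (spotting IPs that get ARP replies from more than one MAC, and MACs that answer for more than one IP) can be automated over saved tcpdump output. The script below is an added example, not code from the original post; it assumes the capture was produced with `tcpdump -n arp` (no `-e`, so the line starts with the timestamp followed by `ARP, Reply ... is-at ...`), and the sample lines it parses are constructed, not a real capture.

```python
"""Summarize ARP replies from tcpdump output to find IPs answered by several MACs.

Added example (not from the original post). Assumes the `tcpdump -n arp` line
format; the SAMPLE_CAPTURE below is constructed for illustration.
"""
import re
from collections import defaultdict

# Matches the reply line tcpdump -n prints, e.g.
# "12:00:01.000120 ARP, Reply 10.0.0.5 is-at aa:bb:cc:dd:ee:01, length 28"
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: 10.0.0.5 is answered by two MACs, 10.0.0.9 by three,
# 10.0.0.7 by exactly one (normal). Request lines are present but ignored.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
12:00:01.000120 ARP, Reply 10.0.0.5 is-at aa:bb:cc:dd:ee:01, length 28
12:00:01.000410 ARP, Reply 10.0.0.5 is-at aa:bb:cc:dd:ee:02, length 28
12:00:02.000001 ARP, Request who-has 10.0.0.7 tell 10.0.0.1, length 28
12:00:02.000200 ARP, Reply 10.0.0.7 is-at aa:bb:cc:dd:ee:03, length 28
12:00:03.000001 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28
12:00:03.000150 ARP, Reply 10.0.0.9 is-at aa:bb:cc:dd:ee:02, length 28
12:00:03.000300 ARP, Reply 10.0.0.9 is-at aa:bb:cc:dd:ee:04, length 28
12:00:03.000450 ARP, Reply 10.0.0.9 is-at aa:bb:cc:dd:ee:05, length 28
12:00:04.000120 ARP, Reply 10.0.0.5 is-at aa:bb:cc:dd:ee:01, length 28
"""


def parse_arp_replies(text):
    """Yield (ip, mac) for every ARP reply line; non-reply lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def summarize(text):
    """Build ip -> {macs} and mac -> {ips} maps from the reply lines."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in parse_arp_replies(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return ip_to_macs, mac_to_ips


def conflicting_ips(text):
    """IPs that received replies from more than one MAC (the symptom described)."""
    ip_to_macs, _ = summarize(text)
    return {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}


def overclaiming_macs(text):
    """MACs that answered for more than one IP: the hosts worth examining first."""
    _, mac_to_ips = summarize(text)
    return {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}


def conflict_ratio(text):
    """Fraction of IPs seen in replies that had more than one MAC answering."""
    ip_to_macs, _ = summarize(text)
    if not ip_to_macs:
        return 0.0
    return len(conflicting_ips(text)) / len(ip_to_macs)


if __name__ == "__main__":
    for ip, macs in sorted(conflicting_ips(SAMPLE_CAPTURE).items()):
        print(f"{ip}: {len(macs)} MACs -> {', '.join(macs)}")
    for mac, ips in sorted(overclaiming_macs(SAMPLE_CAPTURE).items()):
        print(f"{mac} answered for {', '.join(ips)}")
    print(f"conflict ratio: {conflict_ratio(SAMPLE_CAPTURE):.0%}")
```

Running it against a real file is `python3 arp_conflicts.py < capture.txt` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`; the `overclaiming_macs` view is the useful one for triage, because a single MAC that answers for many unrelated IPs points at one host (or one piece of software on it) rather than at a configuration error spread across the LAN. Capture with `-e` instead, and the Ethernet source MAC on each line can additionally be compared with the `is-at` MAC inside the reply; the two differing is its own signal.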