My Windows 2008 server started a TCP session talking to one destination mac address, but in the middle of the TCP session started sending packets to another destination mac address and then eventually switched back. Any thoughts/ideas on what could cause this? Both the sending server and the destination host are on the same subnet. The issue appears to be resolved when I set static ARP entries for the IP on the server.
- You say the issue resolves when you set static ARP entries... this indicates that the TCP session is causing the server to re-request(?) the IP address of the destination machine by sending an ARP broadcast for its IP address... that's what it sounds like anyway :) What is this 'other' destination MAC address it sends packets to? – emtunc May 03 '11 at 14:58
- How about an ICMP redirect? What type of service was it connecting to? Was it a web server? If so, did the web server perform an HTTP redirect? – joeqwerty May 03 '11 at 17:12
- @emtunc The other destination MAC is the default gw, which doesn't make sense considering that the intended destination is on the same subnet. – Mike B May 04 '11 at 00:04
- @joeqwerty SMTP traffic. – Mike B May 04 '11 at 00:04
1 Answer
This could be ARP spoofing followed by a man-in-the-middle attack on your LAN.
In this scenario, an attacker would send spoofed ARP replies to both your server and the destination host, poisoning the machines' ARP tables and forcing them to send all their traffic through a host of the attacker's choice on the local network segment. If that host had IP forwarding (or Ethernet bridging) enabled, then after eavesdropping on, recording or modifying the traffic, it would route it to its final destination without any connectivity loss whatsoever.
After the completion of the attack, the attacker would send ARP replies with the "legitimate"/initial MAC addresses to the machines that were involved, restoring the ARP table entries as if nothing had happened.
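As an added illustration (not part of the question or the answer above), a small detector for the symptom described in the question: it tracks the IP-to-MAC bindings seen in ARP replies on the segment and flags any host whose binding flips, calling out the case where a same-subnet peer suddenly resolves to the default gateway's MAC. The addresses, the reply sequence and the gateway IP are constructed for the example.

```python
"""Detect ARP-binding flaps of the kind described in the question."""

# Constructed sample of ARP replies ("is-at") as a monitor on the segment
# might record them: (time_s, sender_ip, sender_mac). Addresses are made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.20", "00:11:22:33:44:20"),   # SMTP peer, legitimate MAC
    (0.5, "192.168.1.1", "00:11:22:33:44:01"),    # default gateway
    (30.2, "192.168.1.20", "00:11:22:33:44:01"),  # peer now claims gateway MAC
    (31.0, "192.168.1.20", "00:11:22:33:44:01"),  # repeat, same MAC: no new alert
    (95.7, "192.168.1.20", "00:11:22:33:44:20"),  # switched back, as in the question
]

GATEWAY_IP = "192.168.1.1"  # assumed; in practice taken from the host's routing table


def detect_arp_flaps(replies, gateway_ip=None):
    """Return alerts for IPs whose MAC binding changes between ARP replies.

    Each alert is (time_s, ip, old_mac, new_mac, note). When gateway_ip is
    given and its MAC has been seen, a non-gateway IP that starts resolving
    to the gateway's MAC gets an explicit note, since a same-subnet peer
    should never legitimately share the gateway's hardware address.
    """
    binding = {}        # ip -> last MAC seen for it
    gateway_mac = None
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if gateway_ip and ip == gateway_ip:
            gateway_mac = mac
        old = binding.get(ip)
        if old is not None and old != mac:
            note = "mac changed"
            if gateway_mac and ip != gateway_ip and mac == gateway_mac:
                note = "now resolves to gateway MAC (possible ARP poisoning)"
            alerts.append((t, ip, old, mac, note))
        binding[ip] = mac
    return alerts


if __name__ == "__main__":
    for t, ip, old, new, note in detect_arp_flaps(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(f"t={t:6.1f}s {ip}: {old} -> {new}  [{note}]")
```

On a real segment the same logic can be fed from a packet capture filtered to ARP replies, or from periodic snapshots of the server's own ARP cache; the static ARP entries mentioned in the question prevent the flip on that one host but do not reveal who sent the replies.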
