
Potential ARP Cache Poisoning

gregwoodson
Level 1

One of our Windows servers was compromised, causing us to start having ARP cache issues. The switch port that that machine was on is now off. We are still (slowly) getting this error:

Jun 4 18:17:54 CDT: %IP-4-ZERO_ADDR: Zero MAC address for 10.1.0.1 in ARP cache

But the interfaces to which they show up are only interfaces on the router itself. We have configured Snort to try to resolve some of these issues, but do not know where to look when the interfaces that are listed are only the ones on the router itself.


gregwoodson
Level 1

An update. I've discovered that the MAC address on the port channel on this router truly IS coming up all zeros. And the ARP cache on the switch it is connected to says the same thing. In the show interface on that port channel on the router, it shows:

Port-channel1 is up, line protocol is up

Hardware is FEChannel, address is 0000.0000.0000 (bia 0050.739f.6500)

What can cause the port channel's MAC address to basically disappear?