ARP Poisoning Detection
Well, if there are static MAC addresses in the server's ARP table, there isn't any way to poison it… About detection: an average programmer or scripter can make an application which will watch the ARP table for him and tell him about changes. This programming is a question of about 3 minutes, so yes, it's easily detectable (but many network admins aren't programmers…)
deathalive wrote: but many network admins aren't programmers…
I know that the question has been answered already, but this statement was something that I had to speak on. Of course, you are absolutely right about netadmins not having the coding experience that would help. In fact, netadmins should be required to have at least a moderate knowledge of scripting languages. Tasks that could easily be replaced by automation compose at least 50% of an admin's job; that time could be used to further the technology that's already there, instead of simply supporting it.
As for the original question… the ideal place to put a MAC spoofing detection method would be on the network switches, as they handle Layer 2 packets. For a "homegrown" solution, however, an IDS system would suffice, too, I'm sure. I would be interested to see a programmatic solution for such tracking / detection; for that matter, the pseudocode would even be of interest.
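The table-watching approach deathalive describes above, and the programmatic solution the follow-up post asks for, as an added example that is not code from anyone in this thread. It assumes the Linux /proc/net/arp format; the two snapshots are constructed, and the duplicate-MAC check goes a step beyond the text (one hardware address answering for several IPs is a common sign of a poisoned table).

```python
"""Watch the ARP table for changed IP->MAC bindings; assumes the Linux /proc/net/arp format."""
import time
from typing import Dict, List, Tuple
# Constructed snapshots: in the second, gateway 192.168.1.1 takes the hardware address of host .20.
SNAPSHOT_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""
SNAPSHOT_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from /proc/net/arp text, skipping the header and unresolved entries."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":  # incomplete entry, no binding yet
            continue
        table[ip] = mac
    return table

def find_changes(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for every IP whose hardware address differs between snapshots."""
    return [(ip, old[ip], new[ip]) for ip in sorted(old) if ip in new and new[ip] != old[ip]]

def find_duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """{mac: [ips]} for every hardware address bound to more than one IP address."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def watch(path: str = "/proc/net/arp", interval: float = 5.0) -> None:
    """Poll the live table and print every changed binding and duplicated hardware address."""
    previous = parse_arp_table(open(path).read())
    while True:
        time.sleep(interval)
        current = parse_arp_table(open(path).read())
        for ip, old_mac, new_mac in find_changes(previous, current):
            print(f"ALERT {ip} changed {old_mac} -> {new_mac}")
        for mac, ips in find_duplicate_macs(current).items():
            print(f"ALERT {mac} bound to {', '.join(ips)}")
        previous = current
```

Running `find_changes(parse_arp_table(SNAPSHOT_BEFORE), parse_arp_table(SNAPSHOT_AFTER))` reports the gateway's changed binding; `watch()` does the same against the live table on a Linux host.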
Hmm, here is a scenario. On a big LAN, 100 computers or more. You are the network administrator, and are going to prevent ARP poisoning attacks on the users. Is there any way the network administrator can monitor if any of the users are getting ARP poisoned?
I don't know really, but are users meant to send ARP reply packets out to the network? And is it possible for the network administrator to sniff ARP reply packets?