If an attacker on the network attempts to use ARP poisoning (spoofing) in order to redirect traffic to his own machine, what mechanisms and techniques are available for tracking the spoofed ARP messages to their source?
Are these techniques effective even when the attacking machine is using a spoofed MAC address (a likely scenario)?
According to my research on the subject, and running tests there are no quick fixes for tracking the source individual perpetrating this type of attack because of the nature of it. Meaning tracking, but not filtering/blocking. The attack method itself is basically easy to do compared to the scale of other types of attacks out there due to fundamental flaws in network hardware. There are however methods of blocking or tracking (in part) and ways to narrow down the search for an attacker.
One such tool called arpwatch (http://www.securityfocus.com/tools/142) that scans for changes in IP and MAC address then delivers an alert when found. There is a SUSE article on using the tool here: https://www.suse.com/communities/conversations/detecting-arp-poisoning-attacks/
The check into DHCP Snooping and DAI (Dynamic ARP Inspection): http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
Izam is right, it is much easier to detect ARP poisoning than it is to target the attacker. The methods used most often find it when it occurs, or are focused on prevention. Wireshark describes a method of finding a starting point 'for investigation': http://searchsecurity.techtarget.com/video/How-to-use-Wireshark-to-detect-and-prevent-ARP-spoofing
ArpPoisoning.com offers a couple of scripts you run when you log into a server you have concern may be a target. http://www.arppoisoning.com/best-practices-for-defending-against-arp-poisoning-2/ One for linux: https://github.com/alan-reed/ARP-Defense and one for Windows based machines: https://github.com/alan-reed/ARP-Defense/blob/master/defendAPR.bat
The 2 scripts attempt to track the ARP table and compare it live as you are connected, and attempt to repair the ARP table as it is happening.
Another step would be to attempt triangulation (or trilateration) to target the attacker's physical location between multiple access points.
If you have multiple access points, then you have the opportunity when you find the one that is getting the highest level of ARP request traffic, and then by checking the signal strength pinpoint the location of an originating machine.
A security application by Aruba Networks uses triangulation to attempt to locate problems on the network as 'interference sources'. Interestingly enough, they have the same trick in reverse, using ARP poisoning as a defensive weapon: if an 'interference source' is detected it attempts to poison the ARP of the port of the switch used by it and kill its access to the network (page 19 here): http://www.arubanetworks.com/pdf/technology/TB_ProtectTheAir.pdf
Granted I do not have access to a network protected by this automated and multifaceted defensive structure but I would be interested to see how well and how quickly it takes out threats like ARP attacks. Being that it defends against specific points as they are compromised, an assertion could be made that it would give a good general direction in the real environment to look for a physical attacker.
For small networks, it would be better to filter out bad ARP requests and set fixed IP & MAC connections where possible. Then it is much easier to track with fewer connections.
You may also want to check out IronGeek's ARPFreeze tool: http://www.irongeek.com/i.php?page=security/arpfreeze-static-arp-poisoning
