5

This is a shared network with a router and 16 users sharing the internet connection.

Why I think someone is arp spoofing:

Suddenly, since this week, I get disconnects regularly. I cannot access the router under 192.168.1.1 nor any website, getting

DNS_PROBE_FINISHED_BAD_CONFIG

Once I restart the router, it works again.

The connection that are already set up, keep working though. games that I started before, still work, e.g.

http://agar.io/

I have admin access to the router, and tomato is running on it.

My questions

How can I make sure someone is doing arp spoofing?

How can I detect who is doing that?

What can I do against it?

Toskan
  • 153
  • 3
  • 2
    Looks like the problem was on DNS lookup and not related to ARP spoofing. What made you think it is ARP spoofing? – Benny Jun 05 '15 at 00:17
  • I am not an arp spoofing expert. The reasons I was thinking it was because it started to happen after 1 month without a single problem. Then it re-occurred several times. Especially that I could no longer reach 192.168.1.1 made me think, it certainly is not DNS lookup – Toskan Jun 05 '15 at 00:22
  • 2
    I wouldn't jump to the solution that it's arp spoofing; it sounds like a more general network error. Have you tried another device to see if you get similar issues? – tlng05 Jun 05 '15 at 02:20
  • Is this a wireless network? – k1DBLITZ Jun 05 '15 at 12:36
  • it is a wireless network but I am connected over lan. When it occurs, I can disconnect the ethernet cable, i will see the wireless network name, but cannot connect. My phone stops working as well. – Toskan Jun 10 '15 at 00:29

1 Answers1

5

The detect ARP spoofing, you typically capture packets and look for gratuitous ARP advertisements. That way you can also see what device is doing the spoofing.

To defend, you need to configure your device/network with static ARP assignments.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    is there a tool that can help me with that? – Toskan Jun 10 '15 at 00:29
  • @Toskan, XArp offers tools for automated ARP spoofing detection without much additional knowledge required. Packet analysers such as Wireshark can be used for this as well but you need more network security knowledge to interpret the collected data. – LLub Feb 19 '19 at 20:57