yoelbassin / ARP-Spoofing-Detection

An ARP spoofing detection tool written in Python using the Scapy library, based on the paper "Detecting ARP Spoofing: An Active Technique" by Vivek Ramachandran and Sukumar Nandi, India
MIT License
13 stars 3 forks

DHCP Server Releases the IP very quickly after the attack #1

Closed Pratikshresth closed 3 years ago

Pratikshresth commented 3 years ago

Hello brother, I was trying out your code with the Cisco 3725 router. It successfully starved the DHCP server but after the attack it gets released very quickly. What might be the problem? In the ARP table of the Cisco router, the generated MAC address is shown as INCOMPLETE. Can you help out with this?

asafJct commented 3 years ago

Hi bro, this is an interesting question. I am eager to see the answer too.

yoelbassin commented 3 years ago

Hey, from what I've read, the reason for seeing an incomplete ARP is that an ARP request was sent for an address, but the host with that address is not up and running on the LAN, so there is no reply. In the detection script, if your host receives an ARP request from a device, it will create and send a new ARP request to this device to check for multiple replies from different devices for one IP request or requests from fake IP addresses. In your case, an attacker imitated a device that isn't currently on the network, so when the algorithm sends an ARP request for this IP there are no devices on the LAN that match it.

Please note that this algorithm is only for the detection of ARP spoofing attempts and not for prevention.
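
The verification step described in the comment above, sketched as an added example (it is not part of the thread and is not the project's own code): each ARP request's sender is probed, and the replies are classified, including the no-reply case that shows up as INCOMPLETE. The function name `classify`, the verdict labels and all addresses are assumptions constructed for illustration, and the code works on recorded records rather than live Scapy traffic.

```python
from collections import defaultdict

# Constructed sample data (not captured traffic): ARP requests the host saw,
# and the replies that came back when it probed each sender's claimed IP.
REQUESTS_SEEN = [
    {"src_ip": "192.168.1.10", "src_mac": "aa:aa:aa:aa:aa:10"},  # honest host
    {"src_ip": "192.168.1.1",  "src_mac": "de:ad:be:ef:00:01"},  # claims the gateway's IP
    {"src_ip": "192.168.1.77", "src_mac": "02:00:00:00:00:77"},  # claimed host is not on the LAN
]
PROBE_REPLIES = [
    {"ip": "192.168.1.10", "mac": "aa:aa:aa:aa:aa:10"},
    {"ip": "192.168.1.1",  "mac": "cc:cc:cc:cc:cc:01"},
    {"ip": "192.168.1.1",  "mac": "de:ad:be:ef:00:01"},
]


def classify(requests, replies):
    """Return {src_ip: verdict} for each ARP request after one verification probe."""
    # Collect every distinct MAC that answered the probe for a given IP.
    macs_by_ip = defaultdict(set)
    for r in replies:
        macs_by_ip[r["ip"]].add(r["mac"].lower())

    verdicts = {}
    for req in requests:
        ip, claimed = req["src_ip"], req["src_mac"].lower()
        answered = macs_by_ip.get(ip, set())
        if not answered:
            # Nobody owns this IP on the LAN: the sender used a fake address.
            verdicts[ip] = "no-reply"
        elif len(answered) > 1:
            # Several devices answered for one IP: spoofing is likely.
            verdicts[ip] = "conflict"
        elif claimed not in answered:
            # One owner answered, but it is not the MAC that sent the request.
            verdicts[ip] = "mismatch"
        else:
            verdicts[ip] = "consistent"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(REQUESTS_SEEN, PROBE_REPLIES).items():
        print(f"{ip:15} {verdict}")
```
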

Pratikshresth commented 3 years ago

So, is this the reason that the leases are being released quickly by the router?

yoelbassin commented 3 years ago

From what I understand, yes, IMO.

Pratikshresth commented 3 years ago

Thank you so much for the information. One last question: is there any way we can make this code not release the lease?

yoelbassin commented 3 years ago

Hey, are you talking about the ARP spoofing detection tool? Because if so, I'm not quite sure I understand what you mean; the tool shouldn't affect the host - it should only alert (print in that case) if an ARP spoofing attack is detected.

Pratikshresth commented 3 years ago

I am so sorry, but thank you so much for the explanation. I was supposed to open this issue in the DHCP starvation repo but I accidentally did in this repo. I apologize for this. I was having a problem starving the DHCP server.

Pratikshresth commented 3 years ago

I am extremely sorry, the question was for the DHCP starvation.