myhexhax wrote: True, it's easy to detect (relatively), as long as you have a monitoring program/IDS running, or utilize DHCP snooping. Remember that valid ARP entries will change too, like when a client disconnects and connects, and in turn is assigned a new IP address. You can also just have a static ARP cache/IP-MAC mapping and not allow changes to it, but this only works in non-DHCP environments. Unfortunately I have rarely seen any sort of ARP poisoning detection/prevention deployed in any environment I have worked in, including enterprise and corporate.
NO WAYYYYYYY !!!! No ARP WATCHING software was deployed ??? That sounds like a REALLY BAD POLICY or simply someone is REALLY LAZY !!!! I GOT NO CLUE !!! Well, I'm still a student and haven't really worked on any big-scale network (what a surprise), but even I know that some level of security has to be in place, otherwise your employees will take you down (internal attacks are the most common from what I've read and heard till now). I'm working on a simple tool now that does a simple version of a MITM attack and does a DoS attack (and a few other things). You can have a look at my website and try it out - I still need to work on it properly, but it works. Anyway, I can't imagine a network without any protection.. it becomes a jungle then... grrrrrr
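The monitoring approach from the quoted post, as an added example that is not part of either poster's message: an arpwatch-style check that flags IP-to-MAC changes but accepts the ones a DHCP binding table explains, and never accepts a change to a pinned (static) entry. The function name, the `{ip: mac}` table formats and every address are assumptions made for the illustration.

```python
# Added example: classify ARP mapping changes as DHCP churn or suspicious.
# All addresses, timestamps and tables below are constructed sample data
# (documentation IP and MAC ranges), not values from the thread.
from collections import namedtuple

Obs = namedtuple("Obs", "ts ip mac")  # one observed ARP reply

def check_arp(observations, dhcp_bindings, pinned):
    """Return (ts, ip, old_mac, new_mac, verdict) for every mapping change.

    dhcp_bindings: {ip: mac} as a DHCP snooping table would hold (assumed format).
    pinned:        {ip: mac} static entries that must never change (e.g. gateway).
    """
    table = {ip: mac.lower() for ip, mac in pinned.items()}
    findings = []
    for o in sorted(observations, key=lambda x: x.ts):
        mac, old = o.mac.lower(), table.get(o.ip)
        if old is None:
            table[o.ip] = mac              # first sighting: learn the mapping
            continue
        if old == mac:
            continue                       # unchanged, nothing to report
        if o.ip in pinned:
            verdict = "ALERT pinned entry changed"
        elif dhcp_bindings.get(o.ip, "").lower() == mac:
            verdict = "ok dhcp reassignment"
            table[o.ip] = mac              # legitimate change: accept it
        else:
            verdict = "ALERT no matching dhcp binding"
        # On an alert the table keeps the last known-good MAC, so every
        # further spoofed reply for that IP is reported again.
        findings.append((o.ts, o.ip, old, mac, verdict))
    return findings

PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}      # gateway, static entry
BINDINGS = {"192.0.2.50": "00:00:5e:00:53:bb"}   # current DHCP lease holder
SAMPLE = [
    Obs(1, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway answers normally
    Obs(2, "192.0.2.50", "00:00:5e:00:53:aa"),   # previous lease holder
    Obs(3, "192.0.2.50", "00:00:5e:00:53:bb"),   # client reconnected, new lease
    Obs(4, "192.0.2.1", "00:00:5e:00:53:cc"),    # another MAC claims the gateway
    Obs(5, "192.0.2.50", "00:00:5e:00:53:cc"),   # same MAC claims a client IP
]

if __name__ == "__main__":
    for finding in check_arp(SAMPLE, BINDINGS, PINNED):
        print(*finding)
```

In a pure static environment the `pinned` table covers every host and `dhcp_bindings` is empty, which matches the "static ARP cache" case from the quoted post.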