[unisog] Arp spoofing attack

rackow at mcs.anl.gov rackow at mcs.anl.gov
Tue Apr 29 10:58:33 GMT 2008


You are not alone in seeing this kind of activity.  It seems
a methodology that is getting a resurgence in popularity.

Another clue that we had was that the other machines on
the subnet were popping up alerts from the AV system when
visiting web pages.  We too spent time thinking this was
a virus outbreak on the subnet.  Once we dumped the arp
cache/cam table from the router it became clear it was
poisoned.  In this case the system did have an AV product
installed, but for some reason it stopped getting signature
updates about 40 days earlier.  The malware would have
been detected/stopped if it was up to date.


Russell Fulton made the following keystrokes:
 >Just a quick heads up.  We had an incident today that took much longer  
 >to resolve because no one immediately recognised the symptoms.  Here's  
 >hoping that if one of you gets hit you will know what it is without  
 >having to work it out the hard way like we did.
 >
 >Symptoms:
 >
 >Service desk started getting reports of web pages with Chinese ads  
 >inserted in them.  It rapidly became apparent that just one chunk of  
 >our network ( a /20 block) was affected (first clue).   What confused  
 >the issue was that the initial reports all complained about pages on  
 >our main web site which caused us to misdirect our attention to the  
 >content management system.
 >
 >Eventually I realised that the problem was much more widespread than  
 >just our servers and that web pages from outside were being mangled as  
 >well.  My first reaction was some form of malware that was spreading  
 >within the /20 network or that some name server cache had been  
 >deliberately corrupted (It's capping week here ;) and this wasted more  
 >time.  Then I found out that all flavours of machines were affected:   
 >Macs, Linux and multiple Windows versions (second clue).
 >
 >At this point I decided that it had to be something networks related.   
 >Parallel with this some users were sniffing the network from affected  
 >machines and noticed lots of spurious ARP traffic (final clue).  A few  
 >minutes poking with netdisco revealed one mac address with *lots* of  
 >IPs associated with it.  Disabling its switch port solved the problem.
 >
 >If I had thought of arp spoofing at 10am in the morning when I first  
 >heard about it we could have dealt with the problem in a few minutes,  
 >as it was we wasted many man hours before the penny dropped.
 >
 >The machine in question had just returned from a conference in China  
 >-- it was fully patched but had no AV.  It was a privately owned  
 >laptop on the network without AV in contravention of policy.  Sigh...   
 >Oh yes, a Japanese version of Windows...
 >
 >What happened:
 >
 >The machine in question was infected with something that used arp  
 >spoofing to convince the router to send traffic for many addresses on  
 >the network to it rather than to the real machine.  It then mangled  
 >web pages by inserting a single line of JavaScript at the start and  
 >then passed the traffic on to the intended recipient.
 >
 >Cheers, Russell 
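
The check that ended the hunt in both accounts above (one MAC address answering for many IPs in the ARP table) can be run directly against a table dump. This is an added example, not part of either message; it assumes Cisco-style `show ip arp` or Linux `ip neigh` text as input, and the sample table, the function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: Cisco-style "show ip arp" rows followed by two
# Linux "ip neigh" rows. All addresses and MACs are made up.
SAMPLE = """\
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.20.0.1          -    0200.0000.0001  ARPA  Vlan20
Internet  10.20.0.17         3    0200.0000.00aa  ARPA  Vlan20
Internet  10.20.1.42         1    0200.0000.00ee  ARPA  Vlan20
Internet  10.20.1.43         0    0200.0000.00ee  ARPA  Vlan20
Internet  10.20.2.7          0    0200.0000.00ee  ARPA  Vlan20
Internet  10.20.3.9          0    0200.0000.00ee  ARPA  Vlan20
Internet  10.20.4.4          2    Incomplete      ARPA
10.20.5.5 dev eth0 lladdr 02:00:00:00:00:ee STALE
10.20.5.6 dev eth0  FAILED
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"   # 02:00:00:00:00:ee or 02-00-...
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"     # 0200.0000.00ee
)

def normalize_mac(mac):
    """Reduce any of the three notations to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def ips_per_mac(dump):
    """Map each MAC in the dump to the set of IPv4 addresses it answers for."""
    table = defaultdict(set)
    for line in dump.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # header, Incomplete and FAILED rows carry no MAC
            table[normalize_mac(mac.group())].add(ip.group())
    return table

def suspicious_macs(dump, threshold=3, allow=()):
    """Return {mac: [ips]} for MACs holding >= threshold IPs, worst first."""
    allowed = {normalize_mac(m) for m in allow}
    hits = {m: sorted(ips) for m, ips in ips_per_mac(dump).items()
            if len(ips) >= threshold and m not in allowed}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for mac, ips in suspicious_macs(SAMPLE).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

Devices that legitimately hold several addresses, such as routers, first-hop redundancy virtual MACs and proxy-ARP hosts, belong in `allow` so they do not mask the one entry that matters.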

