[unisog] Arp spoofing attack

Darden, Patrick S. darden at armc.org
Tue Apr 29 12:27:14 GMT 2008

Classic MITM attack--but new to me is its use in this kind of scripted
malware.  Very sophisticated.  Thanks for the heads up!!


-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org]On Behalf Of Russell Fulton
Sent: Tuesday, April 29, 2008 2:31 AM
To: UNIversity Security Operations Group
Subject: [unisog] Arp spoofing attack

Just a quick heads up.  We had an incident today that took much longer
to resolve because no one immediately recognised the symptoms.  Here's
hoping that if one of you gets hit you will know what it is without
having to work it out the hard way like we did.


Service desk started getting reports of web pages with Chinese ads
inserted in them.  It rapidly became apparent that just one chunk of
our network (a /20 block) was affected (first clue).  What confused
the issue was that the initial reports all complained about pages on
our main web site, which caused us to misdirect our attention to the
content management system.

Eventually I realised that the problem was much more widespread than
just our servers and that web pages from outside were being mangled as
well.  My first reaction was some form of malware that was spreading
within the /20 network or that some name server cache had been
deliberately corrupted (it's capping week here ;) and this wasted more
time.  Then I found out that all flavours of machines were affected:
Macs, Linux and multiple Windows versions (second clue).

At this point I decided that it had to be something network related.
In parallel with this some users were sniffing the network from affected
machines and noticed lots of spurious ARP traffic (final clue).  A few
minutes poking with netdisco revealed one MAC address with *lots* of
IPs associated with it.  Disabling its switch port solved the problem.

If I had thought of ARP spoofing at 10am in the morning when I first
heard about it we could have dealt with the problem in a few minutes;
as it was, we wasted many man-hours before the penny dropped.

The machine in question had just returned from a conference in China
-- it was fully patched but had no AV.  It was a privately owned
laptop on the network without AV, in contravention of policy.  Sigh...
Oh yes, a Japanese version of Windows...

What happened:

The machine in question was infected with something that used ARP
spoofing to convince the router to send traffic for many addresses on
the network to it rather than to the real machine.  It then mangled
web pages by inserting a single line of JavaScript at the start and
then passed the traffic on to the intended recipient.

Cheers, Russell 
unisog mailing list
unisog at lists.dshield.org
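The two clues Russell describes (lots of spurious ARP traffic on the wire, and one MAC address that netdisco showed answering for lots of IPs) can both be checked mechanically from a short ARP capture. The script below is an added example for this thread, not code from the original post or from netdisco. It assumes ARP reply lines in the format printed by `tcpdump -n arp` (timestamp, `ARP, Reply <ip> is-at <mac>`), a constructed sample of such lines rather than real capture data from the incident, a hypothetical gateway address of 10.1.16.1, and a tunable threshold for how many IPs one MAC may legitimately claim. Beyond the per-MAC count from the post, it also flags any IP that two different MACs have answered for, which catches the narrower case where only the gateway is being hijacked.

```python
"""Flag ARP-spoofing symptoms in sniffed ARP traffic.

Added example for this thread, not code from the original post or from
netdisco. It assumes ARP reply lines in the format printed by
`tcpdump -n arp` and the constructed sample below; nothing here is real
capture data from the incident described.
"""
import re
from collections import defaultdict

# Constructed sample (not a real capture): a /20 segment where one MAC
# (de:ad:be:ef:00:01) answers for the gateway and several other hosts.
SAMPLE_TCPDUMP = """\
10:02:11.000001 ARP, Reply 10.1.16.1 is-at 00:11:22:33:44:01, length 28
10:02:11.000321 ARP, Reply 10.1.16.1 is-at de:ad:be:ef:00:01, length 28
10:02:11.000789 ARP, Reply 10.1.16.25 is-at de:ad:be:ef:00:01, length 28
10:02:11.001002 ARP, Request who-has 10.1.16.30 tell 10.1.16.25, length 28
10:02:11.001550 ARP, Reply 10.1.16.30 is-at 00:11:22:33:44:1e, length 28
10:02:11.002004 ARP, Reply 10.1.16.31 is-at de:ad:be:ef:00:01, length 28
10:02:11.002410 ARP, Reply 10.1.17.8 is-at de:ad:be:ef:00:01, length 28
10:02:11.002900 ARP, Reply 10.1.17.9 is-at de:ad:be:ef:00:01, length 28
10:02:11.003333 ARP, Reply 10.1.16.25 is-at 00:11:22:33:44:19, length 28
"""

# Only "is-at" replies bind an IP to a MAC; who-has requests are skipped.
REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def _ip_key(ip):
    """Sort key so 10.1.16.9 orders before 10.1.16.25."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_replies(text):
    """Return [(ip, mac), ...] for every ARP reply line in the capture."""
    replies = []
    for line in text.splitlines():
        match = REPLY_RE.search(line)
        if match:
            replies.append((match.group("ip"), match.group("mac").lower()))
    return replies


def ips_per_mac(replies):
    """Map each MAC to the set of IPs it has claimed to own."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[mac].add(ip)
    return table


def macs_per_ip(replies):
    """Map each IP to the set of MACs that have answered for it."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[ip].add(mac)
    return table


def find_spoofers(replies, max_ips=3):
    """MACs claiming more than max_ips distinct IPs: the 'one MAC with lots
    of IPs' pattern. max_ips is an assumed threshold; a router or a host
    running many VMs can legitimately exceed a low value, so tune it per
    segment."""
    return {
        mac: sorted(ips, key=_ip_key)
        for mac, ips in ips_per_mac(replies).items()
        if len(ips) > max_ips
    }


def find_contested_ips(replies):
    """IPs for which more than one MAC has replied. Catches an attacker that
    spoofs only a single target (e.g. the gateway), which the per-MAC count
    alone would miss."""
    return {
        ip: sorted(macs)
        for ip, macs in macs_per_ip(replies).items()
        if len(macs) > 1
    }


def report(text, gateways=("10.1.16.1",)):
    """Summarise both indicators. `gateways` (assumed here) are the addresses
    whose hijacking redirects the whole segment's outbound traffic."""
    replies = parse_arp_replies(text)
    contested = find_contested_ips(replies)
    return {
        "spoofers": find_spoofers(replies),
        "contested": contested,
        "gateway_hijacked": {ip: contested[ip] for ip in gateways if ip in contested},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TCPDUMP).items():
        print(f"{key}: {value}")
```

One caveat when running this against a live capture: on a switched segment a host only sees broadcast ARP (gratuitous replies, who-has requests) and frames addressed to itself, so unicast replies the attacker sends only to the router will not appear in a capture taken from an ordinary client. A mirror/SPAN port, or the switch's own MAC and ARP tables as netdisco collects them, gives the complete picture; disabling the offending switch port, as in the post, is then the immediate fix.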
