[unisog] Arp spoofing attack

Alexander Clouter alex-unisog at digriz.org.uk
Tue Apr 29 16:04:36 GMT 2008


Russell Fulton <r.fulton at auckland.ac.nz> [20080429 18:31:01 +1200]:
> Just a quick heads up.  We had an incident today that took much longer  
> to resolve because no one immediately recognised the symptoms.  Here's  
> hoping that if one of you get hit you will know what it is without  
> having to work it out the hard way like we did.
When things like that started happening we had our core routers grumbling that 
the same MAC address was appearing for two different routes (potential loop) 
on the same VLAN.  This happened because we have each VLAN HSRP'ed and both core 
boxes were getting confused... if I remember correctly (it was 18 months ago).

> Symptoms:
> Service desk started getting reports of web pages with Chinese ads  
> inserted in them.  It rapidly became apparent that just one chunk of  
> our network ( a /20 block) was affected (first clue).   What confused  
> the issue was that the initial reports all complained about pages on  
> our main web site which cause us to misdirect our attention to the  
> content management system.
> [snipped often heard ARP attack, similar to ours, a Cain & Abel job though]
> What happened:
Sounds like there is no RPF[1] configured and/or you are not VLAN'ing 
aggressively... at a *guess*.  Also all personal workstation virtual machining 
should be in NAT mode[2].  If you force people into NAT mode now it means:
1. it works over a wireless network
2. port securing becomes possible, which means ARP/IP/MAC/DHCP protection
3. 'easy' to detect by looking at IP TTLs, if you are into that thing

Although Cisco specific I know other vendors support similar things:


It's actually rather good, as it is the only non-marketing-spiel presentation 
I have stumbled on from Cisco that is more like them begging their customers 
to enable this functionality, as it is available on even their old kit for 
free.  Once enabled, ARP/DHCP/IP/MAC spoofing is difficult if not impossible.

An example of it is on my website if you need a config snippet, however 
there are other examples scattered around, even on the Cisco website:




[1] Reverse Path Filtering
[2] with the opinion that if they need it in bridging mode then obviously 
	they must be providing a service for something which really should be 
	on a server on a static IP address somewhere

/ Better to be nouveau than never to have \
\ been riche at all.                      /
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
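The port-securing the reply talks about (point 2 in the list, and the Cisco features it points at without naming them) is DHCP snooping, Dynamic ARP Inspection, IP Source Guard and port security on the access switch, plus unicast RPF on the routed side. The snippet below is an added example for this archive page; it is not the config from the author's website and not Cisco's own example. It assumes one user VLAN (10), GigabitEthernet1/0/1 as the trusted uplink towards the core, Gi1/0/2-48 as access ports, and Catalyst IOS 12.2-era syntax; all of those names and numbers are placeholders.

```cisco
! Added example, not the author's snippet. Assumed: user VLAN 10, Gi1/0/1 is
! the uplink to the HSRP'ed core, Gi1/0/2-48 are access ports.
!
! --- DHCP snooping: learns IP/MAC/port bindings from DHCP on untrusted ports
ip dhcp snooping
ip dhcp snooping vlan 10
! drop option 82 insertion if your DHCP server rejects relayed packets with it
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection: ARP that does not match a snooping binding is
! dropped, which is exactly the gateway-impersonation the thread describes
ip arp inspection vlan 10
! also check Ethernet src/dst MAC against the ARP body and reject bogus IPs
ip arp inspection validate src-mac dst-mac ip
!
! ports err-disabled by an ARP or DHCP flood come back on their own
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
!
interface GigabitEthernet1/0/1
 description uplink to core; DHCP server and gateways live beyond here
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/2 - 48
 description user access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 ! untrusted: DHCP OFFER/ACK arriving here (rogue DHCP server) is dropped
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: only the DHCP-learned IP (and, with port-security, MAC)
 ! may send; a bridged VM or a hand-set address is filtered
 ip verify source port-security
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Routed side, the RPF from footnote [1]: strict uRPF on the SVI drops
! packets whose source address is not routed back out this interface
interface Vlan10
 ip address 10.10.0.1 255.255.240.0
 ip verify unicast source reachable-via rx
```

Two things to check before turning this on across a building: hosts with static addresses on an access port have no snooping binding and will be cut off by DAI/IPSG, so give them a static entry (`ip source binding <mac> vlan 10 <ip> interface <port>`) or move them to a server VLAN as footnote [2] suggests; and enable it on one closet first, watching `show ip arp inspection statistics` and `show ip dhcp snooping binding`, since a missing trust on the uplink silently drops every DHCP offer for the VLAN.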
