[unisog] Fwd: Arp spoofing attack

Nick Buraglio buraglio at ncsa.edu
Tue Apr 29 19:15:39 GMT 2008


This message must have gotten bounced due to me mucking with my from address.....

Anyway, to really make this work, you need to use both port security and dhcp snooping. Something else that is really handy is to pull the arp entries from the edge switches and either shove them in a database to run foo against to diff them every so often. This is useful in conjunction with a few other things, say, using the data to check against hosts that have no reverse DNS or rampant changing or ifconfiging of MACs.

It's a little like arpwatch for more than one segment at a time. Of course, the edge switches should log all of this (assuming there is a central syslog server) multiple mac stuff.


nb


Begin forwarded message:
> From: Nick Buraglio <buraglio at ncsa.uiuc.edu>
> Date: April 29, 2008 12:05:40 PM CDT
> To: UNIversity Security Operations Group <unisog at lists.dshield.org>
> Subject: Re: [unisog] Arp spoofing attack
>
> As stated, a handy way to stop this kind of thing is to use something like port-security on the edge switches. I've found that if you couple this with something like dhcp snooping and you've got a pretty robust way to limit a lot of undesirable activity. I've done this on Cisco gear, I think there are similar mechanisms on other platforms. Foundry, I believe has similar features, I'm not sure about force10. The downside is the administrative overhead for changes (which are pretty easily scripted).
>
> nb
>
>
> -- 
> Nick Buraglio
> NCSA/NCDIR
> Phone: 217.244.6428
> GnuPG Key: 0x2E5B44F4
> --
>
> ----- Original Message -----
> From: "Harry Hoffman" <hhoffman at ip-solutions.net>
> To: "UNIversity Security Operations Group" <unisog at lists.dshield.org>
> Sent: Tuesday, April 29, 2008 8:09:56 AM GMT -06:00 US/Canada Central
> Subject: Re: [unisog] Arp spoofing attack
>
> Hi Russell,
>
> Hope all is going well.
>
> You might want to setup arpwatch. We use it on a trunk port to monitor
> all of our vlans for arp spoofing/poisoning.
>
> And if your students are anything like ours they enjoy downloading Cain & Abel and having a bit of fun :-(
>
> Cheers,
> Harry
>
>
> On Tue, 2008-04-29 at 18:31 +1200, Russell Fulton wrote:
>
>>
>> What happened:
>>
>> The machine in question was infected with something that used arp
>> spoofing to convince the router to send traffic for many addresses on
>> the network to it rather than to the real machine.  It then mangled
>> web pages by inserting a single line of java script at the start and
>> then passed the traffic on to the intended recipient.
>>
>> Cheers, Russell
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>

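The "pull the arp entries from the edge switches and diff them every so often" idea from the top of the thread, as an added example that is not code from the original post or from arpwatch. It assumes the ARP tables have already been scraped into (switch, vlan, ip, mac) tuples; the snapshots below are constructed, and the threshold for "one MAC claiming too many IPs" is an assumed tuning value.

```python
"""Diff periodic ARP-table snapshots from edge switches (constructed data)."""
from collections import defaultdict

# Constructed snapshots: (switch, vlan, ip, mac). In practice these would be
# pulled from the edge switches (SNMP/CLI) and stored in a database between runs.
SNAPSHOT_T0 = [
    ("sw-edge-1", 10, "10.1.10.1", "00:11:22:00:00:01"),   # router
    ("sw-edge-1", 10, "10.1.10.20", "00:11:22:00:00:20"),
    ("sw-edge-1", 10, "10.1.10.21", "00:11:22:00:00:21"),
    ("sw-edge-2", 20, "10.1.20.5", "00:11:22:00:00:05"),
]
SNAPSHOT_T1 = [
    ("sw-edge-1", 10, "10.1.10.1", "00:11:22:00:00:01"),
    ("sw-edge-1", 10, "10.1.10.20", "aa:bb:cc:dd:ee:ff"),  # now answered by another host
    ("sw-edge-1", 10, "10.1.10.21", "aa:bb:cc:dd:ee:ff"),  # same host
    ("sw-edge-1", 10, "10.1.10.22", "aa:bb:cc:dd:ee:ff"),  # new entry, same host
    ("sw-edge-2", 20, "10.1.20.5", "00:11:22:00:00:05"),
]

def index(snapshot):
    """Map (switch, vlan, ip) -> mac for one snapshot."""
    return {(sw, vlan, ip): mac for sw, vlan, ip, mac in snapshot}

def diff_arp(old, new, max_ips_per_mac=2):
    """Return (kind, detail) findings, arpwatch-style but across all switches.

    max_ips_per_mac is an assumed threshold: a station legitimately holding a
    couple of addresses is normal, one holding many on a segment is not.
    """
    before, after = index(old), index(new)
    findings = []
    for key, mac in after.items():
        prev = before.get(key)
        if prev is None:
            findings.append(("new-station", (*key, mac)))
        elif prev != mac:
            findings.append(("changed-mac", (*key, prev, mac)))
    # One MAC answering for many IPs on a segment is the symptom described in
    # the thread: a host drawing its neighbours' traffic from the router.
    per_mac = defaultdict(set)
    for (sw, vlan, ip), mac in after.items():
        per_mac[(sw, vlan, mac)].add(ip)
    for (sw, vlan, mac), ips in per_mac.items():
        if len(ips) > max_ips_per_mac:
            findings.append(("mac-claims-many-ips", (sw, vlan, mac, sorted(ips))))
    return findings

if __name__ == "__main__":
    for kind, detail in diff_arp(SNAPSHOT_T0, SNAPSHOT_T1):
        print(kind, detail)
```

Findings can be joined against reverse DNS or the switches' syslog (multiple-MAC-per-port events) as the post suggests, which is the step this snippet leaves out.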