[unisog] Arp Spoofing

Russell Fulton r.fulton at auckland.ac.nz
Tue Apr 29 21:32:53 GMT 2008


On 30/04/2008, at 6:47 AM, Kyle Evans wrote:

> I don't think port security will mitigate arp spoofing/arp  
> poisoning.  My understanding is that the attack is executed with  
> still only one mac address on the port.  The machine performing the  
> attack sends out gratuitous arp replies to fool the router into  
> thinking a certain ip address or addresses belong to its mac  
> address.  It also sends gratuitous arp replies to the other machines  
> on the network fooling them into thinking that its mac address is  
> the mac address of their default gateway.

That is exactly what happened here and yes we already use the port  
security options so that, by default, you can only have one MAC per  
port.  I know I have a switch in my office and I remember the network  
guys muttering darkly because they had to reconfigure the port and they  
interrogated me about how many MACs I would have.  I was very vague ;)

> My understanding is (for cisco switches at least) you need to  
> implement Dynamic ARP Inspection (DAI) to mitigate arp poisoning.   
> Also, DAI relies upon DHCP snooping, so you must also have that  
> enabled.
This rings a bell.  I saw this stuff in the docs for the VOIP network  
and assumed that we had it on the data network too.

Russell
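Where DAI is not available on the data switches, the gateway impersonation Kyle describes can still be spotted on a monitoring port by watching for an IP whose claimed MAC changes between ARP replies. The following is an added example, not code from the thread; the MACs, IPs and frames are constructed sample data and the gateway address is an assumption.

```python
import struct
from collections import namedtuple
from typing import Optional

ArpMsg = namedtuple("ArpMsg", "op sender_mac sender_ip target_mac target_ip")

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed sample frame: Ethernet II header + ARP reply (op=2), no FCS."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp_frame(frame: bytes) -> Optional[ArpMsg]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return ArpMsg(op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]),
                  fmt_mac(frame[32:38]), fmt_ip(frame[38:42]))

class ArpWatcher:
    """Learn IP->MAC bindings from ARP replies; a binding that changes is the
    signature of a second host claiming an address, worst of all the gateway's."""
    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip   # assumed gateway address for this segment
        self.bindings = {}             # ip -> first MAC seen claiming it
        self.alerts = []               # (severity, ip, old_mac, new_mac)

    def observe(self, frame: bytes) -> None:
        msg = parse_arp_frame(frame)
        if msg is None or msg.op != 2:   # only replies assert a binding
            return
        known = self.bindings.setdefault(msg.sender_ip, msg.sender_mac)
        if known != msg.sender_mac:
            sev = "HIGH" if msg.sender_ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((sev, msg.sender_ip, known, msg.sender_mac))

def run_demo() -> list:
    """Constructed traffic: real gateway reply, a host reply, then a rogue MAC claiming the gateway IP."""
    w = ArpWatcher("10.0.0.1")
    w.observe(build_arp_reply("00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:50", "10.0.0.50"))
    w.observe(build_arp_reply("00:11:22:33:44:50", "10.0.0.50", "00:11:22:33:44:01", "10.0.0.1"))
    w.observe(build_arp_reply("de:ad:be:ef:00:99", "10.0.0.1", "00:11:22:33:44:50", "10.0.0.50"))
    return w.alerts
```

A first-seen binding table like this is only as trustworthy as the first reply it learns, so in practice seed it from a known-good list of gateway and server MACs rather than from live traffic.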

