[unisog] Arp Spoofing

Paul FM paulfm at me.umn.edu
Wed Apr 30 01:37:48 GMT 2008

Go back 5 posts (Kyle Evans).
There is a link to a Cisco document which explains exactly what you need to 
protect against ARP spoofing (old Cisco switches / routers don't support all 
these options).

Russell Fulton wrote:
> On 30/04/2008, at 6:47 AM, Kyle Evans wrote:
>> I don't think port security will mitigate arp spoofing/arp  
>> poisoning.  My understanding is that the attack is executed with  
>> still only one mac address on the port.  The machine performing the  
>> attack sends out gratuitous arp replies to fool the router into  
>> thinking a certain ip address or addresses belong to its mac  
>> address.  It also sends gratuitous arp replies to the other machines  
>> on the network fooling them into thinking that its mac address is  
>> the mac address of their default gateway.
> That is exactly what happened here and yes we already use the port  
> security options so that, by default, you can only have one MAC per  
> port.  I know I have a switch in my office and I remember the network  
> guys muttering darkly because they had to reconfigure the port and they  
> interrogated me about how many MACs I would have.  I was very vague ;)
>> My understanding is (for Cisco switches at least) you need to  
>> implement Dynamic ARP Inspection (DAI) to mitigate arp poisoning.   
>> Also, DAI relies upon DHCP snooping, so you must also have that  
>> enabled.
> This rings a bell.  I saw this stuff in the docs for the VOIP network  
> and assumed that we had it on the data network too.
> Russell

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
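
Added example, not part of the original messages: a simplified Python model of the point made in the quoted thread, that a one-MAC-per-port limit lets spoofed ARP replies through while a DAI-style check against DHCP snooping bindings drops them. The addresses, port names and function names are constructed for illustration, and the DAI check is reduced to the IP/MAC/port match (real DAI also keys bindings by VLAN).

```python
from collections import defaultdict

# Constructed sample data. BINDINGS is what DHCP snooping would have learned:
# IP -> (MAC, access port). Gi0/1 is the uplink to the gateway and is trusted.
TRUSTED_PORTS = {"Gi0/1"}
BINDINGS = {
    "10.0.0.20": ("aa:aa:aa:aa:aa:20", "Gi0/2"),
    "10.0.0.66": ("aa:aa:aa:aa:aa:66", "Gi0/3"),
}

# (ingress port, Ethernet source MAC, ARP sender MAC, ARP sender IP)
ARP_REPLIES = [
    ("Gi0/1", "00:00:5e:00:01:01", "00:00:5e:00:01:01", "10.0.0.1"),   # real gateway
    ("Gi0/2", "aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:20", "10.0.0.20"),  # honest host
    ("Gi0/3", "aa:aa:aa:aa:aa:66", "aa:aa:aa:aa:aa:66", "10.0.0.1"),   # claims gateway IP
    ("Gi0/3", "aa:aa:aa:aa:aa:66", "aa:aa:aa:aa:aa:66", "10.0.0.20"),  # claims another host's IP
]

def port_security_permits(learned, port, src_mac, max_macs=1):
    """Port security only counts distinct source MACs seen on a port."""
    macs = learned[port]
    if src_mac in macs or len(macs) < max_macs:
        macs.add(src_mac)
        return True
    return False

def dai_permits(port, sender_mac, sender_ip):
    """Simplified DAI: on untrusted ports the ARP sender IP/MAC pair must
    match the DHCP snooping binding learned on that same port."""
    if port in TRUSTED_PORTS:
        return True
    return BINDINGS.get(sender_ip) == (sender_mac, port)

def evaluate(replies):
    """Return (sender IP, port, port-security verdict, DAI verdict) per reply."""
    learned = defaultdict(set)
    results = []
    for port, src_mac, sender_mac, sender_ip in replies:
        results.append((sender_ip, port,
                        port_security_permits(learned, port, src_mac),
                        dai_permits(port, sender_mac, sender_ip)))
    return results

if __name__ == "__main__":
    for ip, port, ps, dai in evaluate(ARP_REPLIES):
        print(f"{port} claims {ip}: port-security={'permit' if ps else 'drop'} "
              f"DAI={'permit' if dai else 'drop'}")
```

The two replies from Gi0/3 carry a single, unchanged source MAC, so the port-security check never trips; only the binding comparison rejects them.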
