[unisog] Arp Spoofing

Paul FM paulfm at me.umn.edu
Wed Apr 30 01:37:48 GMT 2008


Go back 5 posts (Kyle Evans).
There is a link to a Cisco Document which explains exactly what you need to 
protect against Arp Spoofing (Old cisco switches / routers don't support all 
these options).


Russell Fulton wrote:
> On 30/04/2008, at 6:47 AM, Kyle Evans wrote:
> 
>> I don't think port security will mitigate arp spoofing/arp  
>> poisoning.  My understanding is that the attack is executed with  
>> still only one mac address on the port.  The machine performing the  
>> attack sends out gratuitous arp replies to fool the router into  
>> thinking a certain ip address or addresses belong to its mac  
>> address.  It also sends gratuitous arp replies to the other machines  
>> on the network fooling them into thinking that its mac address is  
>> the mac address of their default gateway.
> 
> That is exactly what happened here and yes we already use the port  
> security options so that, by default, you can only have one MAC per  
> port.  I know I have a switch in my office and I remember the network  
> guys muttering darkly because they had to reconfigure the port and they  
> interrogated me about how many MACs I would have.  I was very vague ;)
> 
>>
>> My understanding is (for cisco switches at least) you need to  
>> implement Dynamic ARP Inspection (DAI) to mitigate arp poisoning.   
>> Also, DAI relies upon DHCP snooping, so you must also have that  
>> enabled.
>>
> This rings a bell.  I saw this stuff in the docs for the VOIP network  
> and assumed that we had it on the data network too.
> 
> Russell
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
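As an added illustration (not from the thread or from any Cisco document) of the check Kyle describes, the snippet below mimics what Dynamic ARP Inspection does: ARP packets arriving on untrusted ports are compared against a DHCP-snooping-style binding table, and a gratuitous reply that claims the gateway's IP from the wrong MAC or port is dropped. The binding table, port names and packets are constructed sample data.

```python
from dataclasses import dataclass

# Constructed stand-in for the DHCP snooping binding database: IP -> (MAC, port).
BINDINGS = {
    "10.0.0.1": ("00:11:22:33:44:01", "Gi1/0/1"),    # default gateway, via uplink
    "10.0.0.20": ("00:11:22:33:44:20", "Gi1/0/20"),  # host A
    "10.0.0.21": ("00:11:22:33:44:21", "Gi1/0/21"),  # host B
}
# DAI skips inspection on trusted ports (normally uplinks and DHCP server ports).
TRUSTED_PORTS = {"Gi1/0/1"}


@dataclass(frozen=True)
class ArpPacket:
    port: str        # switch port the frame arrived on
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address
    opcode: int      # 1 = request, 2 = reply (gratuitous replies are opcode 2)


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return ("permit" | "drop", reason) for one ARP packet, DAI-style."""
    if pkt.port in trusted:
        return ("permit", "trusted port, not inspected")
    entry = bindings.get(pkt.sender_ip)
    if entry is None:
        return ("drop", f"no binding for {pkt.sender_ip}")
    bound_mac, bound_port = entry
    if bound_mac.lower() != pkt.sender_mac.lower():
        return ("drop", f"{pkt.sender_ip} is bound to {bound_mac}, not {pkt.sender_mac}")
    if bound_port != pkt.port:
        return ("drop", f"{pkt.sender_ip} is bound to {bound_port}, seen on {pkt.port}")
    return ("permit", "sender IP/MAC/port match binding")


# Constructed traffic: one legitimate reply, one gateway reply on the uplink,
# and one gratuitous reply from host B's port claiming the gateway's IP.
SAMPLE = [
    ArpPacket("Gi1/0/20", "10.0.0.20", "00:11:22:33:44:20", 2),
    ArpPacket("Gi1/0/1", "10.0.0.1", "00:11:22:33:44:01", 2),
    ArpPacket("Gi1/0/21", "10.0.0.1", "00:11:22:33:44:21", 2),
]


def run(packets=SAMPLE):
    """Inspect every packet; returns a list of (packet, verdict, reason)."""
    return [(p, *inspect(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in run():
        print(f"{verdict:6} {pkt.port:9} {pkt.sender_ip:10} {pkt.sender_mac}  {reason}")
```

Without the port check, an attacker on host A's port could still be stopped only by the MAC mismatch; the port comparison also catches a spoofed source MAC.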

