TOPIC: ARP cache poisoning

ARP cache poisoning 11 years 3 months ago #9522

  • DaLight
  • Honored Member
  • Posts: 1302
  • Karma: 1
I just got back from a course on Intrusion Prevention which was pretty enlightening but quite scary. I thought I had at least a rudimentary understanding of network security issues, but was blown away by the current techniques and hacking methods and tools that are currently in use.

One of the issues dealt with is in fact the topic of this post - ARP cache poisoning. I had heard about this before but had never really understood what it meant. The technique was explained and then demonstrated by means of a "Man in the middle" attack using a popular hacking tool. Of course the effectiveness of this technique is mitigated by the fact that it can only be performed at Layer 2 and so cannot get through routers (Layer 3).

Finally to my question. Does anyone know if any solutions have been implemented in switches to counter this kind of attack? I don't mean VLANs or any such network segmentation methods. I mean if you have three PCs connected to a switch which need to speak to each other, have any clever solutions been devised at the switching level to counter ARP cache poisoning?

Re: ARP cache poisoning 11 years 3 months ago #9524

  • jwj
  • Senior Member
  • Posts: 350
  • Karma: 0
You could use port security to allow only one MAC address on that port. Just imagine if you had to do this for hundreds or thousands of ports, though? I think 802.1x would be a partial answer, but it still wouldn't stop a bored user from downloading a fun security program and testing it on the network. This would mainly prevent someone from sneaking into your facility, plugging into a wall jack, and off they go. Arpwatch is a program that lets you monitor MAC address to IP address mappings, so I think monitoring arpwatch along with the use of 802.1x would be sufficient to minimize the attack.
-Jeremy-

Re: ARP cache poisoning 11 years 3 months ago #9527

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
I agree with jwj,

ARP poisoning works by 'tricking' the switch and making it think that all MAC addresses are on the port the attacker is plugged into, therefore passing all packets through him and making him the 'man in the middle'.

With port security you can surely limit this effect by allowing only one MAC address on every port. Of course, if another switch happens to uplink to such a port, you're in trouble as it will most probably be disabled once more than 1 host is seen through it!

My personal opinion is that port security is a simple but yet effective way of dealing with such attacks.

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
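As an added illustration (not configuration posted in the thread), this is what the port-security setting jwj and Chris describe looks like on a Cisco IOS access port, with Chris's uplink caveat applied; the interface names are assumed for the example.

```text
! Access port for a single PC: learn one MAC, err-disable the port if a second appears
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Uplink to another switch: port-security is deliberately NOT enabled here,
! otherwise the port shuts down as soon as a second host is seen through it
interface GigabitEthernet1/0/24
 switchport mode trunk
!
! Optional: let an err-disabled access port come back on its own after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Check the result with `show port-security interface GigabitEthernet1/0/5`; a port that keeps tripping the violation counter is worth a visit, since it means more than one MAC is talking behind it.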

Re: ARP cache poisoning 11 years 3 months ago #9528

  • DaLight
  • Honored Member
  • Posts: 1302
  • Karma: 1
Thanks a lot guys. I knew I could count on firewall.cx for an answer!!! I'll have a look at the port security and arpwatch options.

Re: ARP cache poisoning 11 years 3 months ago #9576

  • sahirh
  • Honored Member
  • Posts: 1700
  • Karma: 0
Further, you should be aware that ARP poisoning is an attack not necessarily on the switch's ARP table but on the ARP cache of the victim workstation.

Since ARP is a stateless protocol, if I send a forged ARP packet to your system with incorrect IP-MAC mappings, your system will cache this information, allowing me to divert traffic.

ettercap.sourceforge.net

Arpwatch watches for these 'flip-flops' in IP-MAC mappings.

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
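To make the 'flip-flop' detection that jwj and Sahir mention concrete, here is an added Python example (my own code, not arpwatch itself) that keeps an arpwatch-style IP-to-MAC table, raises arpwatch's "new station", "changed ethernet address" and "flip flop" events, and runs over a constructed sequence of ARP replies in which a second MAC starts claiming the gateway's IP; all addresses are made up.

```python
from typing import Optional

class Station:
    """Current and previous MAC seen for one IP, so a revert can be recognised."""
    def __init__(self, mac: str):
        self.mac = mac
        self.prev_mac: Optional[str] = None
        self.flip_flops = 0

class ArpMonitor:
    """Mirrors arpwatch's bookkeeping: one record per IP, an event on every change."""
    def __init__(self):
        self.stations = {}

    def observe(self, ip: str, mac: str) -> Optional[tuple]:
        """Feed one ARP reply (sender IP, sender MAC); return an event tuple or None."""
        mac = mac.lower()
        st = self.stations.get(ip)
        if st is None:
            self.stations[ip] = Station(mac)
            return ("new station", ip, mac, None)
        if st.mac == mac:
            return None                        # steady state, nothing to report
        kind = "changed ethernet address"
        if st.prev_mac == mac:                 # mapping bounced back to the old MAC
            kind = "flip flop"
            st.flip_flops += 1
        old, st.prev_mac, st.mac = st.mac, st.mac, mac
        return (kind, ip, mac, old)

    def suspicious(self, threshold: int = 1) -> list:
        """IPs whose mapping has flip-flopped at least `threshold` times."""
        return [ip for ip, st in self.stations.items() if st.flip_flops >= threshold]

# Constructed sample: the genuine gateway answers, a second host then claims the
# gateway's IP, and the two keep overriding each other in the victims' caches.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway, genuine
    ("192.168.1.20", "aa:bb:cc:00:00:14"),   # an ordinary workstation
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway again, no change
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # genuine gateway reasserts itself
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # and is overridden once more
]

def run_sample() -> tuple:
    """Return (events, flagged IPs) for the constructed replies above."""
    mon = ArpMonitor()
    events = [e for e in (mon.observe(ip, mac) for ip, mac in SAMPLE_REPLIES) if e]
    return events, mon.suspicious()

if __name__ == "__main__":
    for event in run_sample()[0]:
        print(*event)
```

In a real deployment the replies would come from a sniffer on a mirror port; a single "changed ethernet address" is often just a replaced NIC, while repeated flip-flops on the gateway's IP are the signature Sahir describes.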

Re: ARP cache poisoning 11 years 3 months ago #9582

  • ping
  • Distinguished Member
  • Posts: 181
  • Karma: 0
Just did a quick Google search and found this very good article explaining what ARP cache poisoning is and how it affects ...

Here's the link

http://www.watchguard.com/infocenter/editorial/135324.asp
The greatest pleasure in life is doing what people say you can not do..!!