
ARP cache poisoning

19 years 3 months ago #9522 by DaLight
ARP cache poisoning was created by DaLight
I just got back from a course on Intrusion Prevention which was pretty enlightening but quite scary. I thought I had at least a rudimentary understanding of network security issues, but was blown away by the current techniques and hacking methods and tools that are currently in use.

One of the issues dealt with is in fact the topic of this post - ARP cache poisoning. I had heard about this before but had never really understood what it meant. The technique was explained and then demonstrated by means of a "Man in the middle" attack using a popular hacking tool. Of course the effectiveness of this technique is mitigated by the fact that it can only be performed at Layer 2 and so cannot get through routers (Layer 3).

Finally to my question. Does anyone know if any solutions have been implemented in switches to counter this kind of attack? I don't mean VLANs or any such network segmentation methods. I mean if you have three PCs connected to a switch which need to speak to each other, have any clever solutions been devised at the switching level to counter ARP cache poisoning?
19 years 3 months ago #9524 by jwj
Replied by jwj on topic Re: ARP cache poisoning
You could use port security to allow only one MAC address on that port. Just imagine if you had to do this for hundreds or thousands of ports, though? I think 802.1x would be a partial answer, but it still wouldn't stop a bored user from downloading a fun security program and testing it on the network. This would mainly prevent someone from sneaking into your facility, plugging into a wall jack, and off they go. Arpwatch is a program that lets you monitor MAC address to IP address mappings, so I think monitoring arpwatch along with the use of 802.1x would be sufficient to minimize the attack.

-Jeremy-
19 years 3 months ago #9527 by Chris
Replied by Chris on topic Re: ARP cache poisoning
I agree with jwj,

ARP poisoning works by 'tricking' the switch and making it think that all MAC addresses are on the port the attacker is plugged into, therefore passing all packets through him and making him the 'man in the middle'.

With port security you can surely limit this effect by allowing only one MAC address on every port. Of course, if another switch happens to uplink to such a port, you're in trouble as it will most probably be disabled once more than 1 host is seen through it!

My personal opinion is that port security is a simple yet effective way of dealing with such attacks.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
19 years 3 months ago #9528 by DaLight
Replied by DaLight on topic Re: ARP cache poisoning
Thanks a lot guys. I knew I could count on firewall.cx for an answer!!! I'll have a look at the port security and arpwatch options.
19 years 3 months ago #9576 by sahirh
Replied by sahirh on topic Re: ARP cache poisoning
Further, you should be aware that ARP poisoning is an attack not necessarily on the switch's ARP table but on the ARP cache of the victim workstation.

Since ARP is a stateless protocol, if I send a forged ARP packet to your system with incorrect IP-MAC mappings, your system will cache this information, allowing me to divert traffic.

ettercap.sourceforge.net

Arpwatch watches for these 'flip-flops' in IP-MAC mappings.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
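The arpwatch-style monitoring mentioned above, as an added example that is not part of the original thread or the arpwatch project: it tracks the IP-to-MAC binding announced in each ARP reply, reports changes and reverts ('flip flops'), and lists any MAC that displaced other stations on two or more IPs. The tcpdump-like log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (not captured traffic): a gateway
# (.1) and two hosts (.10, .20); later one MAC answers for .1 and .10 as well,
# then the real gateway answers again and .1 reverts to its original MAC.
SAMPLE_ARP_LOG = """\
10:00:01 Reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 Reply 192.168.1.10 is-at 00:11:22:33:44:10
10:00:03 Reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:10 Reply 192.168.1.1 is-at 00:11:22:33:44:20
10:00:10 Reply 192.168.1.10 is-at 00:11:22:33:44:20
10:00:30 Reply 192.168.1.1 is-at 00:11:22:33:44:01
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and reports changes."""

    def __init__(self):
        self.history = defaultdict(list)   # ip -> MACs seen for it, newest last
        self.displaced = defaultdict(set)  # mac -> IPs it took over from another MAC
        self.alerts = []                   # (ts, kind, ip, mac)

    def observe(self, line):
        m = ARP_REPLY_RE.match(line.strip())
        if not m:
            return None                    # not an ARP reply line, ignore
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        seen = self.history[ip]
        if not seen:
            kind = "new station"
        elif mac == seen[-1]:
            return None                    # binding unchanged, nothing to report
        elif len(seen) > 1 and mac == seen[-2]:
            kind = "flip flop"             # reverted to the previously seen MAC
        else:
            kind = "changed ethernet address"
        if kind != "new station":
            self.displaced[mac].add(ip)
        seen.append(mac)
        alert = (ts, kind, ip, mac)
        self.alerts.append(alert)
        return alert

    def suspects(self):
        """MACs that displaced other MACs on two or more IPs (gateway plus a host is
        the classic man-in-the-middle pattern). DHCP lease changes and NIC swaps also
        produce 'changed ethernet address' alerts, so single changes need triage."""
        return {mac for mac, ips in self.displaced.items() if len(ips) >= 2}


def scan(lines):
    mon = ArpMonitor()
    for line in lines:
        mon.observe(line)
    return mon
```

In a real deployment the lines would come from a capture on the segment being watched rather than a constructed string.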
19 years 3 months ago #9582 by ping
Replied by ping on topic Re: ARP cache poisoning
Just a quick Google and found this very good article explaining what ARP cache poisoning is and how it affects ??

Here's the link

www.watchguard.com/infocenter/editorial/135324.asp

The greatest pleasure in life is doing what people say you cannot do!