Solution to ARP spoofing on 3560 and 2960 switches please

Posted by Sanal Kisi on April 8, 2008, 10:54 am
Hi,

We have a Cisco 6500 as the backbone and a 3560 as router in each of
the edges (buildings). Connected to the 3560s there are 2960s. Each of
the buildings has its own VLAN/subnet.

Recently we found out that infected PCs in every building are sending
strange ARP packets and announcing themselves as the gateway of the
subnet/VLAN. As a result, instead of using the real gateway (the 3560)
all the other users start communicating with the infected PC thinking
it is the gateway.

With this strategy, the infected PC serves as the gateway when
communicating with the normal PCs but also injects extra
viruses/infections when providing data to them.

I have found that this operation is called Address Resolution Protocol
(ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
(APR). (http://en.wikipedia.org/wiki/ARP_spoofing).

As a solution DHCP spoofing (Dynamic ARP Inspection) is recommended
(http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
that the 3560s support "Dynamic ARP Inspection" but the 2960s do not.

I want to believe and hope that there is a solution available to this
problem which affects our thousands of users.

Regards.



Posted by Trendkill on April 8, 2008, 11:43 am
> Hi,
>
> We have a Cisco 6500 as the backbone and a 3560 as router in each of
> the edges (buildings). Connected to the 3560s there are 2960s. Each of
> the buildings has its own VLAN/subnet.
>
> Recently we found out that infected PCs in every building are sending
> strange ARP packets and announcing themselves as the gateway of the
> subnet/VLAN. As a result, instead of using the real gateway (the 3560)
> all the other users start communicating with the infected PC thinking
> it is the gateway.
>
> With this strategy, the infected PC serves as the gateway when
> communicating with the normal PCs but also injects extra
> viruses/infections when providing data to them.
>
> I have found that this operation is called Address Resolution Protocol
> (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
> (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).
>
> As a solution DHCP spoofing (Dynamic ARP Inspection) is recommended
> (http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
> that the 3560s support "Dynamic ARP Inspection" but the 2960s do not.
>
> I want to believe and hope that there is a solution available to this
> problem which affects our thousands of users.
>
> Regards.

Run a sniffer, and disable any port with a machine that is responding
to an ARP for the gateway address until that machine is fully
remediated.

Posted by Merv on April 8, 2008, 12:23 pm

> > I have found that this operation is called Address Resolution Protocol
> > (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
> > (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).

> > I want to believe and hope that there is a solution available to this
> > problem which affects our thousands of users.

You might want to take a look at port security - i.e. enforce 1 MAC
address per end-user port.

Also look to see if the 2960 supports the mac-move notification feature
along with perhaps the mac-address secure feature.


Posted by Merv on April 9, 2008, 11:50 am


And what about setting a secure MAC address for the gateway MAC address on
2960 switches?


Posted by News Reader on April 9, 2008, 11:15 am
Sanal Kisi wrote:
> Hi,
>
> We have a Cisco 6500 as the backbone and a 3560 as router in each of
> the edges (buildings). Connected to the 3560s there are 2960s. Each of
> the buildings has its own VLAN/subnet.
>
> Recently we found out that infected PCs in every building are sending
> strange ARP packets and announcing themselves as the gateway of the
> subnet/VLAN. As a result, instead of using the real gateway (the 3560)
> all the other users start communicating with the infected PC thinking
> it is the gateway.
>
> With this strategy, the infected PC serves as the gateway when
> communicating with the normal PCs but also injects extra
> viruses/infections when providing data to them.
>
> I have found that this operation is called Address Resolution Protocol
> (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
> (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).
>
> As a solution DHCP spoofing (Dynamic ARP Inspection) is recommended
> (http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
> that the 3560s support "Dynamic ARP Inspection" but the 2960s do not.
>
> I want to believe and hope that there is a solution available to this
> problem which affects our thousands of users.
>
> Regards.
>
>

Port Security may not address this specific issue. Although I haven't
confirmed it, I suspect the infected system will send the ARP packets
with its own MAC address in the frame, and only alter the "Sender MAC
Address" in the ARP header. If this were the case, a Port Security
violation would probably not be triggered.

Perhaps you could use a logon script that installs a permanent ARP entry
on the PCs. The logon script would be centrally managed on the Server,
and could quickly be amended if a default gateway was replaced (i.e.:
change to the gateway MAC).

ARPs containing bogus MAC/IP mappings for the default gateway would then
be ignored by the PCs.

Best Regards,
News Reader
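An added example, not posted by anyone in this thread, showing what Trendkill's "run a sniffer" approach and News Reader's frame-versus-ARP-header observation look like as detection logic. It parses raw Ethernet/ARP frames and raises two kinds of alert: an ARP packet claiming the gateway IP with a MAC other than the known gateway MAC, and an ARP packet whose Ethernet source MAC differs from the Sender MAC in the ARP header (the header-only alteration News Reader suspects would slip past port security). The gateway IP/MAC, the MAC-to-port table standing in for the switch CAM table, and all sample frames are constructed for the example; the port identifiers are assumptions, not from the original posts.

```python
"""Detect gateway ARP poisoning from sniffed frames (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    eth_src: str        # source MAC in the Ethernet header (what port security sees)
    eth_dst: str
    opcode: int         # 1 = request, 2 = reply
    sender_mac: str     # "Sender MAC Address" inside the ARP header
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return ArpFrame(
        eth_src=mac_to_str(frame[6:12]), eth_dst=mac_to_str(frame[0:6]), opcode=opcode,
        sender_mac=mac_to_str(frame[22:28]), sender_ip=ip_to_str(frame[28:32]),
        target_mac=mac_to_str(frame[32:38]), target_ip=ip_to_str(frame[38:42]),
    )


def build_arp(eth_src: str, eth_dst: str, opcode: int, sender_mac: str,
              sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a frame for the constructed samples below (Ethernet header + ARP body)."""
    header = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
    body += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    body += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return header + body


def inspect(frame: bytes, gateways: Dict[str, str]) -> List[str]:
    """Return alert kinds for one frame. gateways maps gateway IP -> legitimate MAC."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    expected = gateways.get(arp.sender_ip)
    if expected is not None and arp.sender_mac != expected:
        alerts.append("BOGUS_GATEWAY")        # someone else answers for the gateway IP
    if arp.sender_mac != arp.eth_src:
        alerts.append("MAC_MISMATCH")         # ARP header MAC != frame source MAC
    return alerts


def ports_to_disable(frames: Iterable[bytes], gateways: Dict[str, str],
                     mac_to_port: Dict[str, str]) -> Set[str]:
    """Map the frame source MAC of every bogus-gateway claim to its switch port."""
    ports = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is not None and "BOGUS_GATEWAY" in inspect(frame, gateways):
            ports.add(mac_to_port.get(arp.eth_src, "unknown-port"))
    return ports


# Constructed values: the 3560 SVI MAC for this building's subnet and a CAM snapshot.
GATEWAYS = {"10.1.1.1": "00:1a:2b:3c:4d:5e"}
MAC_TO_PORT = {"00:1a:2b:3c:4d:5e": "Gi0/1", "aa:bb:cc:dd:ee:01": "Fa0/7"}

SAMPLE_FRAMES = {
    # genuine reply from the gateway to a client
    "legit_reply": build_arp("00:1a:2b:3c:4d:5e", "aa:bb:cc:dd:ee:02", 2,
                             "00:1a:2b:3c:4d:5e", "10.1.1.1", "aa:bb:cc:dd:ee:02", "10.1.1.50"),
    # infected PC claims the gateway IP with its own MAC in both frame and header
    "poison_same_mac": build_arp("aa:bb:cc:dd:ee:01", BROADCAST, 2,
                                 "aa:bb:cc:dd:ee:01", "10.1.1.1", "00:00:00:00:00:00", "10.1.1.1"),
    # News Reader's case: own MAC in the frame, altered Sender MAC in the ARP header
    "poison_header_only": build_arp("aa:bb:cc:dd:ee:01", BROADCAST, 2,
                                    "aa:bb:cc:dd:ee:99", "10.1.1.1", "00:00:00:00:00:00", "10.1.1.1"),
    # an IPv4 frame, which the parser must ignore
    "not_arp": mac_to_bytes(BROADCAST) + mac_to_bytes("aa:bb:cc:dd:ee:02")
               + struct.pack("!H", ETHERTYPE_IPV4) + bytes(28),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:20s} {inspect(frame, GATEWAYS)}")
    print("ports to disable:", ports_to_disable(SAMPLE_FRAMES.values(), GATEWAYS, MAC_TO_PORT))
```

In practice the frames would come from a capture on a SPAN/mirror port or a host on the VLAN, and the MAC-to-port table from the switch's MAC address table; the second check only catches the header-only variant, so the gateway-mapping check is the one that must always run.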
