Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > Re: Solution to ARP spoofing on 3560 and 2960 switches please

Reply
Thread Tools

Re: Solution to ARP spoofing on 3560 and 2960 switches please

 
 
News Reader
Guest
Posts: n/a
 
      04-09-2008
Sanal Kisi wrote:
> Hi,
>
> We have a Cisco6500 as the backbone and a 3560 as router in each of
> the edges (buildings). Connected to 3560's there are 2960's. Each of
> the buildings have their own VLAN/subnets.
>
> Recently we found out that infected PC's in every building are sending
> strange ARP packets and announcing themselves as the gateway of the
> subnet/VLAN. As a result, instead of using the real gateway (the 3560)
> all the other users start communicating with the infected PC thinking
> it is the gateway.
>
> With this strategy, the infected PC serves as the gateway when
> communicting with the normal PC's but also injecting extra
> virus/infections when providing data to them.
>
> I have found that this operation is called Address Resolution Protocol
> (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
> (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).
>
> As a solution DHCP spoofing (Dynamic ARP Inspection.) is recommended
> (http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
> that, 3560's support "Dynamic ARP Inspection" but not the 2960's.
>
> I want to believe and hope that there is a solution available to this
> problem which affects our thousands of users.
>
> Regards.
>
>


Port Security may not address this specific issue. Although I haven't
confirmed it, I suspect the infected system will send the ARP packets
with its own MAC address in the frame, and only alter the "Sender MAC
Address" in the ARP header. If this were the case, a Port Security
violation would probably not be triggered.

Perhaps you could use a logon script that installs a permanent ARP entry
on the PCs. The logon script would be centrally managed on the Server,
and could quickly be amended if a default gateway was replaced (i.e.:
change to the gateway MAC).

ARPs containing bogus MAC/IP mappings for the default gateway would then
be ignored by the PCs.

Best Regards,
News Reader
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: Solution to ARP spoofing on 3560 and 2960 switches please Muffelmampf@googlemail.com Cisco 0 04-20-2008 05:37 PM
Re: Solution to ARP spoofing on 3560 and 2960 switches please News Reader Cisco 0 04-10-2008 06:17 PM
Re: Solution to ARP spoofing on 3560 and 2960 switches please Paul Matthews Cisco 0 04-09-2008 07:46 PM
Re: Solution to ARP spoofing on 3560 and 2960 switches please Trendkill Cisco 7 04-09-2008 03:50 PM
2960 (layer 2) vs 3560 (layer 3) ...considerations? Ned Cisco 3 09-15-2006 05:55 PM



Advertisments