Re: Solution to ARP spoofing on 3560 and 2960 switches please

Discussion in 'Cisco' started by News Reader, Apr 9, 2008.

  1. News Reader

    News Reader Guest

    Sanal Kisi wrote:
    > Hi,
    >
    > We have a Cisco6500 as the backbone and a 3560 as router in each of
    > the edges (buildings). Connected to 3560's there are 2960's. Each of
    > the buildings have their own VLAN/subnets.
    >
    > Recently we found out that infected PC's in every building are sending
    > strange ARP packets and announcing themselves as the gateway of the
    > subnet/VLAN. As a result, instead of using the real gateway (the 3560)
    > all the other users start communicating with the infected PC thinking
    > it is the gateway.
    >
    > With this strategy, the infected PC serves as the gateway when
    > communicating with the normal PC's but also injecting extra
    > virus/infections when providing data to them.
    >
    > I have found that this operation is called Address Resolution Protocol
    > (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
    > (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).
    >
    > As a solution DHCP spoofing (Dynamic ARP Inspection.) is recommended
    > (http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
    > that, 3560's support "Dynamic ARP Inspection" but not the 2960's.
    >
    > I want to believe and hope that there is a solution available to this
    > problem which affects our thousands of users.
    >
    > Regards.
    >
    >


    Port Security may not address this specific issue. Although I haven't
    confirmed it, I suspect the infected system will send the ARP packets
    with its own MAC address in the frame, and only alter the "Sender MAC
    Address" in the ARP header. If this were the case, a Port Security
    violation would probably not be triggered.

    Perhaps you could use a logon script that installs a permanent ARP entry
    on the PCs. The logon script would be centrally managed on the Server,
    and could quickly be amended if a default gateway was replaced (i.e.:
    change to the gateway MAC).

    ARPs containing bogus MAC/IP mappings for the default gateway would then
    be ignored by the PCs.

    Best Regards,
    News Reader
     
    News Reader, Apr 9, 2008
    #1
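
The two points in the reply above, as an added example that is not part of the original post: a port-security check only sees the frame's source MAC, while a pinned gateway IP/MAC mapping (what a permanent ARP entry gives the PC) rejects a bogus claim for the gateway. All addresses and function names are constructed for illustration.

```python
import struct

# Constructed values for illustration only (not taken from the thread).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:1a:2b:3c:4d:5e"   # the mapping a permanent ARP entry would pin
PC_MAC = "00:aa:bb:cc:dd:01"        # MAC the switch has learned for the infected PC's port

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return Ethernet source and ARP sender fields, or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa))}

def check(frame, port_allowed_mac):
    """Evaluate one frame the way each control would see it."""
    arp = parse_arp(frame)
    if arp is None:
        return None
    return {
        # Port security compares only the frame's source MAC with the port's allowed MAC.
        "port_security_violation": arp["eth_src"] != port_allowed_mac,
        # A pinned gateway entry rejects any other MAC claimed for the gateway IP.
        "bogus_gateway_claim": (arp["sender_ip"] == GATEWAY_IP
                                and arp["sender_mac"] != GATEWAY_MAC),
        # Frame source differing from the ARP sender MAC is an extra anomaly signal.
        "eth_arp_mismatch": arp["eth_src"] != arp["sender_mac"],
    }

def sample_frame(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply (bytes only, never sent) as input for check()."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (m(target_mac) + m(eth_src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
            + m(sender_mac) + ip(sender_ip) + m(target_mac) + ip(target_ip))
```

In both constructed cases where the PC claims the gateway IP, `port_security_violation` stays false while `bogus_gateway_claim` is true, which is the gap the reply describes.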