From: Sanal Kisi on
Hi,

We have a Cisco 6500 as the backbone and a 3560 as the router at each of
the edges (buildings). Connected to the 3560's there are 2960's. Each of
the buildings has its own VLAN/subnet.

Recently we found out that infected PC's in every building are sending
strange ARP packets and announcing themselves as the gateway of the
subnet/VLAN. As a result, instead of using the real gateway (the 3560)
all the other users start communicating with the infected PC thinking
it is the gateway.

With this strategy, the infected PC serves as the gateway when
communicating with the normal PC's, but also injects extra
virus/infections when providing data to them.

I have found that this operation is called Address Resolution Protocol
(ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
(APR). (http://en.wikipedia.org/wiki/ARP_spoofing).

As a solution, DHCP spoofing (Dynamic ARP Inspection) is recommended
(http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
that the 3560's support "Dynamic ARP Inspection" but the 2960's do not.

I want to believe and hope that there is a solution available to this
problem which affects our thousands of users.

Regards.


From: Trendkill on
On Apr 8, 10:54 am, Sanal Kisi <sanalk...(a)yahoo.com> wrote:

Run a sniffer, and disable any port with a machine that is responding
to an ARP for the gateway address until that machine is fully
remediated.
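
The detection step Trendkill describes, as an added Python example that is not from the thread: it scans tcpdump-style ARP reply lines and reports every MAC other than the real gateway's that answers for the gateway IP, so the offending port can be found in the switch MAC table and shut until the host is cleaned. The gateway IP/MAC and the capture lines are constructed sample data.

```python
import re
from collections import defaultdict

# Matches the textual ARP reply form tcpdump prints, e.g.
#   "10:54:01.000350 ARP, Reply 10.20.0.1 is-at 00:1b:54:aa:bb:01, length 46"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def find_gateway_spoofers(lines, gateway_ip, gateway_mac):
    """Return {mac: [timestamps]} for every MAC other than the real gateway's
    that replied 'is-at' for gateway_ip. Each MAC is then looked up on the
    edge switch (show mac address-table address <mac>) to find its port."""
    gateway_mac = gateway_mac.lower()
    offenders = defaultdict(list)
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m or m.group("ip") != gateway_ip:
            continue  # not an ARP reply, or not about the gateway address
        mac = m.group("mac").lower()  # normalise case before comparing
        if mac != gateway_mac:
            offenders[mac].append(m.group("ts"))
    return dict(offenders)


# Constructed sample capture (not real traffic): the legitimate 3560 is
# 00:1b:54:aa:bb:01; one host keeps answering for the gateway IP 10.20.0.1.
SAMPLE = """\
10:54:01.000100 ARP, Request who-has 10.20.0.1 tell 10.20.0.57, length 46
10:54:01.000350 ARP, Reply 10.20.0.1 is-at 00:1b:54:aa:bb:01, length 46
10:54:01.000900 ARP, Reply 10.20.0.1 is-at 00:0c:29:de:ad:01, length 46
10:54:02.004000 ARP, Reply 10.20.0.57 is-at 00:0c:29:11:22:33, length 46
10:54:05.120000 ARP, Reply 10.20.0.1 is-at 00:0c:29:de:ad:01, length 46
10:54:07.300000 ARP, Reply 10.20.0.1 is-at 00:1B:54:AA:BB:01, length 46
""".splitlines()

if __name__ == "__main__":
    hits = find_gateway_spoofers(SAMPLE, "10.20.0.1", "00:1b:54:aa:bb:01")
    for mac, times in hits.items():
        print(f"{mac} claimed the gateway {len(times)} times, first at {times[0]}")
```

Feed it `tcpdump -n arp` output from a SPAN port or a host on the VLAN; only replies for the gateway IP from a foreign MAC are reported.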
From: Merv on

> > I have found that this operation is called Address Resolution Protocol
> > (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
> > (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).

> > I want to believe and hope that there is a solution available to this
> > problem which affects our thousands of users.

You might want to take a look at port security, i.e. enforce 1 MAC
address per end-user port.

Also look and see if the 2960 supports the mac-move notification feature
along with perhaps the mac-address secure feature.

From: Sanal Kisi on
Hi,

This is what I have been doing since the problem arose. But in a
network like ours, with tens of buildings/subnets and thousands of
users, I'll need around 25-30 network specialists to monitor and cure
all the infections 24/7.

I hope there is a better and more practical approach.

Thanks for the answer anyway.


On Tue, 8 Apr 2008 08:43:44 -0700 (PDT), Trendkill <jpmason(a)gmail.com>
wrote:
From: Merv on
On Apr 8, 12:26 pm, Sanal Kisi <sanalk...(a)yahoo.com> wrote:


Perhaps you might want to investigate Network Admission Control.