All Along the ARP Tower!

Published: 2011-09-28
Last Updated: 2011-09-28 16:03:04 UTC
by Richard Porter (Version: 1)
4 comment(s)

Address Resolution protocol [1] in IPv4 is a method in which 48 bit ethernet addresses are matched up with network addresses. We cover many things here on the Storm Center, and lately Man in the Middle has come up often. One of the ways that Man in the middle can be achieved is via ARP Cache poisoning.

Wait, that sounds like a very old method? Shouldn’t we be protected against that?

Most of your higher end hardware have ARP validation or Dynamic ARP inspection. The question often comes up is, who has turned the feature on? [2] [3]

There are simple tools and tutorials out on the “Intertubes” that demonstrate how to achieve an ARP cache poison man-in-the-middle [4] attack, so I will not reproduce them here. This diary is to simply state that I am seeing this in my day to day operations still and to increase awareness.

In this XSS web app penetration world, we often forget the lower layers and how to best protected them. 802.1x is pervasive in the Wifi space, and with the Wired edge disappearing, perhaps that is a blessing in disguise, but how many networks implement 802.1x at the edge? Or better? Data Center?

Fortunately the last event that was encountered was simply a miss-configuration, however it does demonstrate the risks. This client also had validation turned on and detected it but that was a first that I could remember.

Question for this diary, given that MiTM [4] is on our minds lately? What, if possible for you to share, steps do you take to insure L2 protection?







Richard Porter

--- ISC Handler on Duty

Twitter: packetalien

Email: richard at isc dot sans dot edu

4 comment(s)


One of the things we do is check for ARP spoofing like activity. We poll the ARP tables every couple minutes. Every day we run a report and look for Ethernet addresses using multiple IP addresses.

Of course we have to whitelist some stuff.

In addition to IP MITM attacks, we also find misconfigured equipment and DHCP failures.
We use arpwatch ( to monitor mac address / ip changes

Port security is a great feature of Cisco switches with sticky MAC address. I also like to add protected port on DMZ switch when possible.
To second what Erik said, Cisco actually considers Port Security best practice for -every- port with a violation method.

Diary Archives