Threat Level: green Handler on Duty: Richard Porter

SANS ISC: All Along the ARP Tower! - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
All Along the ARP Tower!

Address Resolution protocol [1] in IPv4 is a method in which 48 bit ethernet addresses are matched up with network addresses. We cover many things here on the Storm Center, and lately Man in the Middle has come up often. One of the ways that Man in the middle can be achieved is via ARP Cache poisoning.

Wait, that sounds like a very old method? Shouldn’t we be protected against that?

Most of your higher end hardware have ARP validation or Dynamic ARP inspection. The question often comes up is, who has turned the feature on? [2] [3]

There are simple tools and tutorials out on the “Intertubes” that demonstrate how to achieve an ARP cache poison man-in-the-middle [4] attack, so I will not reproduce them here. This diary is to simply state that I am seeing this in my day to day operations still and to increase awareness.

In this XSS web app penetration world, we often forget the lower layers and how to best protected them. 802.1x is pervasive in the Wifi space, and with the Wired edge disappearing, perhaps that is a blessing in disguise, but how many networks implement 802.1x at the edge? Or better? Data Center?

Fortunately the last event that was encountered was simply a miss-configuration, however it does demonstrate the risks. This client also had validation turned on and detected it but that was a first that I could remember.

Question for this diary, given that MiTM [4] is on our minds lately? What, if possible for you to share, steps do you take to insure L2 protection?

 

 

[1] http://tools.ietf.org/html/rfc826

[2] http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dynarp.html

[3] http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-routing-vol1/html/ip-config8.html

[4] http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Richard Porter

--- ISC Handler on Duty

Twitter: packetalien

Email: richard at isc dot sans dot edu

Richard

164 Posts
ISC Handler
One of the things we do is check for ARP spoofing like activity. We poll the ARP tables every couple minutes. Every day we run a report and look for Ethernet addresses using multiple IP addresses.

Of course we have to whitelist some stuff.

In addition to IP MITM attacks, we also find misconfigured equipment and DHCP failures.
Anonymous
We use arpwatch (http://ee.lbl.gov/) to monitor mac address / ip changes

Regards
Anonymous
Port security is a great feature of Cisco switches with sticky MAC address. I also like to add protected port on DMZ switch when possible.
Anonymous
To second what Erik said, Cisco actually considers Port Security best practice for -every- port with a violation method.
Matt Guza

5 Posts

Sign Up for Free or Log In to start participating in the conversation!