Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ARP poisoning troubleshooting

Posted on 2014-11-20
8
Medium Priority
?
117 Views
Last Modified: 2014-12-04
It looks like my network got attacked by ARP poisoning. I see spoofing MAC addresses. When I shut down one, another one po up somewhere else. I am not sure how to deal with this. Any thoughts will be greatly appreciated. Thanks
0
Comment
Question by:leblanc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 500 total points
ID: 40455448
Defence depends on options that are available on switch.
Manufacturer?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40456864
many switches allow you to shut down a port if more than a certain number of mac addresses are seen from it - that is the usual method (if you have it). Cisco call that "port security" and obviously other vendors call it something else :)

As Predrag says, we would need further info to give a more detailed answer.
0
 
LVL 1

Author Comment

by:leblanc
ID: 40458013
Sorry, My network is all Juniper ex2200 and ex4200. So if I understand correctly, you can shut down some of the ports now to stop this issue? Thx
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 33

Accepted Solution

by:
Dave Howe earned 1500 total points
ID: 40458122
Its a little more subtle than that.

As I read this page by setting a mac limit of (say) 5 you can say that any port on the switch will only accept the first five mac addresses it sees, and any mac addresses beyond those will be dropped (silently) and the action logged.

this means that you can both mitigate the extra macs and identify which port the spoofer is connected to, in order to track them down.

you can also hard-lock certain macs to certain ports if you wish - so that the port will only accept that one mac or list of macs - but that is considerable administrative overhead unless the attached nics are pretty static.

my reading is that, in config mode, at the ethernet-switching-options>>secure-access-port level, the command

set interface all mac-limit 5

would cause the mac limit to go to 5 and drop as the action (default)

you might first want to clear already learned macs with

clear ethernet-switching-table

to prevent any valid users being accidentally locked out by this move; you can also clear down individual ports with the same command (and a final argument of the port should you want to just release one port) should a sixth device (laptop, say) be added to a port legitimately in future.
0
 
LVL 1

Author Comment

by:leblanc
ID: 40458941
When you set interface all mac-limit 5, will it set for all access ports? I have a stack of 4 48-port switches.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1500 total points
ID: 40459391
the <all> designates the port on the switch (as in all of them) - you can substitute the actual port if you want to do this at a finer grained level (see the link I posted)
it will need doing per switch, and you should also set the switches to send their logs via syslog to a central machine so you can monitor them for the drop alerts.
0
 
LVL 1

Author Comment

by:leblanc
ID: 40460830
That is a very good idea. I will try that. Now what if my access port is connected to an AP. There are a lot of hosts going through an AP. Correct? So how will I deal with that? Thanks
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 1500 total points
ID: 40460864
normally you wouldn't do that with a trunk port, and a AP counts as a trunk (so, exclude the links between switches too)

if its an AP though, normally it will have its own mac table and so forth, and you will have to deal with that separately.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question