Solved

ARP Spoofing

Posted on 2015-02-09
9
160 Views
Last Modified: 2015-02-20
We have a Windows network. For the last 5 days we have been facing different kinds of issues. Our company network and the internet go down for no reason.
When I tracked the problem, I figured out that there is ARP spoofing all over the network. We have formatted the suspicious systems but we still face this issue. We have also been checking and testing with the Wireshark application. When we formatted the suspicious systems, Wireshark again showed new suspicious systems. We have a physical firewall and antivirus on every system.

Please suggest any lead to follow and resolve the issue.
0
Comment
Question by:Deadman
9 Comments
 
LVL 70

Accepted Solution

by:
Qlemo earned 134 total points
ID: 40598923
Most likely the "suspicious systems" are victims, not the offender.
You can check your switch ports' ARP tables for too many entries. If there is only one device connected, only one ARP address should be contained.
You can also check the ARP Reply messages (display filter arp.opcode == 2). It should be obvious if a device sends out spoofed messages because of the sheer amount coming from the same MAC, but different IP.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40598930
Is your network private or do you have public access on it?

Have you identified the devices which are doing the ARP spoofing?

It is possible (depending on the switches you have) to identify and block devices that are doing ARP spoofing, but we would need to know the manufacturer and model number to determine if that's possible.
0
 
LVL 7

Author Comment

by:Deadman
ID: 40598949
It is a private network. We are using a Cyberoam firewall and a D-Link DGS-1500-28 switch. We also checked the switch ARP settings, but it didn't work.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40598966
What device are these hosts spoofing?  The default-gateway? A server?

The DGS1500 does have ARP spoofing prevention available, so you could implement that.

But I'd still be looking for why this is happening.
0
 
LVL 7

Author Comment

by:Deadman
ID: 40599012
Mostly the default-gateway, but our gateway is the firewall IP. The DGS1500 does have ARP spoofing prevention. We tried that; it didn't work, or there is something I may have missed. Please guide me on configuring ARP spoofing prevention in the switch. I will cross-check with my configuration to see what was missed.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 133 total points
ID: 40599052
Right.  That's what ARP spoofing is.

A device sends out an ARP response with its MAC address and the IP of the default-gateway.  When the other hosts on the network receive this, they create an entry that shows the correct IP address of the default-gateway, but the MAC address is that of the bogus device. Now all traffic going to the internet from that host will be sent to the bogus device.  This creates a man-in-the-middle attack which lets the spoofing device see all traffic from that host destined for the internet.

The important task here is to determine why that device is ARP spoofing.
0
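Added example (not from any of the posters): a small Python script that applies Qlemo's check to the ARP Reply messages Wireshark shows under the filter arp.opcode == 2, and flags the pattern Don describes, a second MAC answering for the gateway IP. The sample "IP is at MAC" lines, the gateway address 192.168.1.1 and the spoofing MAC 00:11:22:33:44:99 are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of the Wireshark "Info" column for ARP replies
# (display filter arp.opcode == 2). 192.168.1.1 is the gateway/firewall;
# 00:11:22:33:44:99 is a made-up host answering for several IPs.
SAMPLE_ARP_REPLIES = """\
192.168.1.1 is at 00:11:22:33:44:01
192.168.1.10 is at 00:11:22:33:44:10
192.168.1.1 is at 00:11:22:33:44:99
192.168.1.20 is at 00:11:22:33:44:20
192.168.1.10 is at 00:11:22:33:44:99
192.168.1.20 is at 00:11:22:33:44:99
192.168.1.1 is at 00:11:22:33:44:99
192.168.1.30 is at 00:11:22:33:44:30
"""

REPLY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) is at ([0-9A-Fa-f:]{17})$")


def parse_arp_replies(text):
    """Return a list of (sender_ip, sender_mac) from 'IP is at MAC' lines."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def find_spoof_candidates(replies, gateway_ip, max_ips_per_mac=1):
    """Two signs of ARP spoofing in a capture:
    1. more than one MAC answering for the gateway IP (victims' ARP caches
       end up mapping the gateway IP to the wrong MAC);
    2. one MAC answering for many different IPs (the "same MAC, different
       IP" pattern Qlemo describes).
    Returns (sorted MACs claiming the gateway, {mac: sorted IPs} over the limit).
    """
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
    gateway_claimants = sorted(macs_by_ip[gateway_ip])
    multi_ip_macs = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                     if len(ips) > max_ips_per_mac}
    return gateway_claimants, multi_ip_macs


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_ARP_REPLIES)
    claimants, multi = find_spoof_candidates(replies, "192.168.1.1")
    print("MACs answering for the gateway:", claimants)
    print("MACs answering for several IPs:", multi)
```

With a real capture, export the Info column of the filtered replies to a text file and feed it to parse_arp_replies; the MAC that shows up under both checks is the port to trace on the switch.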
 
LVL 12

Assisted Solution

by:andreas
andreas earned 233 total points
ID: 40600419
To find out which device is spoofing you have 2 choices.

1. If your switch allows it, set the ports (ALL OF THEM) to learn and restrict, so only the first MAC that appeared on that port is allowed; when the MAC on that port is spoofed, the port will be disabled or, depending on configuration, an alert is sent out.

2. If your switch does not support this, it's easiest to shut down ALL systems except a newly set up test station with Wireshark and see if the spoofing is still happening. If yes, it's one of your network equipment components (switches, routers, access points, etc.). If the problem stopped after all PCs and servers were down, then boot up all servers one by one and check for a while if the problem comes back.
If all servers are up and the problem is still not there, boot up all clients one by one and see if the problem comes back.

If you have plenty of devices in the segment you can also take a half-and-half approach to turning the devices back on: first turn on the first half and check if the problem comes back; if yes, turn all off and turn back on half of that half, etc. This approach is faster than one by one on larger installations, given that only a few systems are affected.

Of course you only need to do this in the LAN segment where the problem occurs; for segments and servers/devices behind a gateway/router you don't need to do this, only for devices that communicate directly on the same segment.
0
 
LVL 7

Author Comment

by:Deadman
ID: 40602483
Thanks for your useful info. If we format all suspicious computers, will it solve our issue? If not, please share an article, PDF file or link on ARP spoofing to understand it better.
0
 
LVL 12

Assisted Solution

by:andreas
andreas earned 233 total points
ID: 40602690
Of course reformatting and setting them up from a CLEAN image/backup will resolve the issue, once you have found out which stations are spoofing.

Reformatting is state of the art for cleaning up compromised systems. Cleaning with scanners and tools may not be complete, and even if the spoofing stopped, there might be other parts of the malware still active.
So your plan to reformat them is the correct way to clean up the mess.

Once you have cleaned up, you should think about how this malware could enter your network, to prevent a new infection.

It's also wise to change all passwords that were used on the infected systems: user logins, admin logins if used there, webpage/email logins if used from compromised hosts. If you use unencrypted authentication internally you NEED TO RESET ALL PASSWORDS that were ever used in the time the network was infected with the ARP spoofer. The spoofing machines could read any traffic in the segment, so all cleartext communication should be considered compromised.
0
