Solved

ARP Spoofing

Posted on 2015-02-09
Last Modified: 2015-02-20
We have a Windows network. For the last 5 days we have been facing different kinds of issues. Our company network and the internet go down for no reason.
When I tracked the problem I figured out that ARP spoofing is all over the network. We have formatted suspicious systems but still we face this issue. We are also checking and testing with the Wireshark application. When we formatted the suspicious systems, Wireshark again showed new suspicious systems. We have a physical firewall and antivirus on every system.

Please suggest any lead to follow and resolve the issue.
Question by: Deadman
9 Comments
Accepted Solution by Qlemo (LVL 68, earned 134 total points)
Most likely the "suspicious systems" are victims, not the offender.
You can check your switch ports' ARP tables for overly many entries. If there is only one device connected, only one ARP address should be contained.
You can also check the ARP Reply messages (display filter arp.opcode == 2). It should be obvious if a device sends out spoofed messages because of the sheer number coming from the same MAC, but for different IPs.
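The Wireshark check in the answer above (keep only ARP replies, then look for one MAC answering for many IPs) can be scripted over a capture. The following is an added example, not code from the thread or from any of the products mentioned in it: it builds a handful of constructed Ethernet/ARP frames, parses them the way a capture tool would, and reports any MAC that replied for more than one IP as well as any IP that was claimed by more than one MAC (the gateway being claimed by two MACs is the classic symptom).

```python
"""Added example (not from the thread): spot ARP-reply spoofing in captured
frames the way the Wireshark check above does.  Only ARP replies (opcode 2)
are counted; a MAC that answers for several IPs, or an IP answered by several
MACs, is flagged.  All frames below are constructed sample data."""
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, opcode):
    """Build an Ethernet II + ARP frame (used only to construct sample data)."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # hw=Ethernet, proto=IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP
    frame, or None for anything else (non-ARP, truncated, odd lengths)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _hw, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if proto != 0x0800 or hlen != 6 or plen != 4:
        return None
    return opcode, mac_str(frame[22:28]), ip_str(frame[28:32])


def find_spoofers(frames, max_ips_per_mac=1):
    """Equivalent of display filter 'arp.opcode == 2' followed by grouping.
    Returns ({mac: [ips it replied for]}, {ip: [macs that replied for it]}),
    keeping only entries that break the expected one-MAC-per-IP mapping."""
    ips_by_mac, macs_by_ip = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue                 # requests are normal; only replies poison caches
        _, mac, ip = parsed
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    noisy_macs = {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > max_ips_per_mac}
    contested_ips = {i: sorted(m) for i, m in macs_by_ip.items() if len(m) > 1}
    return noisy_macs, contested_ips


# Constructed sample capture: a legitimate gateway reply, a normal host reply,
# one request, and one station answering for the gateway and two other hosts.
GATEWAY_MAC, GATEWAY_IP = "aa:bb:cc:dd:ee:01", "192.168.1.1"
ROGUE_MAC = "02:de:ad:be:ef:99"            # constructed, not a real IoC
SAMPLE_FRAMES = [
    build_arp_frame(GATEWAY_MAC, GATEWAY_IP, "02:00:00:00:00:10", "192.168.1.10", ARP_REPLY),
    build_arp_frame("02:00:00:00:00:10", "192.168.1.10", GATEWAY_MAC, GATEWAY_IP, ARP_REPLY),
    build_arp_frame("02:00:00:00:00:20", "192.168.1.20", "00:00:00:00:00:00", GATEWAY_IP, ARP_REQUEST),
    build_arp_frame(ROGUE_MAC, GATEWAY_IP, "02:00:00:00:00:10", "192.168.1.10", ARP_REPLY),
    build_arp_frame(ROGUE_MAC, "192.168.1.20", "02:00:00:00:00:10", "192.168.1.10", ARP_REPLY),
    build_arp_frame(ROGUE_MAC, "192.168.1.30", "02:00:00:00:00:10", "192.168.1.10", ARP_REPLY),
    b"\x00" * 20,                            # junk / non-ARP data, ignored by the parser
]

if __name__ == "__main__":
    noisy, contested = find_spoofers(SAMPLE_FRAMES)
    for mac, ips in noisy.items():
        print(f"{mac} replied for {len(ips)} IPs: {', '.join(ips)}")
    for ip, macs in contested.items():
        print(f"{ip} was claimed by: {', '.join(macs)}")
```

On a real capture the same grouping can be done directly from tshark output, e.g. `tshark -r capture.pcapng -Y "arp.opcode == 2" -T fields -e arp.src.hw_mac -e arp.src.proto_ipv4 | sort | uniq -c`; the sender MAC that appears with many different IPs is the one to pull off the switch port.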
Expert Comment by Don Johnston (LVL 50)
Is your network private or do you have public access on it?

Have you identified the devices which are doing the ARP spoofing?

It is possible (depending on the switches you have) to identify and block devices that are doing ARP spoofing, but we would need to know the manufacturer and model number to determine if that's possible.
Author Comment by Deadman (LVL 7)
It's a private network. We are using a Cyberoam firewall and a D-Link DGS-1500-28 switch. We also checked the switch ARP settings but it didn't work.
Expert Comment by Don Johnston (LVL 50)
What device are these hosts spoofing? The default gateway? A server?

The DGS-1500 does have ARP spoofing prevention available, so you could implement that.

But I'd still be looking for why this is happening.
 
Author Comment by Deadman (LVL 7)
Mostly the default gateway, but our gateway is the firewall IP. The DGS-1500 has ARP spoofing prevention; we tried that and it didn't work, or maybe I missed something. Please guide me on configuring ARP spoofing prevention in the switch. I will cross-check it with my configuration to see what was missed.
Assisted Solution by Don Johnston (LVL 50, earned 133 total points)
Right. That's what ARP spoofing is.

A device sends out an ARP response with its MAC address and the IP of the default gateway. When the other hosts on the network receive this, they create an entry that shows the correct IP address of the default gateway but the MAC address is that of the bogus device. Now all traffic going to the internet from that host will be sent to the bogus device. This creates a man-in-the-middle attack which lets the spoofing device see all traffic from that host destined for the internet.

The important task here is to determine why that device is ARP spoofing.
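The switch-side "ARP spoofing prevention" mentioned in this thread works against exactly the reply described above: the administrator binds the gateway IP to the gateway's real MAC, and the switch drops any ARP message on an access port that claims that IP with a different MAC. The model below is an added example and not D-Link's or anyone else's implementation; it adds a second, optional rule (a port accepts only the first MAC it learned) and feeds both rules a constructed sequence of ARP messages, so the reader can see which messages a binding alone stops and which it does not.

```python
"""Added example (not from the thread, not a vendor implementation): a model
of managed-switch ARP inspection.  Rule 1: a protected gateway IP may only be
claimed by its configured MAC.  Rule 2 (optional): an access port accepts only
the first MAC learned on it.  ARP messages are plain dicts constructed inline;
'op' 1 is a request, 2 is a reply, 'smac'/'sip' are the sender fields."""


class ArpGuard:
    def __init__(self, gateway_bindings, port_lock=True):
        self.bindings = {ip: mac.lower() for ip, mac in gateway_bindings.items()}
        self.port_lock = port_lock
        self.port_macs = {}          # port -> first MAC learned on that port
        self.alerts = []             # human-readable log of every drop

    def inspect(self, port, arp):
        """Return 'forward' or 'drop' for one ARP message seen on `port`."""
        sip, smac = arp["sip"], arp["smac"].lower()
        expected = self.bindings.get(sip)
        if expected is not None and smac != expected:
            self.alerts.append(f"port {port}: {smac} claims gateway {sip} (expected {expected})")
            return "drop"
        if self.port_lock:
            learned = self.port_macs.setdefault(port, smac)
            if learned != smac:
                self.alerts.append(f"port {port}: MAC {smac} seen, port locked to {learned}")
                return "drop"
        return "forward"

    def run(self, messages):
        """Apply inspect() to a list of (port, arp_message) pairs in order."""
        return [self.inspect(port, arp) for port, arp in messages]


# Constructed sample: real gateway on uplink port 1, a normal host on port 5,
# and a station on port 7 that first claims the gateway, then another host's
# IP with its own MAC, then appears with a second MAC.
GATEWAY_BINDINGS = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}
SAMPLE_MESSAGES = [
    (1, {"op": 2, "smac": "aa:bb:cc:dd:ee:01", "sip": "192.168.1.1"}),
    (5, {"op": 2, "smac": "02:00:00:00:00:10", "sip": "192.168.1.10"}),
    (7, {"op": 2, "smac": "02:de:ad:be:ef:99", "sip": "192.168.1.1"}),    # rule 1 drops this
    (7, {"op": 2, "smac": "02:de:ad:be:ef:99", "sip": "192.168.1.20"}),   # not a bound IP: forwarded
    (7, {"op": 2, "smac": "02:00:00:00:00:10", "sip": "192.168.1.10"}),   # rule 2 drops this
]


def demo(port_lock=True):
    guard = ArpGuard(GATEWAY_BINDINGS, port_lock=port_lock)
    verdicts = guard.run(SAMPLE_MESSAGES)
    return verdicts, guard.alerts


if __name__ == "__main__":
    verdicts, alerts = demo()
    for (port, arp), verdict in zip(SAMPLE_MESSAGES, verdicts):
        print(f"port {port}: {arp['smac']} -> {arp['sip']}: {verdict}")
    print("\n".join(alerts))
```

The fourth message shows why the thread keeps insisting on finding the infected host: a gateway binding only protects the IPs you listed, so a station claiming some other host's IP still gets through unless the switch also locks ports to a single MAC (or you use full dynamic ARP inspection against a DHCP snooping table, which the thread does not cover).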
Assisted Solution by andreas (LVL 11, earned 233 total points)
To find out which device is spoofing you have 2 choices.

1. If your switch allows it, set the ports (ALL OF THEM) to learn and restrict, so only the first MAC that appeared on that port is allowed; when the MAC on that port is spoofed the port will be disabled or, depending on configuration, an alert is sent out.

2. If your switch does not support this, it's easiest to shut down ALL systems, except a newly set up test station with Wireshark, and see if spoofing is still happening. If yes, it's one of your network equipment components (switches, routers, access points, etc.). If after all PCs and servers are down the problem stopped, then boot up all servers one by one and check for a while if the problem comes back.
If all servers are up and the problem is still not there, boot up all clients one by one and see if the problem comes back.

If you have plenty of devices in the segment you can also do a half-half approach on turning the devices back on. First turn on the first half and check if the problem comes back; if yes, turn off all and turn back on half of that half, etc. This approach is faster than one by one on larger installations, given that only a few systems are affected.

Of course you only need to do this in the LAN segment where the problem occurs; for segments and servers/devices behind a gateway/router you don't need to do this, only for devices that directly communicate on the same segment.
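The halving procedure in option 2 is an adaptive group test, and writing it down makes the bookkeeping (which groups still need to be split, how many power-on rounds it costs) explicit. The code below is an added example, not from the thread: `still_spoofing(powered_on)` stands in for the manual step of powering on only those devices and watching the test station's Wireshark capture for a while, and is simulated here with a constructed network of 4 servers and 40 clients in which two machines are infected. It also carries the "everything off except the test station" check from the start of option 2, which points at the network gear itself.

```python
"""Added example (not from the thread): the halving search from option 2 as a
group test.  `still_spoofing(group)` is the observation the author makes by
hand (power on only `group`, watch Wireshark).  Assumption, labelled here and
in the lead-in: any single infected device powered on is enough to bring the
spoofing back, so a half that tests clean needs no further splitting."""


def find_spoofing_devices(devices, still_spoofing):
    """Return (culprits, rounds).  `culprits` is None when spoofing is seen
    with no device powered on (suspect switches, APs, routers); otherwise it
    is the list of devices whose presence brings the spoofing back.  `rounds`
    counts power-on/observe cycles.  List servers before clients in `devices`
    to keep the servers-first order from the answer."""
    rounds = 0

    def observe(group):
        nonlocal rounds
        rounds += 1
        return still_spoofing(group)

    if observe([]):                  # only the clean test station is up
        return None, rounds

    culprits = []

    def search(group):
        if not observe(group):       # whole group clean: skip it entirely
            return
        if len(group) == 1:          # narrowed to one device
            culprits.append(group[0])
            return
        mid = len(group) // 2
        search(group[:mid])
        search(group[mid:])

    search(list(devices))
    return culprits, rounds


# Constructed network: 4 servers, 40 clients, two of them infected.
SERVERS = [f"srv-{i:02d}" for i in range(1, 5)]
CLIENTS = [f"pc-{i:02d}" for i in range(1, 41)]
ALL_DEVICES = SERVERS + CLIENTS
INFECTED = {"srv-03", "pc-17"}       # hidden truth the search has to recover


def simulated_network(powered_on):
    """Stand-in for the Wireshark observation: spoofing appears as soon as
    any infected device is powered on."""
    return any(device in INFECTED for device in powered_on)


if __name__ == "__main__":
    found, rounds = find_spoofing_devices(ALL_DEVICES, simulated_network)
    print(f"culprits: {found} after {rounds} rounds (vs {len(ALL_DEVICES)} one by one)")
```

With 44 devices the simulated search needs 20 observe rounds instead of 44, and the gap widens with the number of devices; each round still has to be long enough for the spoofer to show up in the capture, which is why the answer says to "check for a while".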
Author Comment by Deadman (LVL 7)
Thanks for your useful info. If we format all suspicious computers, will that solve our issue? If not, please share an article, PDF file or link on ARP spoofing to understand it better.
Assisted Solution by andreas (LVL 11, earned 233 total points)
Of course reformatting and setting them up from a CLEAN image/backup will resolve the issue, once you have found out which stations are spoofing.

Reformatting is state of the art for cleaning up compromised systems. Cleaning with scanners and tools may not be total, and even if the spoofing stopped, there might be other parts of the malware still active.
So your plan to reformat them is the correct way to clean up the mess.

Once you have cleaned up you should think about how this malware could enter your network, to prevent a new infection.

It's also wise to change all passwords that were used on the infected systems: user logins, admin logins if used there, webpage/email logins if used from compromised hosts. If you use unencrypted authentication internally you NEED TO RESET ALL PASSWORDS that were ever used in the time the network was infected with the ARP spoofer. The spoofed machines could read any traffic in the segment, so all cleartext communication should be considered compromised.