Solved

ARP Spoofing

Posted on 2015-02-09
152 Views
Last Modified: 2015-02-20
We have a Windows network. For the last 5 days we have been facing different kinds of issues. Our company network and the internet go down for no reason.
When I tracked the problem, I figured out that there is ARP spoofing all over the network. We have formatted the suspicious systems but we still face this issue. We are also checking and testing with the Wireshark application. After we formatted the suspicious systems, Wireshark again showed new suspicious systems. We have a physical firewall and antivirus on every system.

Please suggest any lead to follow and resolve the issue.
Question by:Deadman
9 Comments
 
LVL 69

Accepted Solution

by:
Qlemo earned 134 total points
ID: 40598923
Most likely the "suspicious systems" are victims, not the offender.
You can check your switch ports' ARP tables for too many entries. If there is only one device connected, only one ARP address should be contained.
You can also check the ARP Reply messages (display filter arp.opcode == 2). It should be obvious if a device sends out spoofed messages because of the sheer amount coming from the same MAC but with different IPs.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40598930
Is your network private or do you have public access on it?

Have you identified the devices which are doing the ARP spoofing?

It is possible (depending on the switches you have) to identify and block devices that are doing ARP spoofing, but we would need to know the manufacturer and model number to determine if that's possible.
 
LVL 7

Author Comment

by:Deadman
ID: 40598949
It's a private network. We are using a Cyberoam firewall and a D-Link DGS 1500 28 switch. We also checked the switch ARP settings but it didn't work.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40598966
What device are these hosts spoofing?  The default-gateway? A server?

The DGS1500 does have ARP spoofing prevention available, so you could implement that.

But I'd still be looking for why this is happening.
 
LVL 7

Author Comment

by:Deadman
ID: 40599012
Mostly the default-gateway, but our gateway is the firewall IP.  The DGS1500 has ARP spoofing prevention. We tried that; it didn't work, or there may be something I missed. Please guide me on configuring ARP spoofing prevention in the switch. I will cross-check with my configuration to see what was missed.
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 133 total points
ID: 40599052
Right.  That's what ARP spoofing is.

A device sends out an ARP response with its MAC address and the IP of the default-gateway.  When the other hosts on the network receive this, they create an entry that shows the correct IP address of the default-gateway, but the MAC address is that of the bogus device. Now all traffic going to the internet from that host will be sent to the bogus device.  This creates a man-in-the-middle attack which lets the spoofing device see all traffic from that host destined for the internet.

The important task here is to determine why that device is ARP spoofing.
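The two symptoms described in Qlemo's and Don Johnston's comments (one MAC answering for many IPs, and the gateway IP answered by a second MAC) can be checked offline from an ARP-reply export. The following is an added example, not code from the thread; the MACs and IPs are constructed, and the offender and "true" gateway MAC are planted sample values.

```python
from collections import defaultdict

# Constructed sample of ARP replies, as tshark would print them with
#   tshark -r capture.pcap -Y "arp.opcode == 2" -T fields \
#          -e arp.src.hw_mac -e arp.src.proto_ipv4
# One tab-separated line per reply: sender MAC, sender IP.
# de:ad:be:ef:00:99 is the planted offender answering for several IPs.
SAMPLE_EXPORT = """\
aa:bb:cc:00:00:01\t192.168.1.1
aa:bb:cc:00:00:10\t192.168.1.10
de:ad:be:ef:00:99\t192.168.1.1
de:ad:be:ef:00:99\t192.168.1.10
de:ad:be:ef:00:99\t192.168.1.20
aa:bb:cc:00:00:20\t192.168.1.20
de:ad:be:ef:00:99\t192.168.1.1
"""

def parse_replies(text):
    """Yield (mac, ip) tuples from the tab-separated export; MACs lowercased."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2:
            yield parts[0].lower(), parts[1]

def analyze_replies(replies, max_ips_per_mac=1):
    """Index replies both ways and return the two spoofing symptoms:
    MACs answering for more IPs than allowed (Qlemo's check) and IPs
    answered by more than one MAC (the gateway conflict Don describes)."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for mac, ip in replies:
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    greedy_macs = {m: sorted(v) for m, v in ips_by_mac.items()
                   if len(v) > max_ips_per_mac}
    conflicts = {ip: sorted(v) for ip, v in macs_by_ip.items() if len(v) > 1}
    return greedy_macs, conflicts

def gateway_impostors(conflicts, gateway_ip, true_gateway_mac):
    """MACs other than the known gateway MAC that answered for the gateway IP."""
    return [m for m in conflicts.get(gateway_ip, []) if m != true_gateway_mac.lower()]

if __name__ == "__main__":
    greedy, conflicts = analyze_replies(parse_replies(SAMPLE_EXPORT))
    print("MACs claiming several IPs:", greedy)
    print("IPs with conflicting MACs:", conflicts)
    print("gateway impostors:", gateway_impostors(conflicts, "192.168.1.1", "aa:bb:cc:00:00:01"))
```

Raise max_ips_per_mac for hosts that legitimately answer for several addresses (a router doing proxy ARP, a server with secondary IPs), otherwise they show up next to the real offender.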
 
LVL 11

Assisted Solution

by:andreas
andreas earned 233 total points
ID: 40600419
To find out which device is spoofing you have 2 choices.

1. If your switch allows it, set the ports (ALL OF THEM) to learn and restrict, so only the first MAC that appeared on that port is allowed; when the MAC on that port is spoofed, the port will be disabled or, depending on configuration, an alert is sent out.

2. If your switch does not support this, it's easiest to shut down ALL systems except a newly set up test station with Wireshark and see if spoofing is still happening. If yes, it's one of your network equipment components (switches, routers, access points, etc.). If, after all PCs and servers are down, the problem stopped, then boot up all servers one by one and check for a while if the problem comes back.
If all servers are up and the problem is still not there, boot up all clients one by one and see if the problem comes back.

If you have plenty of devices in the segment, you can also take a half-and-half approach to turning the devices back on. First turn on the first half and check if the problem comes back; if yes, turn off all and turn back on half of that half, etc. This approach is faster than one by one on larger installations, given that only a few systems are affected.

Of course you only need to do this in the LAN segment where the problem occurs. For segments and servers/devices behind a gateway/router you don't need to do this, only for devices that communicate directly on the same segment.
 
LVL 7

Author Comment

by:Deadman
ID: 40602483
Thanks for your useful info. If we format all suspicious computers, will it solve our issue? If not, please share an article, PDF file or link on ARP spoofing so we can understand it better.
 
LVL 11

Assisted Solution

by:andreas
andreas earned 233 total points
ID: 40602690
Of course reformatting and setting them up from a CLEAN image/backup will resolve the issue, once you have found out which stations are spoofing.

Reformatting is state of the art for cleaning up compromised systems. Cleaning with scanners and tools may not be total, and even if the spoofing stopped, there might be other parts of the malware still active.
So your plan to reformat them is the correct way to clean up the mess.

Once you have cleaned up, you should think about how this malware could enter your network, to prevent a new infection.

It's also wise to change all passwords that were used on the infected systems: user logins, admin logins if used there, webpage/email logins if used from compromised hosts. If you use unencrypted authentication internally you NEED TO RESET ALL PASSWORDS that were ever used in the time the network was infected with the ARP spoofer. The spoofing machines could read any traffic in the segment, so all cleartext communication should be considered compromised.