ARP Spoofing

We have a Windows network. For the last 5 days we have been facing different kinds of issues. Our company network and the internet go down for no reason.
When I tracked the problem I figured out that ARP spoofing is happening all over the network. We have formatted the suspicious systems but still face this issue. We have also been checking and testing with the Wireshark application. After we formatted the suspicious systems, Wireshark again showed new suspicious systems. We have a physical firewall and antivirus on every system.

Please suggest any lead to follow and resolve the issue.
Deadman (IT Consultant) asked:
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Most likely the "suspicious systems" are victims, not the offender.
You can check your switch ports' ARP tables for too many entries. If only one device is connected to a port, only one ARP entry should be present.
You can also check the ARP Reply messages (display filter arp.opcode == 2). It should be obvious if a device sends out spoofed messages because of the sheer number coming from the same MAC but with different IPs.
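The check Qlemo describes can be automated once the replies are exported from Wireshark. The following is an added example, not code from the thread: it assumes the capture was dumped with tshark as tab-separated fields (frame number, arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4), keeps only opcode 2 (replies), and reports any MAC that answers for several IPs as well as any IP that more than one MAC has answered for. All addresses in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample in the layout that this (assumed) tshark invocation prints:
#   tshark -r capture.pcap -Y arp -T fields -e frame.number -e arp.opcode \
#          -e arp.src.hw_mac -e arp.src.proto_ipv4
# Every MAC and IP below is made up for the example.
SAMPLE_TSHARK_OUTPUT = """\
1\t1\t00:11:22:33:44:10\t192.168.1.10
2\t2\t00:11:22:33:44:01\t192.168.1.1
3\t2\t00:11:22:33:44:11\t192.168.1.11
4\t2\tde:ad:be:ef:00:99\t192.168.1.1
5\t2\tde:ad:be:ef:00:99\t192.168.1.10
6\t2\tde:ad:be:ef:00:99\t192.168.1.11
7\t2\tde:ad:be:ef:00:99\t192.168.1.1
8\t1\t00:11:22:33:44:12\t192.168.1.1
9\t2\t00:11:22:33:44:12\t192.168.1.12
"""

ARP_REPLY = 2  # the opcode that the display filter "arp.opcode == 2" selects


def parse_arp_replies(text):
    """Return [(frame, mac, ip)] for ARP replies only; requests (opcode 1) are dropped."""
    replies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, opcode, mac, ip = line.split("\t")
        if int(opcode) == ARP_REPLY:
            replies.append((int(frame), mac.lower(), ip))
    return replies


def macs_answering_for_many_ips(replies, min_ips=2):
    """MACs that have sent replies on behalf of min_ips or more distinct IPs.

    A normal host answers for exactly one address; a router interface or a
    proxy-ARP device is the usual legitimate exception, so whitelist those."""
    ips_by_mac = defaultdict(set)
    for _, mac, ip in replies:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= min_ips}


def ips_claimed_by_many_macs(replies):
    """IPs for which more than one MAC has replied: these are the hijacked addresses."""
    macs_by_ip = defaultdict(set)
    for _, mac, ip in replies:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def suspect_macs(replies, known_good=()):
    """Offender candidates: MACs answering for many IPs, minus operator-approved ones
    (e.g. the firewall's LAN interface). Victims are deliberately not listed here,
    because a victim's MAC also shows up in the per-IP conflicts."""
    approved = {m.lower() for m in known_good}
    return sorted(set(macs_answering_for_many_ips(replies)) - approved)


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_TSHARK_OUTPUT)
    print("ARP replies seen:", len(replies))
    print("one MAC, many IPs:", macs_answering_for_many_ips(replies))
    print("one IP, many MACs:", ips_claimed_by_many_macs(replies))
    print("suspects:", suspect_macs(replies, known_good=["00:11:22:33:44:01"]))
```

In the sample the made-up MAC de:ad:be:ef:00:99 replies for the gateway and two hosts, so it is the only suspect, while 192.168.1.1 and 192.168.1.11 appear as hijacked addresses. The switch port carrying the suspect MAC (visible in the switch's MAC table) is the next place to look.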
Don Johnston (Instructor) commented:
Is your network private or do you have public access on it?

Have you identified the devices which are doing the ARP spoofing?

It is possible (depending on the switches you have) to identify and block devices that are doing ARP spoofing, but we would need to know the manufacturer and model number to determine if that's possible.
Deadman (IT Consultant, Author) commented:
It's a private network. We are using a Cyberoam firewall and a D-Link DGS-1500-28 switch. We also checked the switch ARP settings but it didn't work.
Don Johnston (Instructor) commented:
What device are these hosts spoofing? The default gateway? A server?

The DGS1500 does have ARP spoofing prevention available, so you could implement that.

But I'd still be looking for why this is happening.
Deadman (IT Consultant, Author) commented:
Mostly the default gateway, but our gateway is the firewall IP. The DGS1500 has ARP spoofing prevention; we tried it but it didn't work, or there is something I may have missed. Please guide me on configuring ARP spoofing prevention in the switch; I will cross-check it against my configuration to see what was missed.
Don Johnston (Instructor) commented:
Right. That's what ARP spoofing is.

A device sends out an ARP response with its MAC address and the IP of the default gateway. When the other hosts on the network receive this, they create an entry that shows the correct IP address of the default gateway but the MAC address of the bogus device. Now all traffic going to the internet from those hosts will be sent to the bogus device. This creates a man-in-the-middle attack which lets the spoofing device see all traffic from those hosts destined for the internet.

The important task here is to determine why that device is ARP spoofing.
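The symptom Don describes, a correct gateway IP paired with the wrong MAC, can be verified on each Windows host from its own ARP cache. The following is an added example, not from the thread: it parses the text layout that "arp -a" prints on Windows, compares the cached gateway MAC with the MAC recorded from the firewall itself, and lists any MAC that is cached against more than one IP. The sample output and all addresses are constructed.

```python
import re

# Constructed sample in the layout Windows "arp -a" prints; every address is made up.
# On this host the gateway entry (192.168.1.1) already carries the bogus device's MAC.
SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-99     dynamic
  192.168.1.11          00-11-22-33-44-11     dynamic
  192.168.1.12          de-ad-be-ef-00-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache entry: IPv4 address, hyphen-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def normalise_mac(mac):
    """Accept 00-11-22-33-44-01 or 00:11:22:33:44:01 and return lowercase colon form."""
    return mac.lower().replace("-", ":")


def parse_arp_a(text):
    """Return {ip: mac} for unicast entries only; broadcast and multicast are skipped."""
    table = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # interface banner, column header, blank line
        ip, mac, _entry_type = match.groups()
        mac = normalise_mac(mac)
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # never a host, never worth flagging
        table[ip] = mac
    return table


def check_gateway(table, gateway_ip, expected_mac):
    """Compare the cached gateway MAC with the value taken from the firewall's own interface."""
    cached = table.get(gateway_ip)
    expected = normalise_mac(expected_mac)
    if cached is None:
        return "no entry for gateway"
    if cached != expected:
        return f"POISONED: {gateway_ip} resolves to {cached}, expected {expected}"
    return "ok"


def duplicated_macs(table):
    """MACs cached against more than one IP; on a flat LAN that is usually the spoofing host."""
    ips_by_mac = {}
    for ip, mac in table.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    cache = parse_arp_a(SAMPLE_ARP_A)
    # The expected MAC is a constructed value standing in for the firewall's real LAN MAC.
    print(check_gateway(cache, "192.168.1.1", "00-11-22-33-44-01"))
    print("same MAC for several IPs:", duplicated_macs(cache))
```

Run on every host during the outage, the check tells you which hosts are currently poisoned and which MAC they are being redirected to; that MAC, not the poisoned hosts, is what to hunt for in the switch's MAC table. Until the offender is found, pinning the gateway as a static entry on critical hosts (on Windows, via "netsh interface ipv4 add neighbors") is a stopgap, not a fix.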
andreas (System Admin) commented:
To find out which device is spoofing you have 2 choices.

1. If your switch allows it, set the ports (ALL OF THEM) to learn and restrict, so only the 1st MAC that appeared on that port is allowed; when a MAC on that port is spoofed, the port will be disabled or, depending on configuration, an alert is sent out.

2. If your switch does not support this, it's easiest to shut down ALL systems except a newly set up test station with Wireshark and see if spoofing is still happening. If yes, it's one of your network equipment components (switches, routers, access points, etc.). If, after all PCs and servers are down, the problem stopped, then boot up all servers one by one and check for a while if the problem comes back.
If all servers are up and the problem is still not there, boot up all clients one by one and see if the problem comes back.

If you have plenty of devices in the segment you can also do a half-and-half approach when turning the devices back on. Turn on the first half and check if the problem comes back; if yes, turn off all and turn back on half of that half, etc. This approach is faster than one by one on larger installations, given that only a few systems are affected.

Of course you only need to do this in the LAN segment where the problem occurs; for segments and servers/devices behind a gateway/router you don't need to do this, only for devices that directly communicate on the same segment.
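The half-and-half procedure above is a group test, and it is worth seeing why it needs fewer power cycles than one by one, and how it still works when more than one station is infected. The following is an added example, not from the thread: the "is spoofing still seen" check is modelled as a callable that takes the set of devices currently powered on, and the device names and offenders are constructed.

```python
def isolate_offenders(devices, still_spoofing):
    """Group-testing form of andreas' half-and-half procedure.

    devices:        names of all stations in the LAN segment.
    still_spoofing: callable taking the list of stations to power on (everything
                    else stays off) and returning True if spoofed replies are
                    still seen on the Wireshark test station.
    Returns the sorted list of stations that cause spoofing on their own.
    """
    found = []

    def search(group, known_positive):
        # A group already known to contain an offender needs no re-test.
        if not known_positive and not still_spoofing(group):
            return
        if len(group) == 1:
            found.append(group[0])
            return
        mid = len(group) // 2
        left, right = group[:mid], group[mid:]
        if still_spoofing(left):
            search(left, True)
            search(right, False)   # the right half may hold a second offender
        else:
            search(right, True)    # the group was positive, so the offender is on the right

    search(list(devices), False)
    return sorted(found)


def simulate(devices, offenders):
    """Drive the search against a constructed LAN and count the power cycles used."""
    calls = {"n": 0}

    def still_spoofing(powered_on):
        calls["n"] += 1
        return bool(set(powered_on) & offenders)

    return isolate_offenders(devices, still_spoofing), calls["n"]


# Constructed segment: 16 stations, two of them infected.
SAMPLE_DEVICES = [f"PC-{i:02d}" for i in range(16)]
SAMPLE_OFFENDERS = {"PC-07", "PC-13"}

if __name__ == "__main__":
    found, cycles = simulate(SAMPLE_DEVICES, SAMPLE_OFFENDERS)
    print("offenders:", found, "found after", cycles, "power cycles instead of 16")
```

Each test round corresponds to one "turn these on, watch Wireshark for a while" step, so the number of rounds is the real cost; with one or two offenders among 16 stations the halving search needs roughly ten rounds where one by one needs sixteen, and the gap grows with the segment size.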
Deadman (IT Consultant, Author) commented:
Thanks for your useful info. If we format all suspicious computers, will it solve our issue? If not, please share an article, PDF file or link on ARP spoofing to better understand it.
andreas (System Admin) commented:
Of course reformatting and setting them up from a CLEAN image/backup will resolve the issue, once you have found out which stations are spoofing.

Reformatting is state of the art for cleaning up compromised systems. Cleaning with scanners and tools may not be total, and even if the spoofing stopped, there might be other parts of the malware still active.
So your plan to reformat them is the correct way to clean up the mess.

Once you have cleaned up you should think about how this malware could enter your network to prevent a new infection.

It's also wise to change all passwords that were used on the infected systems: user logins, admin logins if used there, webpage/email logins if used from compromised hosts. If you use unencrypted authentication internally you NEED TO RESET ALL PASSWORDS that were ever used in the time the network was infected with the ARP spoofer. The spoofing machines could read any traffic in the segment, so all cleartext communication should be considered compromised.