  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 171
  • Last Modified:

ARP Spoofing

We have a Windows network. For the last 5 days we have been facing a different kind of issue. Our company network and the internet go down for no reason.
When I tracked the problem I figured out that there is ARP spoofing all over the network. We have formatted the suspicious systems but we still face this issue. We have also been checking and testing with the Wireshark application. When we formatted the suspicious systems, Wireshark again showed new suspicious systems. We have a physical firewall and antivirus on every system.

Please suggest any lead to follow and resolve the issue.
0
Asked by: Deadman
4 Solutions
 
Qlemo (C++ Developer) commented:
Most likely the "suspicious systems" are victims, not the offender.
You can check your switch ports' ARP tables for overly many entries. If there is only one device connected, only one ARP address should be contained.
You can also check the ARP Reply messages (display filter arp.opcode == 2). It should be obvious if a device sends out spoofed messages because of the sheer amount coming from the same MAC, but different IP.
0
 
Don Johnston (Instructor) commented:
Is your network private or do you have public access on it?

Have you identified the devices which are doing the ARP spoofing?

It is possible (depending on the switches you have) to identify and block devices that are doing ARP spoofing, but we would need to know the manufacturer and model number to determine if that's possible.
0
 
Deadman (Author) commented:
It's a private network. We are using a Cyberoam firewall and a D-Link DGS 1500 28 switch. We also checked the switch ARP settings but it didn't work.
0
 
Don Johnston (Instructor) commented:
What device are these hosts spoofing? The default gateway? A server?

The DGS1500 does have ARP spoofing prevention available, so you could implement that.

But I'd still be looking for why this is happening.
0
 
Deadman (Author) commented:
Mostly the default gateway, but our gateway is the firewall IP. The DGS1500 has ARP spoofing prevention; we tried that, but it didn't work, or maybe I missed something. Please guide me on how to configure ARP spoofing prevention in the switch. I will cross-check it with my configuration to see what was missed.
0
 
Don Johnston (Instructor) commented:
Right. That's what ARP spoofing is.

A device sends out an ARP response with its MAC address and the IP of the default gateway. When the other hosts on the network receive this, they create an entry that shows the correct IP address of the default gateway but the MAC address is that of the bogus device. Now all traffic going to the internet from that host will be sent to the bogus device. This creates a man-in-the-middle attack which lets the spoofing device see all traffic from that host destined for the internet.

The important task here is to determine why that device is ARP spoofing.
0
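As an added example that is not code from any of the commenters, the script below applies the two checks described in this thread, Qlemo's "same MAC, different IP" signal in the ARP replies (display filter arp.opcode == 2) and Don Johnston's description of a host answering for the default gateway's IP. It reads tab-separated lines of the form "frame source MAC, ARP sender MAC, ARP sender IP"; the sample lines are constructed, and the export command they imitate is an assumption, e.g. tshark -r capture.pcap -Y "arp.opcode == 2" -T fields -e eth.src -e arp.src.hw_mac -e arp.src.proto_ipv4. The gateway MAC passed in should be read from the firewall itself, not from an ARP cache that may already be poisoned.

```python
from collections import defaultdict

# Constructed sample (not a real capture). Columns: frame source MAC,
# ARP sender MAC, ARP sender IP, as an assumed tshark field export
# of ARP replies (arp.opcode == 2) would print them.
SAMPLE_ARP_REPLIES = """\
00:11:22:33:44:01\t00:11:22:33:44:01\t192.168.1.1
00:11:22:33:44:02\t00:11:22:33:44:02\t192.168.1.10
00:11:22:33:44:02\t00:11:22:33:44:02\t192.168.1.1
00:11:22:33:44:02\t00:11:22:33:44:02\t192.168.1.20
00:11:22:33:44:02\t00:11:22:33:44:02\t192.168.1.21
00:11:22:33:44:03\t00:11:22:33:44:03\t192.168.1.30
00:11:22:33:44:04\t00:11:22:33:44:99\t192.168.1.1
"""


def parse_arp_replies(text):
    """Return (eth_src, arp_sender_mac, arp_sender_ip) tuples, lower-cased."""
    records = []
    for line in text.splitlines():
        parts = [p.strip().lower() for p in line.split("\t")]
        if len(parts) != 3 or not all(parts):
            continue  # skip blank or malformed lines
        records.append(tuple(parts))
    return records


def analyse_arp_replies(records, gateway_ip, gateway_mac=None):
    """Flag the patterns the thread describes:
    - one sender MAC answering for more than one IP;
    - MACs other than the real gateway's answering for the gateway IP
      (or, when the real gateway MAC is unknown, more than one claimant);
    - frames whose Ethernet source differs from the ARP sender MAC, which
      is unusual on a plain LAN and worth a look.
    """
    reply_counts = defaultdict(int)
    ips_by_mac = defaultdict(set)
    gateway_claimants = set()
    frame_sender_mismatch = set()

    for eth_src, arp_mac, arp_ip in records:
        reply_counts[arp_mac] += 1
        ips_by_mac[arp_mac].add(arp_ip)
        if arp_ip == gateway_ip:
            gateway_claimants.add(arp_mac)
        if eth_src != arp_mac:
            frame_sender_mismatch.add(eth_src)

    multi_ip_macs = {mac: sorted(ips)
                     for mac, ips in ips_by_mac.items() if len(ips) > 1}

    suspects = set(multi_ip_macs) | frame_sender_mismatch
    if gateway_mac is not None:
        # Real gateway MAC known: every other claimant is a suspect.
        suspects |= gateway_claimants - {gateway_mac.lower()}
    elif len(gateway_claimants) > 1:
        # Unknown: all claimants need checking against the firewall.
        suspects |= gateway_claimants

    return {
        "reply_counts": dict(reply_counts),
        "multi_ip_macs": multi_ip_macs,
        "gateway_claimants": sorted(gateway_claimants),
        "suspects": sorted(suspects),
    }


if __name__ == "__main__":
    recs = parse_arp_replies(SAMPLE_ARP_REPLIES)
    report = analyse_arp_replies(recs, "192.168.1.1",
                                 gateway_mac="00:11:22:33:44:01")
    for mac in report["suspects"]:
        print(f"suspect {mac}: {report['reply_counts'].get(mac, 0)} ARP replies,"
              f" claimed IPs {report['multi_ip_macs'].get(mac, [])}")
```

The flagged MACs are leads, not verdicts: a router doing proxy ARP or a host with several addresses will legitimately answer for more than one IP. The next step is the one Qlemo gives, looking each suspect MAC up in the switch's port table to find the physical port and host behind it.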
 
andreas (System Admin) commented:
To find out which device is spoofing you have 2 choices.

1. If your switch allows it, set the ports (ALL OF THEM) to learn and restrict, so only the first MAC that appeared on that port is allowed; when the MAC on that port is spoofed the port will be disabled or, depending on configuration, an alert is sent out.

2. If your switch does not support this, it's easiest to shut down ALL systems except a newly set up test station with Wireshark and see if spoofing is still happening. If yes, it's one of your network equipment components (switches, routers, access points, etc.). If, after all PCs and servers are down, the problem stopped, then boot up all servers one by one and check for a while if the problem comes back.
If all servers are up and the problem is still not there, boot up all clients one by one and see if the problem comes back.

If you have plenty of devices in the segment you can also do a half-half approach when turning the devices back on. First turn on the first half and check if the problem comes back; if yes, turn off all and turn back on half of that half, etc. This approach is faster than one by one on larger installations, given that only a few systems are affected.

Of course you only need to do this in the LAN segment where the problem occurs. For segments and servers/devices behind a gateway/router you don't need to do this, only for devices that directly communicate on the same segment.
0
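The half-half procedure in option 2 above is a bisection, and the following added example (mine, not the commenter's) writes it out so the number of power-on/observe rounds can be compared with a one-by-one sweep. The function spoofing_observed is a hypothetical stand-in for the manual step "power on these devices, watch Wireshark for a while, report whether spoofed ARP replies appear"; make_simulated_check builds a constructed version of it for testing. The code also covers the two cases the post mentions: spoofing seen with everything off (a network component is the source) and more than one infected host, which a single halving pass would miss.

```python
def isolate_one(candidates, spoofing_observed):
    """Narrow a list known to contain at least one spoofer down to one device
    by powering on half of the remaining candidates per round."""
    while len(candidates) > 1:
        mid = len(candidates) // 2
        first_half = candidates[:mid]
        if spoofing_observed(frozenset(first_half)):
            candidates = first_half        # a spoofer is in this half
        else:
            candidates = candidates[mid:]  # this half is clean, look in the rest
    return candidates[0]


def isolate_all(devices, spoofing_observed):
    """Apply the procedure to a whole segment.

    spoofing_observed(powered_on) is a hypothetical oracle standing for the
    manual check with exactly those devices powered on.
    """
    if spoofing_observed(frozenset()):
        # Spoofing with every PC and server off: a network component
        # (switch, router, access point) is the source.
        return {"infrastructure_suspected": True, "culprits": []}

    remaining = list(devices)
    culprits = []
    # Re-check the remaining set after each find so that several infected
    # hosts are all located, not only the first one.
    while remaining and spoofing_observed(frozenset(remaining)):
        found = isolate_one(remaining, spoofing_observed)
        culprits.append(found)
        remaining.remove(found)
    return {"infrastructure_suspected": False, "culprits": culprits}


def make_simulated_check(true_culprits):
    """Constructed oracle for testing: spoofing appears whenever any infected
    device is powered on. Records each round so the cost can be counted."""
    calls = []

    def spoofing_observed(powered_on):
        calls.append(sorted(powered_on))
        return bool(powered_on & true_culprits)

    spoofing_observed.calls = calls
    return spoofing_observed


if __name__ == "__main__":
    segment = [f"pc-{i:02d}" for i in range(1, 25)]   # constructed: 24 clients
    check = make_simulated_check({"pc-07", "pc-19"})  # constructed: two infected
    result = isolate_all(segment, check)
    print(result, "after", len(check.calls), "power-on/observe rounds")
```

With 24 clients and two infected hosts the simulation needs 12 observe rounds instead of 24, and the gap grows with the segment size. Each real round has to last long enough for the spoofer to send its ARP replies, which is why the post says to "check for a while" before deciding a half is clean.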
 
Deadman (Author) commented:
Thanks for your useful info. If we format all the suspicious computers, will it solve our issue? If not, please share an article, PDF file or link on ARP spoofing to understand it better.
0
 
andreas (System Admin) commented:
Of course reformatting and setting them up from a CLEAN image/backup will resolve the issue, once you have found out which stations are spoofing.

Reformatting is state of the art for cleaning up compromised systems. Cleaning with scanners and tools may not be total, and even if the spoofing stopped, there might be other parts of the malware still active.
So your plan to reformat them is the correct way to clean up the mess.

Once you have cleaned up you should think about how this malware could enter your network, to prevent a new infection.

It's also wise to change all passwords that were used on the infected systems: user logins, admin logins if used there, webpage/email logins if used from compromised hosts. If you use unencrypted authentication internally you NEED TO RESET ALL PASSWORDS that were ever used in the time the network was infected with the ARP spoofer. The spoofing machines could read any traffic in the segment, so all cleartext communication should be considered compromised.
0
