Re: against illegal arp update

From: Cedric Blancher (blancher@cartel-securite.fr)
Date: Tue Mar 11 2003 - 01:19:24 PST

Next message: Arjan Hulsebos: "Unknown attack, possible trojan?"

Previous message: Curt Wilson: "Re: [Full-Disclosure] Bypassing Black Ice PC protection?"
In reply to: SB CH: "against illegal arp update"
Next in thread: Greg A. Woods: "Re: against illegal arp update"
Reply: Greg A. Woods: "Re: against illegal arp update"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le lun 10/03/2003 a 10:04, SB CH a ecrit :
> Today someone(I don't know who) which use same network(/20), has updated 
> our arp information into non-existent mac information. so I can't connect 
> toward the server.
> the number of the servers which can't connect are so high, so I can't set 
> all ips into mac at the router or switch.
> Surely, I use arpwatch. But I can't find any information about it.

Arpwatch is a tool that monitors ethernet trafic in order to detect
MAC/IP couples and spot changes. In a switched environment, this can
only be done on ethernet broadcast stuff. For ARP cache poisoning uses
unicast messages, such as directed ARP requests or ARP replies, it is
difficult for arpwatch to achieve its detection task. So, a determined
attacker can be clever enough to launch a quite silent attack, to
realise DoS or traffic interception.

> I know that one can fake his ip and update illegal arp information against 
> some ip which is a same network.

See http://www.arp-sk.org/ for details about this attacks and their
consequences.

I could notice that ARP cache poisoning sometimes sometimes leads to DoS
as side effect, when "incorrectly" used ;)

> Is it a virus or illegal attack?

I am not aware of any virus that uses ARP cache poisoning...

> How can I solve this incident?

The only efficient solution is static ARP cache, but it is an horrible
pain to maintain. You can also use MAC based filtering, but it is as
painful.
Unfortunalty, NT/2k does not support static ARP cache. They have
"permanent" ARP cache, meaning user set entries do not expire, but can
be updated. Unices have static ARP cache.

In a switched environment, arpwatch has to listen to a monitor port to
be fully efficient. Prelude IDS (http://www.prelude-ids.org/) and Snort
have both modules that can detect ARP level attacks.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security expert  - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: Arjan Hulsebos: "Unknown attack, possible trojan?"
Previous message: Curt Wilson: "Re: [Full-Disclosure] Bypassing Black Ice PC protection?"
In reply to: SB CH: "against illegal arp update"
Next in thread: Greg A. Woods: "Re: against illegal arp update"
Reply: Greg A. Woods: "Re: against illegal arp update"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 09:27:26 PST