ARP poisioning the only way?

Printable View

August 14th, 2006, 07:44 PM
dcarveror

ARP poisioning the only way?

Is arp poisioning the only way to view switched traffic from a single node. I would like to see how vulnerable my network is to this attack, however I do not want this to result in a DOS.

Also I guess it would be nice to know how to secure the network against an arp DOS attack.
August 14th, 2006, 08:21 PM
Opus00

Your switch is most likely vulnerable to arp poisoning. The only way I can recall to aid in preventing arp poisoning is to bind the actual MAC address for each device to the associated port on the switch.

Now your question is a little cryptic. You seem to be concerned with arp poison, but your question asked if it was the only way to see traffic accross the switch. The answer is no.

Depending on the sophistication of your switch you could do what is called "Span port" or "port mirroring". In both cases your are specifying, via the config, a single port on the switch that is to receive traffic from any of the ports to all of the ports of the switch.

Quick and dirty answer, but I hope it helps
August 15th, 2006, 01:21 AM
ammo

(Depending on what you meant by or if the emphasis was on "from a single node")

There are other means also:

1- mac table flooding: spoof enough source mac addresses to overload the switch's mac-table (mac/port mapping table).

2- Not directly a switch level attack, but you can MITM traffic if by claiming to be the best HSRP router (if you use HSRP). Of course this will only affect routed traffic...

3- Depending on the network layout, some MITM may be possible using STP on a double-homed network....

Cisco has a good write-up on L2 issues:
http://www.cisco.com/en/US/netsol/ns...8014870f.shtml

Ammo
August 15th, 2006, 01:27 AM
treanglin

Well how big is your network, because if you are only working with like 10 or so nodes and the computer performing the test has like 512 MB of memory or more then I don't think you'd have a DoS problem. I've seen a 2 gigahertz computer with 1 gig of ram perform an APR attack on 100+ nodes for over 3 hours without causing a Denial of service. Also if you are using a program like Ettercap or Cain and Abel. you can select specific machines that you want to target, this way, you can prevent an entire network denial of service. (In the incident mentioned above incomming and outgoing traffic was being rerouted for each single machine!)
August 15th, 2006, 02:38 AM
dcarveror

One wan connection to the internet(2 mb/s). The section of the network I am on has 200 nodes. And it has a wan connection to another building(who connects to the internet through my portion of the network{1 mb/s}). That section of the network has 50 - 100 nodes. My laptop has 512 Ram and some of it is taken for video when in WIndows.
August 15th, 2006, 04:10 AM
treanglin

Hmmmm.....I'm pretty sure that you shouldn't be trying to do APR on a WAN connection the ISP's permission.

You might want to read up on network segmentation and switching and do some testing in a smaller lab before going at this man.

Yes it's a lot of reading but Don't get lazy....check this stuff out...IT'S GOOD STUFF!

==http://www.cisco.com/en/US/tech/tk389/tsd_technology_support_category_home.html

Also, to answer the question on how to secure the network on APR DoS....I think this may help:

== http://www.governmentsecurity.org/archive/t14083.html