
Thread: ARP poisoning the only way?

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    7

    ARP poisoning the only way?

    Is ARP poisoning the only way to view switched traffic from a single node? I would like to see how vulnerable my network is to this attack; however, I do not want this to result in a DoS.

    Also, I guess it would be nice to know how to secure the network against an ARP DoS attack.

  2. #2
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    Your switch is most likely vulnerable to ARP poisoning. The only way I can recall to aid in preventing ARP poisoning is to bind the actual MAC address for each device to the associated port on the switch.

    Now your question is a little cryptic. You seem to be concerned with ARP poisoning, but your question asked if it was the only way to see traffic across the switch. The answer is no.

    Depending on the sophistication of your switch, you could do what is called a "SPAN port" or "port mirroring". In both cases you are specifying, via the config, a single port on the switch that is to receive traffic from any of the ports to all of the ports of the switch.

    Quick and dirty answer, but I hope it helps.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.
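To make concrete what the original poster is asking about and what Opus00's MAC-to-port binding is meant to stop, here is an added example that is not code from the thread: it builds the unsolicited ARP reply a poisoning tool sends (raw bytes in the RFC 826 layout), parses such frames back, and runs a small arpwatch-style detector that alerts when an IP address suddenly claims a different MAC. All addresses and the traffic sequence are constructed for the example, and the class and function names are my own, not those of any tool named in the thread.

```python
import struct

# Constructed addresses for this example (not from the thread).
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:55"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:aa:bb:cc:dd:01"
ATTACKER_MAC = "00:de:ad:be:ef:00"

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply in the RFC 826 layout (42 bytes).

    A poisoning tool sends this unsolicited: sender_ip is the address it wants
    to hijack (e.g. the gateway) and sender_mac is the attacker's own NIC. Most
    stacks update their cache with the (sender_ip -> sender_mac) pair anyway."""
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=reply(2)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
                + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth_hdr + arp_hdr + arp_body


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if
    the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return (opcode, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]),
            fmt_mac(frame[32:38]), fmt_ip(frame[38:42]))


class ArpWatch:
    """Minimal arpwatch-style detector: remember the first MAC seen for each IP
    and report any later ARP that claims a different MAC for that IP."""

    def __init__(self):
        self.bindings = {}   # ip -> mac first seen
        self.alerts = []     # (ip, expected_mac, claimed_mac)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            # Keep the original binding so every further poison reply alerts too.
            self.alerts.append((sender_ip, known, sender_mac))


def run_scenario():
    """Constructed traffic: gateway and victim exchange legitimate replies, then
    an attacker on the segment poisons both sides (the two-way redirection that
    puts the attacker in the middle of the victim <-> gateway path)."""
    watch = ArpWatch()
    watch.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    watch.observe(build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    watch.observe(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))  # "I am the gateway"
    watch.observe(build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))  # "I am the victim"
    watch.observe(b"\x00" * 60)  # a non-ARP frame is ignored
    return watch.alerts
```

Nothing here touches the wire: the block only builds and parses bytes, so it runs offline and can be fed frames read from a capture. Actually transmitting `build_arp_reply()` output needs a raw socket (AF_PACKET on Linux) and root, which is the part to do only in your own lab. The detector deliberately trusts the first binding it sees, so a legitimate NIC replacement will also raise an alert; that is the same trade-off arpwatch makes, and it is why static switch-port bindings, as Opus00 suggests, are the stronger control.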

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    (Depending on what you meant by or if the emphasis was on "from a single node")

    There are other means also:

    1- MAC table flooding: spoof enough source MAC addresses to overload the switch's MAC table (MAC/port mapping table).

    2- Not directly a switch-level attack, but you can MITM traffic by claiming to be the best HSRP router (if you use HSRP). Of course this will only affect routed traffic...

    3- Depending on the network layout, some MITM may be possible using STP on a double-homed network....

    Cisco has a good write-up on L2 issues:
    http://www.cisco.com/en/US/netsol/ns...8014870f.shtml


    Ammo
    Credit travels up, blame travels down -- The Boss
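Ammo's first item, MAC table flooding, is easy to misread as "the switch crashes"; what actually happens is that the switch loses the legitimate station's entry and starts flooding unicast frames out every port, hub-style. The following added example (mine, not from the thread or from any tool) is a toy learning switch with a deliberately tiny CAM table so the effect is visible, plus a port-security option that caps the number of MACs learned per port and shuts the port on violation, which is the switch-side mitigation Opus00 alluded to. Port numbers, MAC addresses and table sizes are constructed; the eviction policy (oldest entry first) is one simplification, real switches vary, but the flooding outcome is the same.

```python
from collections import OrderedDict


class Switch:
    """Toy learning switch with a bounded MAC (CAM) table.

    cam_size: number of MAC entries the table holds (real gear: thousands).
    max_macs_per_port: optional port-security limit; learning a further MAC on
    a port that already holds this many is a violation and shuts the port."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()      # mac -> port, oldest entry first
        self.err_disabled = set()     # ports shut down by port security

    def macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port and return the list of egress ports."""
        if in_port in self.err_disabled:
            return []                 # a shut-down port passes nothing
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)     # refresh: most recently seen
            self.cam[src_mac] = in_port
        else:
            limit = self.max_macs_per_port
            if limit is not None and self.macs_on(in_port) >= limit:
                self.err_disabled.add(in_port)  # port-security violation
                return []
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)    # table full: evict the oldest entry
            self.cam[src_mac] = in_port
        out_port = self.cam.get(dst_mac)
        if out_port is None:
            # Unknown unicast (or broadcast): flood out every other port.
            return [p for p in self.ports if p != in_port]
        return [out_port]


# Constructed topology: victim on port 1, server on port 2, attacker on port 3.
VICTIM, SERVER = "00:11:22:33:44:55", "00:11:22:33:44:66"
VICTIM_PORT, SERVER_PORT, ATTACKER_PORT = 1, 2, 3
BROADCAST = "ff:ff:ff:ff:ff:ff"


def spoofed_macs(n):
    """Deterministic bogus locally-administered source MACs for the flood."""
    return ["02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF) for i in range(n)]


def run_flood_demo(port_security=False):
    """Return (egress before flood, egress after flood, err-disabled ports)
    for a server->victim frame. Without port security the victim's entry is
    evicted and the reply is flooded to the attacker's port as well."""
    sw = Switch(ports=[1, 2, 3], cam_size=8,
                max_macs_per_port=(1 if port_security else None))
    sw.forward(VICTIM_PORT, VICTIM, SERVER)              # victim and server get learned
    before = sw.forward(SERVER_PORT, SERVER, VICTIM)     # reply goes to port 1 only
    for mac in spoofed_macs(100):                        # attacker floods bogus sources
        sw.forward(ATTACKER_PORT, mac, BROADCAST)
    after = sw.forward(SERVER_PORT, SERVER, VICTIM)
    return before, after, sorted(sw.err_disabled)
```

Two practical points fall out of the model. First, as soon as the victim transmits again its MAC is relearned, so a flooding tool has to keep sending continuously to hold the table full, which is exactly the sustained load that makes this attack noisy and why it can tip into the DoS the original poster wants to avoid. Second, with `max_macs_per_port=1` the attacker's second spoofed frame err-disables port 3 and the victim's entry is never evicted; a `sticky` or static MAC limit on access ports is the corresponding setting on real switches.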

  4. #4
    Senior Member treanglin's Avatar
    Join Date
    Dec 2003
    Posts
    111
    Well, how big is your network? Because if you are only working with like 10 or so nodes and the computer performing the test has like 512 MB of memory or more, then I don't think you'd have a DoS problem. I've seen a 2 gigahertz computer with 1 gig of RAM perform an APR attack on 100+ nodes for over 3 hours without causing a denial of service. Also, if you are using a program like Ettercap or Cain and Abel, you can select specific machines that you want to target; this way, you can prevent an entire network denial of service. (In the incident mentioned above, incoming and outgoing traffic was being rerouted for each single machine!)
    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"
    -BOFH

  5. #5
    Junior Member
    Join Date
    Aug 2006
    Posts
    7
    One WAN connection to the internet (2 Mb/s). The section of the network I am on has 200 nodes, and it has a WAN connection to another building (which connects to the internet through my portion of the network, 1 Mb/s). That section of the network has 50-100 nodes. My laptop has 512 MB of RAM, and some of it is taken for video when in Windows.

  6. #6
    Senior Member treanglin's Avatar
    Join Date
    Dec 2003
    Posts
    111
    Hmmmm..... I'm pretty sure that you shouldn't be trying to do APR on a WAN connection without the ISP's permission.


    You might want to read up on network segmentation and switching and do some testing in a smaller lab before going at this, man.


    Yes it's a lot of reading but Don't get lazy....check this stuff out...IT'S GOOD STUFF!

    == http://www.cisco.com/en/US/tech/tk389/tsd_technology_support_category_home.html

    Also, to answer the question on how to secure the network on APR DoS....I think this may help:

    == http://www.governmentsecurity.org/archive/t14083.html
    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"
    -BOFH
