ARP poisoning/MITM attack prevention

**SawPer** · May 1st, 2005, 03:31 PM

Thehorse,

Yes, I was very surprised how easy it was to do a MITM attack. I always thought it was a complicated thing until I saw the tutorial made by Irongeek.
Since he didn't show any way to prevent it, I was hoping I would find some good answers here.

You mentioned your latest Cisco routers can prevent ARP poisoning. Is this done by what has already been mentioned in here, by fixed MAC/port settings and only allowing one MAC per port, or do they actually have a "check-box" for preventing ARP poisoning?

To give you a little background, I work at a college taking care of a bunch of webservers. I'm not responsible for the routers/network. But I think it's a big concern for the servers I'm responsible for, so I made these tests, and of course informed the network guy as well, to have him look in to this and hopefully fix it.

Thanks!

***Striek*** · May 1st, 2005, 04:25 PM

If I may...

Cisco routers prevent arp spoofing by locking each port down to the first mac address it sees, or with some, you can "freeze" the mac table in a certain state. Although this would prevent arp spoofing, it would not, stop arp poisoning, since an attacker is sending a false arp reply with its own MAC address, and so there is still only one MAC address out each port.

As for the prevention of arp poisoning, and therfore MITM attacks, the switch intercepts ARP replies and inspects them to ensure they are destined for the correct machine and coming from the correct machine. It already knows that the gateway, say 192.168.0.1, is on port 1, for example. When a workstation, say on port 2, sends an arp request for the gateway, the switch will inspect that packet. Assume the attacker is on port 3. Since the switch knows that the response to the arp request sent from port 2 must come back from port 1, it will drop the arp reply which the attacker will send from port 3. A kind of layer 3 firewall on the switch. This process is known as Dynamic Address Resolution Protocol, as far as I know.

In short, the switch ensures that arp replies are only sent from the machine they are supposed to be sent from.

Although I am aware of the theory behind it, I don't know exactly how to implement this on most switches, but it would likely be something as simple as an "enable darp" command. I'm sure somebody knows better than I do.

**SawPer** · May 2nd, 2005, 01:18 AM

Striek,

Thank you much for that information!

Could TheHorse or somebody else confirm to me if that is actually an option, "Enable DARP"?

I know our Network Manager is tired of Cisco, and he is now replacing most switches with HP swicthes. Since I don't mess with that kinda stuff, I have no idea if they are comparable or not, but I will ask him if he knows about DARP.
I have already told him about all your advices, but locking every single port down is probably not gonna happen. He's the one and only guy taking care of the network, with a couple of thousands computers, using a DHCP network, and computers and rooms changing all the time, it would be way too much for him to be able to handle...

BUT, if this DARP is an option, that might in fact fix it for us!!?!

Thanks again!

ps. Ammo, have to add I just tried what you said about SSL, and yeah, that is some real scary stuff. Since we don't use public certificates, and we always have to hit YES to accept it, you can capture all the SSL sessions as well, getting all the passwords in clear text and no one would have a clue... maaaan! We are now considering getting Verisign certificates, but man are they expensive!!

***ammo*** · May 2nd, 2005, 02:28 AM

Originally posted here by SawPer

ps. Ammo, have to add I just tried what you said about SSL, and yeah, that is some real scary stuff. Since we don't use public certificates, and we always have to hit YES to accept it, you can capture all the SSL sessions as well, getting all the passwords in clear text and no one would have a clue... maaaan! We are now considering getting Verisign certificates, but man are they expensive!!

Well, you could always setup your own internal CA and have all your users install that root ceriticate once.

Technically, the only diffrence between a Versign issued cert is that the verisgned root cert is installed by default on most browsers...

Ammo

***thehorse13*** · May 2nd, 2005, 03:15 PM

Yes, it's called Dynamic Arp Inspection or DAI. It's a little more involved than a single "enable" command. I use it here and it works wonderfully.

OVERVIEW:
========
Map out your neighboring switches/routers
Configure ARP inspection
Setup your trusts
Verify the bindings
Look at some sample inpsection traffic

This Cisco doc will get you started. It's not exactly written for a n00b but if you're reasonably familiar with Cisco gear, you should have no issues. This deals with the 4500 catalyst switches, which I happen to have here but the commands are transferrable.

http://www.cisco.com/en/US/products/...08019d0ca.html

**SawPer** · May 2nd, 2005, 05:04 PM

TheHorse,

Awesome!! Many thanks!

Yeah, our network guy knows some Cisco, so he should be able to hanlde it. I will check with him.

Thanks again!!

**SawPer** · May 2nd, 2005, 05:42 PM

Yick, it seems to be a proprietary solution from Cisco!

HP doesn't seem to have anything similar... not good... not good at all... what to do now??

I guess I will do some research online to try to find something about HP switches... unless someone here already knows about them?

Really shocked how over locked this problem is! It's like everybody is trying to stick their head in the sand, pretending this problem doesn't exist!

When it's so easy to do a MITM attack, you would think there would be tons of good solutions against it...

Striek,

Just to confirm your last comment. Even IF we did lock every single port down and only allowing for 1 MAC/port, you are saying ARP poisoning still bypasses this, cause the attacker is just lying about his IP/MAC address directly to the victim, which then continues to talk to the MAC, which is completely legit as far as the switch is concerned...
I don't see any solution for us at all then, if we don't get Cisco.. !

...and then depression set in.. heh!

***thehorse13*** · May 2nd, 2005, 08:57 PM

Cisco was specifically mentioned somewhere in the thread and I happen to run a Cisco shop here. HP certainly has something similar.

--TH13

**SawPer** · May 2nd, 2005, 09:30 PM

YEEESSSSSSS!!!!!!!!!!!!!!!!!!

We were all depressed, hanging around, thinking there is no way we can prevent this from going on... then we thought.. well.. what if we forced everybody to have static ARP's??

So I tried: arp -s [IP] [MAC] (of my gateway)

Fired up Cain, and Cain wouldn't even show my computer as getting poisoned!!! So it didn't catch a thing now!!! YIIIEEEEHAAAAAA!!!

Now if this is all waterproof, this is a fairly simple solution compared to buying new Cisco switches for the whole network!

Any comments about static ARP tables? Is that a good enough solution?! Some research seems to show that Win98 allows the static ARP's to be over written, but it doesn't look like that's the case from our test today on WinXP at least...

Thanks again for all help!!

ps. Hey, if you just feel like it, you are very welcome to give me some Anti points for this one.. heh!

**Double//Cut** · May 4th, 2005, 11:09 AM

hahaha, lol

SawPer, "1. You can "hardcode" all the MAC addresses on your network, but it's a big pain if you have a bigger network... This will make it a lot more secure, but there are obviously still ways around it..." You just answer your own question buddy ?

On a only switched network, you will have to setup all the static ARPs for every computer, but as the network grows, and the target would be yourself and the router, then a simple static MAC addy for the gateway would be all that is needed....

Get me ?

Thread: ARP poisoning/MITM attack prevention

Thread Tools

Display

Posting Permissions