I understand how ARP spoofing works on a switched network: attacker tells the router he's the victim, then tells the victim he's the router. My question is: on large networks, like corporate and university networks, is it still as simple? I would assume there would be more than one router etc... what kind of measures can corporate-level networks take to protect themselves from ARP spoofing attacks?
Asked
Active
Viewed 2,176 times
7
-
1It won't work on a network with [static ARP](http://www.dummies.com/how-to/content/cisco-networking-static-arp-entry-managment.html) – paj28 Aug 15 '16 at 12:16
-
simple answer: NO. not so simple answer: there are various techniques to mitigate/detect arpspoofing. complex answer: check out the other answers :) – Gewure Aug 03 '17 at 14:37
2 Answers
6
It depends on the class of the switch, for example:
- Wifi routers and home routers have LAN Isolation, however this one is usually disabled by default
- Layer 2/3 campus class switches usually have ARP filtering, but if it's not enabled than you can spoof MAC or IP address from different VLAN (you can use same MAC or different one for any IP address). The one I mean here is the one implemented at the Layer 3 gateway.
- Some new campus like switches (as of 2016) have LAN Isolation built-in as well, however it's not enabled by default, which helps with ARP spoofing
- Some networks require IEEE 802.1X authentication to connect to the port, usually corporate equipment must be used and not private one. This is very often preventing ARP spoofing but not always, depends on how it is used, sometimes it's easy to defeat.
- Some networks have MAC learning and do not allow spoofing (e.g. allow only specific MAC on single port), this is quite rare but existent. So this works by monitoring the switches and blocking attackers.
- Some networks might require you to supply you MAC which is configured for the port, and this way it can also prevent from sending malicious ARP requests / responses
- Depending on switch vendor there might be other features helping with ARP spoofing, usually at Layer 2 switch like Dynamic ARP Inspection.
- It is quite easy to make switch policy so that each customer port can exchange packets only with router port without need of LAN Isolation feature, however not many people do it
Polynomial
- 132,208
- 43
- 298
- 379
Aria
- 2,706
- 11
- 19
-
Thank you for such a detailed answer! Could you elaborate on point 2? And what is LAN Isolation? – Elliot Gorokhovsky Aug 13 '16 at 02:23
-
Where you can enforce a specific MAC address for each port, you can also enforce a specific IP address. – 700 Software Aug 15 '16 at 12:26
4
ARP spoofing is easy to detect. If a router sees an ARP advertisement packet for an IP address that it knows is already associated with a different port or MAC address, it can block it, shut down the port the packet came from, or take other appropriate action. Any decent IDS will pick up an ARP spoofing attack. All that said, I find that it's quite uncommon for even corporate networks to bother having this sort of protection.
(Of course, if you just use IPSec or TLS for everything like you should, there's no issue here, right?)
Reid Rankin
- 1,062
- 5
- 10