[c-nsp] ARP/MAC spoofing protection from a bad nic

Sam Stickland sam_mailinglists at spacething.org
Sat Jan 6 18:35:06 EST 2007


David Prall wrote:
> You can look at Dynamic Arp Inspection (DAI). I haven't played with it as of
> yet. I'm thinking that it requires DHCP Snooping to be involved as well,
> which could make it an issue for statically configured servers.
>   
Yeah, AFAIK DAI does require DHCP Snooping to be useful (there are a few 
additional checks it does that don't require DHCP snooping, but they 
wouldn't help here).

What would be nice is if there were some way to make a switch compare ARP 
replies against an ACL (as well as IP). For example:

permit ip host 1.1.1.1 any
deny ip any any

This prevents the host from sourcing anything but 1.1.1.1, but it 
doesn't prevent it sending ARP replies for any IP address. AFAIK, there 
isn't any Cisco feature that currently does this.

S
> Another option would be to statically code ARP entries, but this is
> difficult at best.
>
> --
> http://dcp.dcptech.com
>
>
>   
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
>> Sent: Friday, January 05, 2007 9:50 PM
>> To: Joseph Jackson
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] ARP/MAC spoofing protection from a bad nic
>>
>> Joseph Jackson wrote:
>>
>>> Earlier today we had what seems to be a NIC in a server go
>>> bad and started answering with its mac address for every IP
>>> within its subnet.  Of course this caused a massive LAN meltdown which
>>> wasn't all that fun.
>>
>> Sounds more like ettercap (hacking tool) to me.
>>
>> afsheenb at gravityplaysfavorites.net wrote:
>>
>>> That being said, you'll probably want to implement port security.
>>
>> Won't help this case -- that limits the port to one source
>> MAC address, which is what it is doing (but spoofing the source IP).
>>
>> Jeff
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
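The check Sam describes above (an ACL-style rule saying which IP a given host may answer ARP for) can be done in software even if the switch cannot do it, and the same pass catches the symptom Joseph reported (one MAC answering for every IP in the subnet). The following is an added example written for this archive page, not code posted by anyone in the thread: it parses raw Ethernet/ARP frames and checks each ARP reply against a per-MAC allow table. All MAC addresses, the 10.0.0.0/24 addresses, the allow table and the sample frames are constructed for the example; the `max_claims` threshold is an assumed tuning knob, not a value from the thread.

```python
"""Check ARP replies against a per-host allow table (software version of
the "ARP ACL" idea from the thread). Added example; sample data constructed."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(eth_src: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a raw Ethernet + IPv4 ARP reply frame (used only to construct
    sample input). eth_src is separate from sender_mac so a frame whose
    Ethernet source disagrees with the ARP sender field can be produced."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (eth_src, op, sender_mac, sender_ip, target_ip) for an
    Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (mac_str(frame[6:12]), op, mac_str(frame[22:28]),
            ip_str(frame[28:32]), ip_str(frame[38:42]))


def check_arp_replies(frames, allowed, max_claims=2):
    """Apply the allow table to every ARP reply.

    allowed maps a host's MAC (the "port" in the ACL analogy) to the set of
    IPs it may answer for. Findings:
      unpermitted  - (mac, ip) replies not covered by the allow table
      src_mismatch - (eth_src, arp_sender_mac) where the two fields disagree
      flooders     - MACs that answered for more than max_claims distinct IPs,
                     i.e. the "answers for every IP in the subnet" symptom
    """
    unpermitted, src_mismatch = [], []
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not IPv4-over-Ethernet ARP
        eth_src, op, sender_mac, sender_ip, _target_ip = parsed
        if op != ARP_REPLY:
            continue                      # requests are not checked here
        claims[eth_src].add(sender_ip)
        if sender_ip not in allowed.get(eth_src, set()):
            unpermitted.append((eth_src, sender_ip))
        if eth_src != sender_mac:
            src_mismatch.append((eth_src, sender_mac))
    flooders = sorted(m for m, ips in claims.items() if len(ips) > max_claims)
    return {"unpermitted": unpermitted, "src_mismatch": src_mismatch,
            "flooders": flooders}


# Constructed sample data: a well-behaved server, a NIC answering for
# 10.0.0.2-10.0.0.6, one frame with mismatched MAC fields and non-ARP noise.
GW = "aa:bb:cc:dd:ee:01"
ALLOWED = {
    "aa:bb:cc:dd:ee:10": {"10.0.0.10"},
    "aa:bb:cc:dd:ee:99": {"10.0.0.99"},
}
SAMPLE_FRAMES = (
    [build_arp_reply("aa:bb:cc:dd:ee:10", "aa:bb:cc:dd:ee:10", "10.0.0.10", GW, "10.0.0.1")]
    + [build_arp_reply("aa:bb:cc:dd:ee:99", "aa:bb:cc:dd:ee:99", f"10.0.0.{n}", GW, "10.0.0.1")
       for n in range(2, 7)]
    + [build_arp_reply("aa:bb:cc:dd:ee:42", "aa:bb:cc:dd:ee:10", "10.0.0.10", GW, "10.0.0.1"),
       b"\x00" * 60]
)

if __name__ == "__main__":
    for kind, items in check_arp_replies(SAMPLE_FRAMES, ALLOWED).items():
        print(kind, items)
```

The allow table is keyed on the Ethernet source address rather than the ARP sender field, because that is what a per-port ACL would see; a disagreement between the two fields is reported separately, since a host that is merely misconfigured will usually keep them consistent while a spoofing tool may not. Feeding real traffic in means replacing `SAMPLE_FRAMES` with frames read from a capture.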