 From:  "Chris Buechler" <cbuechler at gmail dot com>
 To:  "m0n0wall -" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: FW: [m0n0wall] malware HackTool.win32.ArpAttacker.3020
 Date:  Wed, 7 May 2008 02:55:33 -0400
On Wed, May 7, 2008 at 1:55 AM, Bostjan Hojkar
<bostjan dot hojkar at fov dot uni dash mb dot si> wrote:
>  I have to agree with this.
>  If you can't remove clients or hardcode correct ARP to client, your only
>  option is a smart switch at each location.
>  ARP attacks are happening on the switch (L2) and that's where you have to stop
>  them. Cisco has something called Dynamic ARP Inspection. I'm sure other
>  vendors have similar functionality, but I doubt you can find it in
>  low-end(/cost) products.

Yes, this is exactly why you need to run managed switches in any
serious network, especially one where you don't control what's
connecting to you. You need to configure your switch to shut down the
offending switch port when this kind of thing happens. Specific
procedures to do so vary from one switch to another, but any good
managed switch can do this. You can pick up used switches capable of
doing this for under $100 in the US, likely similar elsewhere.

The best you can do with m0n0wall is attempt to fight back in various
ways, but there is no guaranteed reliable way to do so and it doesn't
fix the real problem. PVLANs on your switches are another way to
contain this type of thing, to isolate each port into its own L2
segment. That way it doesn't affect other users.

You need to find the offending machine and pull the plug. From the
sounds of it, you have multiple customers on the same broadcast
domain, which means that compromised PC is likely ARP poisoning many
of your customers, redirecting their traffic through the compromised
PC. With that combined with some SSL MITM tools, it'd be easy to hijack
sensitive credentials through that compromised machine, and it
wouldn't surprise me a bit if that's happening. You're putting your
customers at risk leaving that machine connected to the network.
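
As an added example (not part of the original message and not m0n0wall code), here is one way to narrow down the offending machine from the firewall's side: compare two ARP table snapshots and flag any MAC address that has taken over IPs previously bound to other MACs. The `arp -an`-style snapshots and every address in them are constructed, and `parse_arp` and `find_suspects` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample data in the style of `arp -an` output; not from the thread.
BASELINE = """\
? (192.168.1.1) at 00:0d:b9:aa:00:01 on em1 [ethernet]
? (192.168.1.20) at 00:16:6f:bb:00:20 on em1 [ethernet]
? (192.168.1.21) at 00:16:6f:bb:00:21 on em1 [ethernet]
? (192.168.1.22) at 00:1c:c0:cc:00:22 on em1 [ethernet]
"""
CURRENT = """\
? (192.168.1.1) at 00:0d:b9:aa:00:01 on em1 [ethernet]
? (192.168.1.20) at 00:1c:c0:cc:00:22 on em1 [ethernet]
? (192.168.1.21) at 00:1c:c0:cc:00:22 on em1 [ethernet]
? (192.168.1.22) at 00:1c:c0:cc:00:22 on em1 [ethernet]
? (192.168.1.23) at (incomplete) on em1 [ethernet]
"""

# Matches "(ip) at mac"; "(incomplete)" entries do not match and are skipped.
ENTRY = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})\b")

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in an ARP table dump."""
    return {ip: mac.lower() for ip, mac in ENTRY.findall(text)}

def find_suspects(baseline_text, current_text):
    """Map each suspicious MAC to the IPs it took over and all IPs it claims."""
    before, now = parse_arp(baseline_text), parse_arp(current_text)
    ips_by_mac = defaultdict(set)
    for ip, mac in now.items():
        ips_by_mac[mac].add(ip)
    suspects = {}
    for ip, mac in now.items():
        old = before.get(ip)
        if old and old != mac:  # IP moved to a different MAC since the baseline
            entry = suspects.setdefault(mac, {"took_over": [], "claims": []})
            entry["took_over"].append(ip)
    for mac, entry in suspects.items():
        entry["claims"] = sorted(ips_by_mac[mac])
    return suspects

if __name__ == "__main__":
    for mac, info in find_suspects(BASELINE, CURRENT).items():
        print(mac, "took over", info["took_over"], "now claims", info["claims"])
```

An IP changing MAC can also be a replaced NIC or a reassigned DHCP lease, so treat a hit as a lead: look the MAC up in the switch's address table to find the physical port.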