Focus on Microsoft
Windows 2000 Static arp not static Feb 12 2003 11:53PM
Tim Habex (tim habex eenderwat be) (3 replies)
Re: Windows 2000 Static arp not static Feb 14 2003 08:38PM
Blue Boar (BlueBoar thievco com)
Re: Windows 2000 Static arp not static Feb 14 2003 08:35PM
Bob Fleck (bob securesoftware com)
Re: Windows 2000 Static arp not static Feb 13 2003 06:42PM
Anthony Kim (Anthony Kim VW COM) (1 reply)
RE: Windows 2000 Static arp not static Feb 16 2003 04:08PM
shannong (shannong texas net) (1 reply)
Re: Windows 2000 Static arp not static Feb 24 2003 08:16PM
Anthony Kim (Anthony Kim VW COM)
On Sun, Feb 16, 2003, shannong wrote:

> The MAC address table mappings on switches have absolutely no
> effect on this. The switch still sees the offending machine as
> having the correct MAC address and the victim as having the
> correct MAC address. This exploit works due to the ARP cache
> poisoning of the victim as discussed in this thread.

That's why you "lock" the tables on the switches if you really
have to.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_5/cnfg_gd/sec_port.pdf
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_implementation_white_paper09186a008014870f.shtml

If your threat model is such that you are considering static arp
tables on each host, you will have to consider alternatives that
are manageable.

> You prevent this from happening like you do other exploits. Use an IDS.
> One that detects these ARP flip-flops.
>
> -Shannon

IDS will not "prevent this from happening".

I wrote:

> Most people would lock arp tables on the switch and not on the
> host. If you're relying on MS-technology only, you probably have
> a boatload of other problems to take care of... ;-)

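The ARP "flip-flop" detection shannong mentions above, as an added example that is not code from this thread or from any product named in it: an arpwatch-style tracker that reads ARP replies off a log, keeps the ip-to-mac mapping it has seen announced, and raises an alert when an IP is announced with a different MAC, distinguishing a first change from a flip back to an earlier MAC (a poisoner and the real host both answering). The one-line-per-reply log format, the addresses in the sample, and the optional `trusted` map (what a host's static ARP entry would pin) are all assumptions made up for the illustration.

```python
"""Detect ARP flip-flops in a stream of ARP replies (arpwatch-style).

Added example, not code from the thread.  Input is a constructed,
tcpdump-like one-reply-per-line log: "<epoch> arp reply <ip> is-at <mac>".
"""
import re
from collections import defaultdict

# Hypothetical log format for the example; tcpdump/arpwatch print differently.
REPLY_RE = re.compile(r"^(\d+)\s+arp reply (\S+) is-at ([0-9a-fA-F:]{17})$")

# Constructed sample: 192.168.1.1 is the gateway (00:00:0c:07:ac:01).
# At t=...30 a second host (00:0c:29:aa:bb:cc) starts answering for it while
# the real gateway keeps answering too, so the mapping flaps between the two.
SAMPLE_LOG = """\
1045000001 arp reply 192.168.1.1 is-at 00:00:0c:07:ac:01
1045000002 arp reply 192.168.1.20 is-at 00:50:56:11:22:33
1045000030 arp reply 192.168.1.1 is-at 00:0C:29:AA:BB:CC
1045000031 arp reply 192.168.1.1 is-at 00:00:0c:07:ac:01
1045000032 arp reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc
1045000040 arp reply 192.168.1.20 is-at 00:50:56:11:22:33
"""


def parse_reply(line):
    """Return (ts, ip, mac) for one log line, or None if it is not an ARP reply."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None
    ts, ip, mac = m.groups()
    return int(ts), ip, mac.lower()      # normalise case so 00:0C == 00:0c


class ArpFlipFlopDetector:
    """Track ip->mac as announced on the wire and flag changes.

    'trusted' is an optional ip->mac map (the role a static ARP entry plays on
    a host); a reply that contradicts it is flagged on first sight.
    """

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.current = {}              # ip -> mac most recently announced
        self.seen = defaultdict(set)   # ip -> every mac ever announced for it
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one reply; return an alert dict, or None if nothing changed."""
        prev = self.current.get(ip)
        kind = None
        if ip in self.trusted and mac != self.trusted[ip]:
            kind = "contradicts trusted entry"
        elif prev is not None and prev != mac:
            # MAC differs from the last one announced for this IP.  If this
            # MAC was already used for the IP earlier, the mapping is flapping
            # between two stations: a flip-flop rather than a plain change.
            kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
        alert = None
        if kind:
            alert = {"ts": ts, "ip": ip, "old": prev, "new": mac, "kind": kind}
            self.alerts.append(alert)
        self.current[ip] = mac
        self.seen[ip].add(mac)
        return alert


def detect(log_text, trusted=None):
    """Run the detector over a whole log; return the list of alerts raised."""
    det = ArpFlipFlopDetector(trusted)
    for line in log_text.splitlines():
        parsed = parse_reply(line)
        if parsed:
            det.observe(*parsed)
    return det.alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, trusted={"192.168.1.1": "00:00:0c:07:ac:01"}):
        print(f"{a['ts']} {a['ip']}: {a['old']} -> {a['new']} ({a['kind']})")
```

Over the constructed log the detector raises three alerts for 192.168.1.1 and none for 192.168.1.20; with the gateway pinned in `trusted`, the two replies from the second station are flagged as contradicting the trusted entry rather than merely as changes. Note the timing: the first alert fires only after the conflicting reply has already been seen on the wire, at which point any host that accepted it already has a poisoned cache. That is the difference between detecting the attack and preventing it that the reply above draws.
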
Copyright 2010, SecurityFocus