
ARP Attack?

tmuller01
Level 1

We have been experiencing slow internet speeds at work. So I started investigating and was using the Colasoft Capsa program.

I found that when doing a security analysis with this program that it said we were under ARP attack.

I found an article on the Colasoft site on ARP spoofing: http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php

When looking at the physical endpoint (Solution 4:) example, I found the MAC address of our Cisco Small Business RV042 10/100 4-Port VPN router with about 100+ IP addresses linked to it.

I jumped on the Cisco site and the closest thing I could find to helping me is http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/13495-clear-arp.html

However, to my knowledge this won't work on this router since we only have access to the GUI interface.

Can anyone confirm that this is indeed an ARP attack on this router?

If so how do I stop it and protect this router?

Any help or guidance is greatly appreciated!


wswalton
Level 1

I assume all of the IP addresses are for sites that are not on your local network? I would expect this since the end point is going to use the router as its next hop to go out to the internet.

If you were seeing an ARP spoof you would more likely see a lot of local IP addresses that are associated with a MAC address that is NOT your router. When someone ARP spoofs, they send out gratuitous ARPs trying to insert the malicious system's MAC address into the ARP table of the router/switch/endpoints so they send all of their traffic through the malicious system.

I know this doesn't answer your question but hopefully it pushes you closer to the answer.

 

Your assumption is correct; it is all IP addresses outside my network.

Guess I'm back to square one on slow internet.

Our Cisco Small Business RV042 10/100 4-Port VPN router doesn't have a monitoring tool built in does it?  I don't see anything in the GUI interface that looks like a monitoring tool. 

If anyone knows if it does or knows a good way to find who is using up all our bandwidth let me know.

Thanks

If you are seeing Internet/non local subnet IPs, in a host's ARP table, with the MAC address of the local gateway, then you are relying on  not be the caseach Internet stuff.

That should not be the case.

Is this a Windows host?

If so, post up the output of:

ipconfig /all

arp -a

You probably have a misconfigured subnet mask or something.

Regards

Aaron

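The two patterns the replies distinguish, as an added example that is not part of the original thread: it sorts a host's `arp -a` output into non-local IPs resolved to the gateway MAC (the subnet-mask case) and several local IPs behind one non-gateway MAC (the spoofing pattern). The sample table, addresses, MACs and the function names `parse_arp` and `triage` are constructed for illustration, and the gateway MAC is assumed to be known from the router itself.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-01     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.21          00-11-22-33-44-55     dynamic
  192.168.1.22          00-11-22-33-44-55     dynamic
  192.168.1.30          00-11-22-33-44-99     dynamic
  203.0.113.10          00-aa-bb-cc-dd-01     dynamic
  198.51.100.7          00-aa-bb-cc-dd-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs for the dynamic rows of `arp -a` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            rows.append((ipaddress.ip_address(m.group(1)), m.group(2).lower()))
    return rows

def triage(arp_text, host_cidr, gateway_mac):
    """Sort ARP entries into the two patterns discussed in the replies."""
    net = ipaddress.ip_interface(host_cidr).network
    gw_mac = gateway_mac.lower().replace(":", "-")
    by_mac = defaultdict(list)
    for ip, mac in parse_arp(arp_text):
        by_mac[mac].append(ip)
    off_subnet, shared = [], {}
    for mac, ips in by_mac.items():
        local = [str(ip) for ip in ips if ip in net]
        if mac == gw_mac:
            # Non-local IPs resolved directly to the gateway MAC: check the subnet mask.
            off_subnet += [str(ip) for ip in ips if ip not in net]
        elif len(local) > 1:
            # Several local IPs behind one non-gateway MAC: the spoofing pattern.
            shared[mac] = local
    return {"off_subnet_via_gateway": off_subnet, "shared_mac_local": shared}

if __name__ == "__main__":
    print(triage(SAMPLE_ARP, "192.168.1.50/24", "00:AA:BB:CC:DD:01"))
```

A shared MAC is a lead to investigate rather than proof, since a device with more than one local address produces the same rows.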