12-23-2014 01:57 PM
We have been experiencing slow internet speeds at work. So I started investigating and was using the Colasoft Capsa program.
I found that when doing a security analysis with this program that it said we were under ARP attack.
I found a article on the Colasoft site on ARP spoofing. http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php
When looking at the physical endpoint (Solution 4:) example I found the mac address of our Cisco Small Business RV042 10/100 4-Port VPN router with about a 100+ IP addresses linked to it.
I jumped on the cisco site and the closest thing I could find to helping me is http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/13495-clear-arp.html
However to my knowledge this won't work on this router since we only have access to the GUI interface.
Can anyone confirm that this is indeed a ARP attack on this router?
If so how do I stop it and protect this router?
Any help guidance is greatly appreciated!
12-24-2014 06:44 AM
I assume all of the IP addresses are for sites that are not on your local network? I would expect this since the end point is going to use the router as it's next hop go out to the internet.
If you were seeing an ARP spoof you would more likely see a lot of local IP addresses that are associated with a MAC address that is NOT your router. When someone ARP spoofs they send out gratuitous ARPs trying to insert the malicious systems MAC address into the ARP table of the router/switch/endpoints so they send all of their traffic through the malicious system.
I know this doesn't answer your question but hopefully it pushes you closer to the answer.
12-24-2014 07:58 AM
Your assumption is correct it is all IP addresses outside my network.
Guess I'm back to square one on slow internet.
Our Cisco Small Business RV042 10/100 4-Port VPN router doesn't have a monitoring tool built in does it? I don't see anything in the GUI interface that looks like a monitoring tool.
If anyone knows if it does or knows a good way to find who is using up all our bandwidth let me know.
Thanks
12-30-2014 07:31 AM
If you are seeing Internet/non local subnet IPs, in a host's ARP table, with the MAC address of the local gateway, then you are relying on not be the caseach Internet stuff.
That should not be the case.
Is this a windows host?
If so, post up the output of:
ipconfig /all
arp -a
You probably have a misconfigured subnet mask or something.
Regards
Aaron
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide