[Tips] use a vswitch to quickly find the source of ARP attacks

Welcome to the network technology community forum, interact with 2 million technical staff into 2. Showmac-address login telnet @ FES12GCF-1 # shmac-add000b.5d4d.cb36Totalact

Welcome to the network technology community forum, interact with 2 million technical staff> enter 2. Show mac-address login telnet @ FES12GCF-1 # sh mac-add 000b. 5d4d. cb36 Total act

Welcome to the network technology community forum and interact with 2 million technical staff> enter

2. Show mac-address
Bytes ------------------------------------------------------------------------------------------------------------
Telnet @ FES12GCF-1 # sh mac-add 000b. 5d4d. cb36
Total active entries from all ports = 106
MAC-Address Port Type VLAN
000b. 5d4d. cb36 2 Dynamic 247
Bytes --------------------------------------------------------------------------------------------------------------
Under Port 2 is a common switch, so you don't need to know about other topology.
This seems to be an ARP attack. 000b. 5d4d. cb36 has performed ARP spoofing on this machine, so that all machines cannot access the network normally.
Continue tracing, check his real IP address, connect to the DHCP Server, and check the machine on DHCP Scope 10.10.247.1:
Bytes --------------------------------------------------------------------------------------------------------
10.10.247.143 ZZlin Reservation (active) DHCP 000b5d4dcb36
Bytes ----------------------------------------------------------------------------------------------------------
Ping 10.10.247.143, and check whether the computer name matches with each other with nbtstat-a 10.10.247.143. Lucky!
Immediately inform colleagues to go to the site to find the problematic machine, but in order not to affect production, we must make a quick effort to minimize the impact.

First, disable the MAC address on the vswitch:
Telnet @ FES12GCF-1 # conf t
Warning: 1 user (s) already in config mode.
Telnet @ FES12GCF-1 (config) # mac filter 1 deny 000b. 5d4d. cb36 ffff. ffff. ffff any
Telnet @ FES12GCF-1 (config) # end

Then, clear the ARP cache of the switch so that he can quickly learn the correct arp:
Telnet @ FES12GCF-1 # clear arp
Clear the mac-address of the vswitch and let him learn again:
Telnet @ FES12GCF-1 # clear mac-add

Finally, check the ARP table again:
Bytes ------------------------------------------------------------------------------------------------
Telnet @ SAE-CA-B1-FES12GCF-1 # sh arp
Total number of ARP entries: 31
IP Address MAC Address Type Age Port
1 10.10.247.180060. e900.781e Dynamic 0 2
2 10.10.247.20 0018.8b1b.b010 Dynamic 0 2
3 10.10.247.22 000d. 60a3. 77d0 Dynamic 0 2
4 10.10.247.28 0018.8b1b.b022 Dynamic 0 2
5 10.10.247.34 0013.7290.e52c Dynamic 0 2
6 10.10.247.35 0090. e804.1b2e Dynamic 0 2
7 10.10.247.39 00e0. 4c4f. 8502 Dynamic 0 2
8 10.10.247.44 0013.729a.7eb5 Dynamic 0 2
9 10.10.247.49 000d. 6035.85c3 Dynamic 0 2
10 10.10.247.52 0009.6bed.4cc6 Dynamic 0 2
11 10.10.247.58 0013.728e.1210 Dynamic 0 2
12 10.10.247.59 001d. 0909.5310 Dynamic 0 2
13 10.10.247.72 001d. 0931. f0d5 Dynamic 0 2
14 10.10.247.77 0012.3f87.ea67 Dynamic 0 2
15 10.10.247.79 0018.8b23.09e3 Dynamic 0 2
16 10.10.247.81 0018.8b1d.04ba Dynamic 0 2
17 10.10.247.82 0011.43af.b0dc Dynamic 0 2
18 10.10.247.88 0017.312c.40b5 Dynamic 0 2
19 10.10.247.91 0013.728e.1a6d Dynamic 0 2
20 10.10.247.92 000f. 8f28. d4e6 Dynamic 0 2
21 10.10.247.95 0002.555b.3546 Dynamic 0 2
22 10.10.247.106 0014.222a.1f64 Dynamic 0 2
23 10.10.247.136 000d. 6033. d5cd Dynamic 0 2
Bytes ------------------------------------------------------------------------------------------------

It seems that it has been back to normal.

Let's take a look at the following:
1. This is a generation of ARP attacks. The source MAC and Source IP are not forged, so it is easy to find. If it is a generation II attack, it will not be so easy.
Hope you will have the opportunity to meet :-)
2. Two hours later, I also called to find the pc and found dozens of Trojans without installing anti-virus software.
3. Vlan division can minimize the impact.
4. antivirus and patching are an essential part of daily work.
5. Exercise caution when selecting a vswitch. In addition to static MAC binding, Foundry FES12GCF cannot effectively prevent ARP attacks.

[1] [2]