ARP Attack?

We have been experiencing slow internet speeds at work. So I started investigating and was using the Colasoft Capsa program.
I found that when doing a security analysis with this program, it said we were under ARP attack.
I found an article on the Colasoft site on ARP spoofing: http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php
When looking at the physical endpoint (Solution 4:) example I found the MAC address of our Cisco Small Business RV042 10/100 4-Port VPN router with about 100+ IP addresses linked to it.
I jumped on the Cisco site and the closest thing I could find to help me is http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/13495-clear-arp.html
However, to my knowledge this won't work on this router since we only have access to the GUI interface.
Can anyone confirm that this is indeed an ARP attack on this router?
If so, how do I stop it and protect this router?
Any help or guidance is greatly appreciated!

I assume all of the IP addresses are for sites that are not on your local network? I would expect this, since the endpoint is going to use the router as its next hop to go out to the internet.
If you were seeing an ARP spoof you would more likely see a lot of local IP addresses that are associated with a MAC address that is NOT your router. When someone ARP spoofs they send out gratuitous ARPs trying to insert the malicious system's MAC address into the ARP table of the router/switch/endpoints so they send all of their traffic through the malicious system.
I know this doesn't answer your question but hopefully it pushes you closer to the answer.
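One way to apply the heuristic from the answer above to an endpoint view like the one Capsa shows, as an added example that is not part of the original thread (the MAC/IP pairs, the subnet and the router MAC are constructed): the router's MAC carrying many off-net addresses is classified as normal next-hop behaviour, while a non-router MAC associated with several local addresses, or competing with another MAC for the same local IP, is reported for follow-up.

```python
"""Triage of MAC-to-IP associations for signs of ARP spoofing.

Constructed example, not from the original thread: given (mac, ip) pairs
as a sniffer's endpoint view reports them, the local subnet and the
router's MAC, separate the benign "router is next hop for everything
off-net" pattern from the suspicious "one host claims many local
addresses" pattern.
"""
import ipaddress
from collections import defaultdict

# Constructed data: the router MAC with off-net peers (normal), two
# ordinary hosts, and one host answering for the gateway's and a
# neighbour's address as well as its own.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_MAC = "00:11:22:33:44:55"
ROUTER_IP = "192.168.1.1"

ENDPOINTS = [
    (ROUTER_MAC, ROUTER_IP),
    (ROUTER_MAC, "93.184.216.34"),
    (ROUTER_MAC, "151.101.1.69"),
    (ROUTER_MAC, "104.16.132.229"),
    ("aa:bb:cc:dd:ee:01", "192.168.1.20"),  # ordinary host
    ("aa:bb:cc:dd:ee:02", "192.168.1.21"),  # ordinary host
    ("de:ad:be:ef:00:01", "192.168.1.30"),  # its own address...
    ("de:ad:be:ef:00:01", ROUTER_IP),       # ...plus the gateway's
    ("de:ad:be:ef:00:01", "192.168.1.20"),  # ...plus a neighbour's
]


def group_by_mac(endpoints):
    """Return {mac: set(ip_address)} from (mac, ip) pairs."""
    by_mac = defaultdict(set)
    for mac, ip in endpoints:
        by_mac[mac.lower()].add(ipaddress.ip_address(ip))
    return by_mac


def classify(endpoints, local_net, router_mac, threshold=2):
    """Classify each MAC as 'router', 'normal' or 'suspect'.

    router  - the known gateway MAC; off-net IPs behind it are expected
              because it is everyone's next hop.
    suspect - any other MAC associated with >= threshold local IPs, i.e.
              it is answering for addresses that are not its own.
    Returns {mac: (verdict, sorted local IPs as str, off-net IP count)}.
    """
    router_mac = router_mac.lower()
    result = {}
    for mac, ips in group_by_mac(endpoints).items():
        local = sorted(ip for ip in ips if ip in local_net)
        offnet = sum(1 for ip in ips if ip not in local_net)
        if mac == router_mac:
            verdict = "router"
        elif len(local) >= threshold:
            verdict = "suspect"
        else:
            verdict = "normal"
        result[mac] = (verdict, [str(ip) for ip in local], offnet)
    return result


def conflicts(endpoints, local_net):
    """Local IPs claimed by more than one MAC: {ip: sorted macs}.

    The MAC that shows up in several conflicts (and is not the router)
    is the one to look at first.
    """
    by_ip = defaultdict(set)
    for mac, ip in endpoints:
        addr = ipaddress.ip_address(ip)
        if addr in local_net:
            by_ip[addr].add(mac.lower())
    return {str(ip): sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    for mac, (verdict, local, offnet) in classify(ENDPOINTS, LOCAL_NET, ROUTER_MAC).items():
        print(f"{mac}  {verdict:8}  local={local}  off-net={offnet}")
    for ip, macs in conflicts(ENDPOINTS, LOCAL_NET).items():
        print(f"conflict: {ip} claimed by {macs}")
```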

Similar Messages

  • Cisco Security Advisory: Access Point Memory Exhaustion from ARP Attacks

    I received this Cisco Advisory e-mail today. I have 1200 access points that I upgraded yesterday to 12.3(7)JA2, in which this problem was corrected. In the advisory it states to upgrade to this software release and to make a configuration change on each radio interface. I made this change on the Dot11Radio0 interface and it took. I have 2 more interfaces (Dot11Radio0.2 and Dot11Radio0.75) on which I get an error when I try to make this configuration change. I don't quite understand these interfaces, so I would like to know if I really need to make this change on the other 2 interfaces or if making the change on the 1st one is enough. Any information is certainly appreciated. Thanks, Laurie Coles

    Since you have subinterfaces configured, you are apparently using
    VLANs on your APs. The ARP table is only relevant for the VLAN
    with the management IF, that is the native VLAN.
    For all other VLANs it's simply bridging, therefore no ARP table,
    and therefore this vulnerability doesn't apply here.
    So your only concern should be the native VLAN, and unless you
    need wireless access for managing your APs the best way for
    securing this would be to not configure a SSID for this VLAN.
    Then the only access to the AP would be over the Ethernet-IF.
    The security advisory is more important for APs configured
    without VLANs where wireless clients and the management IF
    of the AP are in the same (W)LAN.

  • Why does the debug arp output the following information: "IP ARP throttled out the ARP Request for 10.170.254.13"

    In the network, sometimes I can't ping some servers. The gateway is on the 4507 switch. If I connect my computer to the VLAN the servers are in, I cannot ping the gateway successfully, and the computer can't learn the gateway's MAC. At the same time I debug arp on the 4507, and the output is:
    "Jun 20 07:36:21.225: IP ARP throttled out the ARP Request for 10.170.254.46
    Jun 20 07:36:21.225: IP ARP throttled out the ARP Request for 10.170.254.13
    Jun 20 07:36:21.227: IP ARP: sent req src 10.170.252.30 b838.6168.3c7f,
                     dst 10.170.252.82 0000.0000.0000 Vlan252"
    If I reload the 4507, I can ping the gateway and the servers.
    I think it's an ARP attack: the machine in question is sending a lot of ARP requests, which fills the 4507's ARP cache and then overflows it. When my computer wants to request the gateway's MAC, the message is discarded, so my computer can't ping the gateway.
    Can someone tell me, am I right? It's very important for me.
    And tell me, what can I do? I'll wait online.
    Thank you very, very much.

    Have a look at this document for troubleshooting ARP throttled issues
    http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/17812-cef-incomp.html
    HTH

  • Solaris Server timeouts

    Greetings list, looking for some help with a strange network issue, appearing to only affect Solaris 10 on Sun hardware servers within our network. What is happening is that at random times, an initial connection to a network service (so far it shows to affect ssh, http, svn, mysql, etc.) on Solaris 10 servers will time out and the connection attempt will have to be retried; it usually connects just fine, and most often any reasonably soon subsequent connections work just fine. So far this happens with random servers, on random segments of our networks, between workstations and servers and server-to-server communications. We don't see any errors in network stats on servers, and have yet to have anything that makes a connection fail during the connection; it's just when that first attempt is made at a random time (although I have noticed that it seems to be more likely when something hasn't initiated a network connection to the particular service for some time). I've gone through the normal troubleshooting steps. Many different Sun models/NICs are involved, and I have seen the issue with both SPARC and x86. Not sure if this could be a kernel-based issue, or perhaps a stack setting of some sort that doesn't like our network? I managed to grab a snoop of a timeout for an initiated SSH connection to a server. Of course, as soon as the first connection timed out, a retry went just fine, and any connections after that were fine as well. I don't see anything odd in the snoop really; perhaps someone else notices something or has experienced the same issue. Any help would be great!! Thanks!
    10:22:59.20472 ltis109.pplsi.com -> PPWUAS01 TCP D=22 S=4736 Syn Seq=1128875978 Len=0 Win=65535 Options=<mss 1260,nop,wscale 14,nop,nop,sackOK>
    10:23:2.06313 ltis109.pplsi.com -> PPWUAS01 TCP D=22 S=4736 Syn Seq=1128875978 Len=0 Win=65535 Options=<mss 1260,nop,wscale 14,nop,nop,sackOK>
    10:23:2.06328 PPWUAS01 -> ltis109.pplsi.com TCP D=4736 S=22 Ack=1128875979 Seq=3734794069 Len=0 Win=50400
    10:23:2.59342 PPWUAS01 -> ltis109.pplsi.com TCP D=4736 S=22 Syn Ack=1128875979 Seq=3734794068 Len=0 Win=50400 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
    10:23:8.05329 ltis109.pplsi.com -> PPWUAS01 TCP D=22 S=4736 Syn Seq=1128875978 Len=0 Win=65535 Options=<mss 1260,nop,wscale 14,nop,nop,sackOK>
    10:23:8.05342 PPWUAS01 -> ltis109.pplsi.com TCP D=4736 S=22 Ack=1128875979 Seq=3734794069 Len=0 Win=50400
    10:23:9.36182 PPWUAS01 -> ltis109.pplsi.com TCP D=4736 S=22 Syn Ack=1128875979 Seq=3734794068 Len=0 Win=50400 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
    10:23:22.87865 PPWUAS01 -> ltis109.pplsi.com TCP D=4736 S=22 Syn Ack=1128875979 Seq=3734794068 Len=0 Win=50400 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
    10:23:49.89221 PPWUAS01 -> ltis109.pplsi.com TCP D=4736 S=22 Syn Ack=1128875979 Seq=3734794068 Len=0 Win=50400 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>

    We also don't have a fix right now, but we applied the workaround mentioned in bug 6957273
    (now also suitable for tcp and udp ...)
    But I set ip_ire_arp_interval to 1200000 (20 min, the default value).
    We observed the delayed connection (SYN -> timeout of about 3.5 sec -> SYN again) very often
    since we installed SUNWjass on all our hosts, which sets ip_ire_arp_interval to 60000 (60 sec) to
    avoid ARP attacks. Now it's seen rarely, so we can wait till the problem is fixed by Sun/Oracle.
    Support told me that there will be a fix in the next kernel update.

  • Features of Cisco Secure ACS Appliance

    Hi,
    I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
    There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
                o     Can known users still be authorized?
                o     Are unknown users still blocked?
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    •     Which kinds of Attacks can the ACS (alone) prevent?
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rogue DHCP servers?
                o     Can it prevent STP Attacks?
    •     And the last one: What happens if I plug an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked, or only the unknown device?
    Thanks for all answers.
    Regards,
    taouri

    See inline answers:
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    Yes, as long as those devices support the RADIUS and TACACS+ IETF standards.  Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do.  You'll need to get details from the specific vendor on their requirements to ensure it'll work.
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
    This is driven by the AAA client, not the ACS.  In general, if it isn't reauthenticating the users, then yes, they'll still work
                o     Can known users still be authorized?
    In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
                o     Are unknown users still blocked?
    Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    Yes, as long as the VPN device is capable of sending RADIUS or TACACS+ requests to the ACS.
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    Yes, this is covered in the documentation for the appropriate ACS solution.  Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
    •     Which kinds of Attacks can the ACS (alone) prevent?
    ACS authenticates and authorizes users.  It isn't in and of itself a device for prevention of the L2 attacks you list.
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rogue DHCP servers?
                o     Can it prevent STP Attacks?
    •     And the last one: What happens if I plug an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked, or only the unknown device?
    This depends on how you configure the dot1x parameters on the port.  In general, this is often configured in single-host mode with a voice vlan for the phone.  The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication.  There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
    http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html

  • Detect attack man in the middle with IDS/IPS

    Hi,
    I have aip-ssm 20, IPS Version 7.0(6)E4
    Signature IDs 7101, 7102, 7104 and 7105 are used for detecting ARP poisoning attacks.
    The sensor works as an IDS in promiscuous mode. All traffic is forwarded to the sensor.
    I have performed a man-in-the-middle attack with Cain & Abel, but the sensor doesn't send an alarm. I attach an image with the signatures.
    Why doesn't the sensor detect the attack? The network is in the inside zone.
    Can anybody help me, please?

    Did you check if the SSM is getting those packets by running the "packet display .." command on the sensing interface? In the SSM, the ARP packets would not be forwarded by the ASA to the SSM.
    thx
    Madhu

  • Unused IP addresses attack 3rd parties

    Hello,
    We are having a strange situation where (used and) unused (!) public addresses belonging to our network attack 3rd parties.
    The specific network is as follows.
    WiFi5 -- WiFi6 -- SW11 (CE500-24TT)
    |
    |
    /--- <vlan 2> -- WiFi1 -- WiFi2 -- SW10 (SG300-10) -- WiFi3 -- WiFi4 -- R1 (Router 3640)
    |
    |
    R0 (Router 3825) -- <vlan 1> -- SW0 (C2960-24TT-L) -- SW1 (C2950T-24)
    |
    |
    SW2 (C2950T-24) -- SW3 (C2960CG-8TC-L) -- SW4 (SG300-28)
    All the above devices use public admin IP addresses from two fragments of a public Class C subnet which has been split in multiple parts.
    Wireless Links WiFi1--WiFi2, WiFi3--WiFi4, WiFi5--WiFi6 are high distance bridges implemented with Motorola equipment.
    A part of vlan2 Switches/Wireless Routers remained exposed to the Internet for some days with public admin IPs (i.e. it was accessible from the Internet, whereas we normally prohibit access using ACLs).
    I don't know if this was the cause of the security issue we are facing: We are watching (through Netflow monitoring) a high number of outgoing flows, which consist of attacks from IP Addresses of the whole Class C subnet (used or unused!) to addresses abroad (mainly to China), mainly to ports 22, 80, 7000.
    The most strange aspect of the attack is that many of these flows originate from IP addresses which are unused! No ARP or MAC entries exist for these addresses.
    I thought that hacking to one of the exposed Switches/Wireless Routers might have been the source of the issue, so we blocked access and eventually we shut vlan2 down. Before that, we examined all these devices and we did not find any visible signs of hacking (config changes / password changes / new accounts, etc.).
    However, we continued to see the same behavior until we rebooted SW0. We are currently seeing no such traffic, although we are worried that it will start again.
    We have the following questions:
    Can someone understand/explain what may have really happened?
    We are suspecting that, if Switches have not been hacked, some endpoint (node) may have been hacked and be causing this traffic. Is there a way we can monitor the number of outgoing flows per port on switches, to be able to identify a port (and an associated connected device) that causes the traffic?
    Is it possible that a Cisco Switch may run malware? Where/how should we look for it?
    Can you please suggest any other actions we should take (investigative commands to run, etc)?
    Can you suggest related documentation?
    Thanks in advance,
    Nick

    We found what was happening and I post here for everyone's reference.
    A workstation (running an old version of Fedora) had been hacked and was attacking the Internet using IP spoofing. It was automatically using IP addresses from the whole public Class C network to which its own IP address belonged.
    So, no part of the network infrastructure had been hacked, but the source of the attack was difficult to locate.
    Regards,
    Nick

  • Dynamic ARP Inspections on Wifi Routers?

    Is Dynamic ARP inspection possible to be done on wifi routers? I'm asking because I can't find any model with that feature. I would especially be interested in some cheaper models for home or small business use (maybe Linksys).

    You could be better served posting this on the SOHO forum. Speaking to enterprise gear like the Cisco WLC, yes.
    DAI for Wireless Access
    The WLC protects against MIM attacks by performing a similar function as DAI on the WLC itself. DAI should not be enabled on the access switch for those VLANs connecting directly to the WLCs because the WLC uses GARP to support Layer 3 client roaming.
    It is possible to enable DAI for each VLAN configured on a trunk between a FlexConnect and access point. Therefore, DAI is useful in wireless deployments where multiple SSIDs/VLANs exist on a FlexConnect. However, in a FlexConnect WLC deployment, there are two topologies that impact the effectiveness of the DAI feature. Both topologies assume that the attacker is associated to a FlexConnect WLC and is Layer 2-adjacent to the targets:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html#pgfId-1019449

  • Multi-MAC Address to One IP Attack?

    I had posted something earlier but have more information.
    Earlier I asked if you could have multiple IP addresses mapped to the same MAC-Address in the ARP table.
    Based on wire captures I have found that it is no problem for the WGB1310 or for the Cisco 6500 to have this. However, I am hearing that there is a special security feature in the WiSM or WLC that sees this as an attempted ATTACK on the network.  I would see a ping come through the 6500, over the wireless network and hit my virtual IP address and I would see the virtual IP address respond.  However, the response did not make it back to the sending PC because of this issue.
    And so now my application fails.
    Does anyone know of this feature or if I can disable it on the WiSM?  This is crushing my deployment.

    Ok, an update on this.
    I have a layer 3 switch on every train.
    I am thinking I can just keep the 1310 in WGB mode near my end user and keep the other 1310 in AP mode for the link back to the WiSM, plug the ethernet interface of my WGB into the layer 3 switch then on the other side of the switch I will have a /28 network.
    On the WLC/WiSM I would then create a static route for each /28 to the external interface (by which I mean the interface on the same subnet as the WLC) of the layer 3 switch.
    I think I would also have to create a static route on the 6500 for these networks as well since it needs to know that they exist on the other side of the WiSM.
    Make sense?
    Can't wait to test it out.
    James

  • ARP Cache Poison behavior by Apple TV

    Norton Anti-Virus reports blocking an ARP Cache Poison attack against my home network.  The reported source of the attack is the MAC number of the Apple TV on the network.
    Whether Norton is "reliable" is apparently contentious in the support community.  Several authors suggest, with authority, disabling Norton or the particular attack profile.
    Whether that makes sense depends on what the Apple TV is innocently doing to be profiled as a network attack. 
    Even when supposedly "asleep" the Apple TV is doing something that meets the profile of an ARP Cache Poison attack.  It did it every 30 minutes today, nine times yesterday, about 30 times the day before, etc.
    And if it is a design feature of the device, why is the device still performing despite having the activity continously blocked?  What is the purpose of this attack-like activity, assuming it is not an attack?  If it is an attack, how does one erase the programming initiating the attacks and still have an Apple TV?

    Short answer: it is a false positive.  I don't know exactly what causes it but I would guess Apple's Bonjour protocol, which is why you see something every 30 minutes.  That's just a blind guess, but seems to fit.
    Realize that a report of ARP poisoning wouldn't be likely on a private LAN, unless you got infected somehow.  No known malware like this for iOS devices (and much harder to insert one on AppleTV versus an iPhone or iPad.)  There are legitimate cases where ARP spoofing is used.  And even Cisco has instances where they say to ignore that warning:
    CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual "ARP poisoning" is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.
    DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with
    invalid SPA 192.168.1.152/TPA 192.168.0.206
    Workaround: Perform the following steps:
    • Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.
    I'm not saying that Norton's message is the same as Cisco's.  Just that Cisco states that the meaning of why the message appears is not clear and sometimes is acceptable.  And Cisco is the world leader in networking technology so if they don't always know why you get an ARP poisoning warning....
    I won't go into the politics of "Norton bad" or whatever, but based on my experience (bias) with Norton in its various forms for over 10 years, IMHO you can ignore this.  Hopefully you can configure Norton to selectively ignore this.  If not, you may have to use a different security program.  Me personally, I do not recommend any "security suites" because they cause exactly this kind of additional headache.  Just a "plain" antivirus program.  Windows has a built-in firewall and most people will be using a hardware firewall at the office or home, so the firewall in the "security suite" is extraneous.

  • STB Sending ARP requests every 9 minutes

    Is there a particular reason that I keep getting ARP requests from the STB even though it has been assigned an IP?

    So there is no way to route that correctly?
    I mean, I haven't blocked any of that traffic.
    I used to use a different router with my old service, and well, you guys supply one.
    Since I have a new router now, I wanted to check how well the firewall was set up and if there was any automatic anti-spoofing on the router or if I had to set it up myself.
    So, feeling insecure, I turned my personal Outpost firewall back on on my computer.
    Which is catching that as a spoofing attack, of course.
    But now my question is, couldn't that traffic be routed appropriately?
    It doesn't seem like a big deal, just a little messy.
    And this thread is easily applying to FIOS INTERNET more and more as we talk.
    From what I get, it's the STBs looking for the DVR.
    What would happen if you blocked that info coming across the bridge, or routed the info appropriately vs. blocking it?
    Does it have to come across the bridge, and if so, why?
    From the looks of things I could definitely keep that on the coax side of things vs. having it run across the bridge.
    My computer recognizes it as spoofing, but the router doesn't, of course, because it's all behind the router.
    Maybe you or someone else could help me further in defining the design of that communication.
    Again, it's harmless and not a big deal; it's more curiosity than anything else at this point.

  • Kernel message: Could not enable ARP cache poisoning detection.

    Looking at system files in Console, for another issue, I came across this kernel message, which occurs at start-up: "*Could not enable ARP cache poisoning detection. Your computer will not be protected*."
    It's an Intel Mac Mini running Leopard (10.5.8). I have Norton Antivirus for Mac 11 installed (I know, I know), which has ARP cache poisoning turned on in its "vulnerability protection" prefs. I've gotten no warnings of attacks from Norton, just this kernel message at start-up. I've seen this issue on a couple of other threads with no answer or solution (except advice to Google it... duh!), already archived and accepting no new posts... so no help there.
    Is this ARP cache poisoning detection part of the OS, and if so, why is it not being enabled? Is there a way to enable it? Could the kernel message be telling me that the Norton protection is bugged and not working, or would it be OS related? The mini is a wired connection (ethernet), and there's one other laptop (MacBook 10.4.11) using the modem/router (Actiontec GT 701-wg) via wireless AirPort. I haven't seen this message on the laptop in Console or system logs, but haven't looked hard.
    Someone, please respond with a knowledgeable answer, for me and for others who've asked here and on other forums with no helpful public answers given.

    Doing an "erase and install" of Leopard, thus dumping Norton AV 11, and then installing Snow Leopard... I haven't seen this kernel message come up again, yet. I'll assume it was some buggy Norton-related thing that cropped up after an OS update, but who knows. I'll leave the question open for a bit, in case anyone else has had this issue and found a reason or solution, and wants to share.

  • Help understanding DHCP Snooping and Dynamic ARP Inspection

    Please help me to understand DHCP Snooping and Dynamic ARP Inspection.

    Hi Ezra,
    In simple words:
    DHCP Snooping is a feature which is available on switches. This feature is used to prevent rogue DHCP server attacks.
    In the diagram, a valid DHCP server is connected to the network. The computers are supposed to receive dynamic IP addresses from the valid server. An attacker implants a rogue DHCP server on the network as shown in the diagram. The following steps are followed for a client to receive an IP address from a DHCP server.
    When a client (computer) is connected to the switch and is configured to receive a dynamic IP address from a DHCP server, the DHCP service on the client sends out a DHCP Discover packet, searching for servers on the network. This packet is broadcast in nature. DHCP servers on the network would respond to the DHCP Discover packet sent from the client. In the example, both DHCP servers would respond to the DHCP Discover packet. The client would process the first packet it receives. If the response sent by the rogue DHCP server reaches the client first, then the computer would have an IP address provided by the rogue DHCP server.
    To prevent this, DHCP snooping is configured on the port to which the valid DHCP server is connected. After the configuration is performed, no other ports on the switch would be able to respond to DHCP Discover packets from the clients. So even though the attacker has set up a rogue DHCP server, the port on the switch to which the attacker has connected would not be allowed to respond to DHCP Discover packets. Thus DHCP snooping thwarts the attacker's attempt at setting up a rogue DHCP server.
    DAI:
    Please read the explained version from here: http://ciscocertstudyblog.blogspot.de/2010/06/ciscoblogpics.html
    More about DHCP snooping and DAI: Please read this attached document with some detailed explanation.
    Hope it helps.
    Regards
    Please use the rating system and mark the question answered; it may help others.
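A switch-side simulation of the two mechanisms just described, plus the "ARP before DHCP" case from the controller message quoted in the Apple TV thread above, as an added example that is not code from the original thread or from any vendor (port names, VLAN, MACs and addresses are constructed): server replies are accepted only on the trusted port, leases confirmed there populate a binding table, and DAI forwards an ARP packet from an untrusted port only when its sender MAC/IP matches the binding learned for that port.

```python
"""DHCP snooping and Dynamic ARP Inspection (DAI), simulated.

Added example, not code from the original thread or from any vendor.
Models the switch behaviour: DHCP server messages are dropped on
untrusted ports, an ACK on a trusted port creates a binding for the
requesting client's port, and ARP packets on untrusted ports must
match a binding (sender MAC, sender IP, ingress port) to be forwarded.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One snooping binding: who holds which IP on which port/VLAN."""
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class Switch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port
    log: list = field(default_factory=list)

    def dhcp_client_msg(self, port, vlan, client_mac):
        """DISCOVER/REQUEST from a client: remember which port it is on."""
        self.pending[(client_mac.lower(), vlan)] = port
        return True

    def dhcp_server_msg(self, port, vlan, msg, client_mac, client_ip):
        """OFFER/ACK from a server. Snooping drops server messages that
        arrive on untrusted ports, so a rogue server's offers never reach
        the clients; an ACK on a trusted port creates a binding."""
        key = (client_mac.lower(), vlan)
        if port not in self.trusted_ports:
            self.log.append(f"DROP DHCP {msg} on untrusted port {port}")
            return False
        if msg == "ACK" and key in self.pending:
            self.bindings[key] = Binding(key[0], client_ip, self.pending.pop(key), vlan)
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI check for an ARP packet (request, reply or gratuitous)
        entering on `port`. Trusted ports are not inspected; on untrusted
        ports the sender MAC/IP must match the binding for that port."""
        if port in self.trusted_ports:
            return True
        b = self.bindings.get((sender_mac.lower(), vlan))
        if b is None:
            # Same situation as the controller message quoted earlier:
            # ARP from a client that has not completed DHCP yet.
            self.log.append(f"DROP ARP {sender_mac}/{sender_ip} on {port}: no binding")
            return False
        if b.ip != sender_ip or b.port != port:
            self.log.append(
                f"DROP ARP {sender_mac}/{sender_ip} on {port}: binding is {b.ip} on {b.port}")
            return False
        return True


def demo():
    """Constructed scenario: one trusted uplink, a rogue server, a real
    client and a host that skipped DHCP. Returns per-packet verdicts."""
    sw = Switch(trusted_ports={"Gi0/1"})
    out = {}
    sw.dhcp_client_msg("Gi0/3", 10, "aa:aa:aa:aa:aa:01")
    # a rogue DHCP server on an access port answers first -> dropped
    out["rogue_offer"] = sw.dhcp_server_msg("Gi0/5", 10, "OFFER", "aa:aa:aa:aa:aa:01", "10.0.0.99")
    # the real server's lease arrives via the trusted port -> binding created
    out["real_ack"] = sw.dhcp_server_msg("Gi0/1", 10, "ACK", "aa:aa:aa:aa:aa:01", "10.0.0.50")
    out["client_arp"] = sw.arp("Gi0/3", 10, "aa:aa:aa:aa:aa:01", "10.0.0.50")
    # the same client claiming the gateway's address (ARP poisoning) -> dropped
    out["gateway_claim"] = sw.arp("Gi0/3", 10, "aa:aa:aa:aa:aa:01", "10.0.0.1")
    # a statically addressed host with no lease -> dropped until a static
    # binding or ARP ACL covers it
    out["static_host"] = sw.arp("Gi0/4", 10, "bb:bb:bb:bb:bb:02", "10.0.0.77")
    # the gateway behind the trusted port is never inspected
    out["router_arp"] = sw.arp("Gi0/1", 10, "00:11:22:33:44:55", "10.0.0.1")
    out["bindings"] = len(sw.bindings)
    return out, sw.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:14} {verdict}")
    print("\n".join(log))
```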

  • My Mac and iPhone 6 have been hacked! For sure! Antivirus Sentinel Pro from the Apple store detected APR or ARP spoofing; thereafter the antivirus protection also got hacked. I turn network monitoring on, they turn it off, like 3 times, then they close the antivirus

    My Mac and iPhone 6 have been hacked! For sure! Antivirus Sentinel Pro from the Apple store detected APR or ARP spoofing; thereafter the antivirus protection also got hacked. I turn network monitoring on, they turn it off every time, then they close the antivirus for good. Also Google.com is being imitated and not showing a true certificate (APR spoofing)? These guys are good! I erased and reinstalled Yosemite and changed all passwords, even on the wifi... could it be wifi sniffing? I got Kaspersky hoping to use the virtual keyboard for passwords, and Kaspersky is compromised too.. the virtual keyboard doesn't work; it freezes up, not allowing me to enter a password. So I uninstalled and reinstalled Kaspersky, so now I have a problem with the reinstall that doesn't work, then way later that day it is reinstalled.. not over yet.. that virtual keyboard now pops up randomly wanting me to use a password? Seems like they can copy anything real fast, for I have to enter info like 2 or 3 times; never had that problem before. I'm thinking about going old school with paper docs and checks.. yes, technology ***... too vulnerable. On the news they said 97% of businesses are hacked! Can someone help me to counter this attack? Thx

    You have not been hacked. Get rid of all that antivirus. It is just making your life harder.

  • ARP broadcasts & DHCPv6 solicits & neighbour advertisements visible

    We have a setup with 5500 controller with a couple of SSID (2 WPA2 , 1 Open).
    The 'Controller - General - Broadcast Forwarding' option is set on disabled.
    DHCP proxy is enabled.
    Multicast is also disabled.
    P2P Blocking action is Drop.
    Issue 1: ARP broadcasts
    When sniffing on the encrypted SSIDs we see ARP requests for the default gateway (received by DHCP) of the clients.
    The ARP requests are coming from clients located on different access points.
    When we do this on the open SSID, not a single ARP request is visible. Which is, as far as I understand, the way it should work, because proxy ARP is enabled by default.
    'The WLC acts as an ARP proxy for WLAN clients by maintaining the MAC address-IP address associations. This allows the WLC to block duplicate IP address and ARP spoofing attacks. The WLC does not allow direct ARP communication between WLAN clients. This also prevents ARP spoofing attacks directed at WLAN client devices.' from http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/ch4_2_SPMb.html#wp1307340
    Is this a bug or just something about WPA2 that I don't understand ?
    Issue 2: DHCPv6 solicits & Neighbour Advertisements
    The same issue as the ARP broadcasts is also popping up with DHCPv6 solicits & Neighbour Advertisements, although this is the same for the WPA2 as for the Open SSID.
    We're seeing DHCPv6 solicits (to ff02::1:2) from clients on different APs when sniffing.
    We're seeing Neighbour Advertisements (ICMPv6 to ff02::1) from clients on different APs when sniffing.
    Why is this forwarded? Shouldn't this be blocked by the controller? Also a bug?
    Thanks,
    Wim

    I'm not a fan of "me too" posts but I'll chime in with "me too" here anyway. Thanks for this thread: for the longest time I thought I was the only one seeing this issue! Before I found this I did a lot of searching and packet capture analysis and in an effort to help anyone else dealing with it, my findings are below.
    CSCub65575 seems to still be present in 7.2.111.3 based on packet captures I did yesterday. On another WiSM2 running 7.4.100.0 I noticed that gratuitous ARP traffic is still forwarded downstream to wireless clients. That is listed as a fixed version on CSCub65575 and I'm not sure if this is intentional or not but I figured it was worth mentioning.
