Title
What behavior to expect from Symantec Endpoint Protection client when anti-mac spoofing is enabled
Body
This is how Symantec Endpoint Protection (SEP) determines if a mac spoofing attack is in progress:
1. If the ARP packet was sent as a response to a request from the client, SEP allows the inbound and outbound ARP traffic, provided an ARP request was made to that specific host. SEP blocks all other unexpected ARP traffic.
This means that when computer A wants to communicate with computer B, computer A sends an ARP request to computer B. Once computer A has sent the ARP request, the client allows the corresponding ARP response within a period of 10 seconds.
2. If there is already a cached entry for this MAC address
3. If the cached entry has a different IP address from the one in the ARP packet
If the response was not requested, and the IP address is different from the cached entry, SEP sees this as a spoofing attack and blocks it.
NOTE: If a third-party NAC product is deployed in the network alongside SEP (with anti-MAC spoofing enabled), and that NAC product uses MAC spoofing techniques, SEP may detect packets associated with the product as a spoofing attack.
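The three rules above, as an added illustration that is not SEP's own code: a simplified model (an assumption about how the rules combine) that classifies a constructed ARP trace as allowed, spoofing, gratuitous, or merely unsolicited.

```python
# Added illustration (assumption, not SEP's code): a simplified model of the rules above.
from dataclasses import dataclass, field

REPLY_WINDOW = 10.0  # seconds an ARP reply is accepted after this host's own request

@dataclass
class ArpEvent:
    ts: float          # seconds since start of trace
    op: str            # "request" (sent by this host) or "reply" (received)
    sender_mac: str
    sender_ip: str
    target_ip: str

@dataclass
class ArpGuard:
    pending: dict = field(default_factory=dict)  # target_ip -> time this host asked for it
    cache: dict = field(default_factory=dict)    # sender_mac -> IP learned from an allowed reply

    def observe(self, ev: ArpEvent) -> str:
        if ev.op == "request":
            self.pending[ev.target_ip] = ev.ts  # remember whom we asked, and when
            return "allow"
        asked_at = self.pending.get(ev.sender_ip)
        if asked_at is not None and 0 <= ev.ts - asked_at <= REPLY_WINDOW:
            # Rule 1: solicited reply inside the 10 s window; learn the MAC/IP pair.
            del self.pending[ev.sender_ip]
            self.cache[ev.sender_mac] = ev.sender_ip
            return "allow"
        cached_ip = self.cache.get(ev.sender_mac)
        if cached_ip is not None and cached_ip != ev.sender_ip:
            # Rules 2+3: a MAC already in the cache now claims a different IP -> spoofing.
            return "block:spoofing"
        if ev.sender_ip == ev.target_ip:
            # Gratuitous ARP (unsolicited, sender == target): tagged separately for triage.
            return "block:gratuitous"
        return "block:unsolicited"  # every other unexpected reply is dropped

def run(events):
    guard = ArpGuard()
    return [guard.observe(e) for e in events]

# Constructed trace: solicited reply, IP change from a known MAC, gratuitous ARP, late reply.
SAMPLE = [
    ArpEvent(0.0, "request", "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.2"),
    ArpEvent(0.5, "reply", "aa:aa:aa:aa:aa:02", "10.0.0.2", "10.0.0.1"),
    ArpEvent(30.0, "reply", "aa:aa:aa:aa:aa:02", "10.0.0.9", "10.0.0.1"),
    ArpEvent(31.0, "reply", "aa:aa:aa:aa:aa:03", "10.0.0.5", "10.0.0.5"),
    ArpEvent(40.0, "request", "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.7"),
    ArpEvent(55.0, "reply", "aa:aa:aa:aa:aa:07", "10.0.0.7", "10.0.0.1"),
]
```

The last reply arrives 15 s after the matching request, so it falls outside the 10 s window and is treated like any other unexpected reply.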
Unsolicited ARP responses (gratuitous ARP):
There are many possible causes, including but not limited to:
- The packet source is infected with a virus, i.e. the host or other device sending the gratuitous ARP packets is infected
- Network environment issues
- Application issues
Unsolicited ARP responses caused by the network environment or an application
Gratuitous ARP is a special kind of ARP packet; devices send gratuitous ARP mainly for the following purposes:
- To determine whether another device's IP address conflicts with its own. When other devices receive the gratuitous ARP packet and find that the IP address in the packet is the same as their own, they return an ARP reply to the sender to report the IP address conflict
- After a device changes its hardware address, it sends gratuitous ARP packets to notify other devices to update their ARP table entries
If you suspect the source host or device is infected:
Locate the source host and scan it for viruses; see http://www.symantec.com/docs/TECH122466. You can also enable SEP's Risk Tracer feature to locate the virus source: http://www.symantec.com/business/support/index?page=content&id=TECH94526
If you suspect an environment or application issue:
It is recommended to use Wireshark to confirm the source. Wireshark download: http://www.wireshark.org/download.html
Generally speaking, if only a single machine is sending the packets, it is an application issue, although an environment issue cannot be completely ruled out; if the source is a switch or other network device, it is usually an environment issue, i.e. the device uses gratuitous ARP to implement some function. If the application behaviour is not by design, it may be a virus infection.