Home page logo

basics logo Security Basics mailing list archives

Re: ARP Poisoning
From: "Chris McNab" <chris.mcnab () trustmatta com>
Date: Thu, 8 May 2003 13:26:17 +0100


Static ARP entries are not a viable solution in a dynamic environment. Sure
if you have maybe 3 servers in a DMZ, but not if you are looking to protect
workstations and servers on an internal network space. Anyway, its known
that a few operating systems (Windows, Solaris, et al) flush the ARP cache
(including static entries) periodically, and under Windows the static
entries can be overwritten using spoofed ARP replies!!

ARP has no authentication or security built into it. Due to the nature of
the protocol it is not routable, and so at least these attacks are limited
to internal network space.

Arpwatch is the only decent way to protect against this threat:


Arpwatch is a tool that monitors ethernet activity and keeps a database of
ethernet/ip address pairings. It also reports certain changes via email.


Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com

FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]