Security Basics mailing list archives

Re: ARP spoofing attacks
From: Matthias Vallentin <x () pi-cubiq de>
Date: Mon, 19 Apr 2004 21:18:34 +0200

* DownBload <downbload () hotmail com> [18 Apr 2004 21:03:44 -0000]:

In-Reply-To: <1082072190.19308.22.camel () ranjeet-pc2 zultys com>

Hi,

There is one simple preventive solution for ARP SPOOFING attacks. Use static ARP tables (arp -s).

bye.

static arp entries only work imho with a unix-based os. windows machines seem to ignore a static arp entry (spoofing is still possible!). so a permanent mac-to-ip-binding can only prevent it in a unix environment.


hi Amit,

There is no real preventive solution, but you can address this issue by
continuous monitoring. Since you are concerned with only one IP device,
i.e. your router, it is simple work.

You could use arpwatch (http://www-nrg.ee.lbl.gov/) to track changes in
IP-to-Mac address pairings. Arpwatch can also use sendmail to email you
the changes. Arpwatch will catch changes in ANY Mac-IP pairing, which is
not meaningful for DHCP-allocated IP ranges. Hence, the "-n" flag will
help you narrow the scope of the hosts you want to track.

1. start up arpwatch
2. "ping" the server and verify that the mac address on the server's NIC
matches the mac address that your arp table is showing
3. let arpwatch catch any changes and notify you.
4. ???
5. profit!!

( sorry, been reading too much /. i guess! :) )

I believe that the freebsd kernel has a similar tracking mechanism built
into it (but no sendmail, kernel uses printk to notify user).

Also, the "arping" utility will let you ping neighbours at the layer 2
level i.e. specify the mac address directly, and also bypass the arp
table since this is a layer 2 ping.

HTH,
Ranjeet.

On Wed, 2004-04-14 at 16:47, David Gillett wrote:
  The short, sharp, general answer is that you can't.
Layer two security measures are going to see a packet
(it happens to be an ARP reply) from the miscreant's 
port, but since its source MAC address is what they 
expect, they'll let it through.  Layer three measures
won't see it either, because it's a unicast within the 
same vlan/subnet and so never needs to hit a layer 3
device.

  About all you can do proactively, if this is a serious
concern, is add a static ARP table entry to every host 
so they never need to send out an ARP request for the
gateway.

David Gillett


-----Original Message-----
From: Amit Agrawal [mailto:csu02103 () cse iitd ernet in]
Sent: Tuesday, April 13, 2004 9:22 PM
To: security-basics () securityfocus com
Subject: ARP spoofing attacks



Hi
I have a question... How do you secure against ARP spoofing attacks... If not the whole subnet... I want to be sure that no one spoofs the IP of my gateway.
 
Amit
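
The single-gateway monitoring described in this thread (one known-good IP-to-MAC pairing, watched for changes), as an added example that is not part of any poster's message. It assumes a Linux host, where the kernel ARP cache is readable as text at /proc/net/arp; the addresses, MACs and function names are constructed for illustration.

```python
"""Check a pinned gateway IP-to-MAC binding against /proc/net/arp-format snapshots."""
ATF_COM, ATF_PERM = 0x02, 0x04  # Linux ARP flags: entry complete / permanent (static)

# Constructed samples: documentation-range IPs, made-up MACs.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:01     *        eth0
192.0.2.23       0x1         0x2         00:00:5e:00:53:17     *        eth0
"""
SUSPECT = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:17     *        eth0
192.0.2.23       0x1         0x2         00:00:5e:00:53:17     *        eth0
"""

def parse_proc_net_arp(text):
    """Return {ip: (mac, flags)} for complete entries; the first line is a header."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:  # incomplete entries carry no usable MAC
            table[ip] = (mac, flags)
    return table

def check_gateway(table, gateway_ip, pinned_mac):
    """Return a list of findings for the gateway's entry in one snapshot."""
    entry = table.get(gateway_ip)
    if entry is None:
        return ["no-entry"]
    mac, flags = entry
    findings = []
    if mac != pinned_mac.lower():
        findings.append("mac-changed:" + mac)
    if not flags & ATF_PERM:  # a dynamic entry can be overwritten by an ARP reply
        findings.append("not-static")
    # One MAC answering for the gateway and another host is worth a look
    # (proxy ARP or multi-homed devices can also cause this).
    sharers = sorted(ip for ip, (m, _) in table.items() if m == mac and ip != gateway_ip)
    if sharers:
        findings.append("mac-shared-with:" + ",".join(sharers))
    return findings

if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("suspect", SUSPECT)):
        print(name, check_gateway(parse_proc_net_arp(snap), "192.0.2.1", "00:00:5e:00:53:01"))
```

On a live Linux host, pass the contents of /proc/net/arp to `parse_proc_net_arp` on a timer and alert on any non-empty result other than the findings you have accepted.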


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

