Security Basics mailing list archives
Re: ARP spoofing attacks
From: DownBload <downbload () hotmail com>
Date: 18 Apr 2004 21:03:44 -0000
In-Reply-To: <1082072190.19308.22.camel () ranjeet-pc2 zultys com> Hi, There is one simple preventive solution for ARP SPOOFING attacks. Use static ARP tables (arp -s). bye.
hi Amit, There is no real preventive solution, but you can address this issue by continuous monitoring. Since you are concerned with only one IP device, i.e. your router, it is simple work. You could use arpwatch (http://www-nrg.ee.lbl.gov/) to track changes in IP-to-Mac address pairings. Arpwatch can also use sendmail to email you the changes. Arpwatch will catch changes in ANY Mac-IP pairing, which is not meaningful for DHCP-allocated IP ranges. Hence, the "-n" flag will help you narrow the scope of the hosts you want to track. 1. start up arpwatch 2. "ping" the server and verify that the mac address on the server's NIC matches the mac address that your arp table is showing 3. let arpwatch catch any changes and notify you. 4. ??? 5. profit!! ( sorry, been reading too much /. i guess! :) ) I believe that the freebsd kernel has a similar tracking mechanism built into it (but no sendmail, kernel uses printk to notify user). Also, the "arping" utility will let you ping neighbours at the layer 2 level i.e. specify the mac address directly, and also bypass the arp table since this is a layer 2 ping. HTH, Ranjeet. On Wed, 2004-04-14 at 16:47, David Gillett wrote:The short, sharp, general answer is that you can't. Layer two security measures are going to see a packet (it happens to be an ARP reply) from the miscreant's port, but since its source MAC address is what they expect, they'll let it through. Layer three measures won't see it either, because it's a unicast within the same vlan/subnet and so never needs to hit a layer 3 device. About all you can do proactively, if this is a serious concern, is add a static ARP table entry to every host so they never need to send out an ARP request for the gateway. David Gillett-----Original Message----- From: Amit Agrawal [mailto:csu02103 () cse iitd ernet in] Sent: Tuesday, April 13, 2004 9:22 PM To: security-basics () securityfocus com Subject: ARP spoofing attacks Hi I have a question...How do u secure against ARP spoofing attacks...If not the whole subnet...I want to be sure that no one spoofs the IP of my gateway. Amit
--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Re: ARP spoofing attacks DownBload (Apr 19)
- Re: ARP spoofing attacks Matthias Vallentin (Apr 19)