Re: ARP spoofing attacks

[DownBload <downbload () hotmail com>]

In-Reply-To: <1082072190.19308.22.camel () ranjeet-pc2 zultys com>

Hi,

There is one simple preventive solution for ARP SPOOFING attacks. Use static ARP tables (arp -s).

bye. 

> hi Amit,
>
> There is no real preventive solution, but you can address this issue by
> continuous monitoring. Since you are concerned with only one IP device,
> i.e. your router, it is simple work.
>
> You could use arpwatch (http://www-nrg.ee.lbl.gov/) to track changes in
> IP-to-Mac address pairings. Arpwatch can also use sendmail to email you
> the changes. Arpwatch will catch changes in ANY Mac-IP pairing, which is
> not meaningful for DHCP-allocated IP ranges. Hence, the "-n" flag will
> help you narrow the scope of the hosts you want to track.
>
> 1. start up arpwatch
> 2. "ping" the server and verify that the mac address on the server's NIC
> matches the mac address that your arp table is showing
> 3. let arpwatch catch any changes and notify you.
> 4. ???
> 5. profit!!
>
> ( sorry, been reading too much /. i guess! :) )
>
> I believe that the freebsd kernel has a similar tracking mechanism built
> into it (but no sendmail, kernel uses printk to notify user).
>
> Also, the "arping" utility will let you ping neighbours at the layer 2
> level i.e. specify the mac address directly, and also bypass the arp
> table since this is a layer 2 ping.
>
> HTH,
> Ranjeet.
>
> On Wed, 2004-04-14 at 16:47, David Gillett wrote:
> >   The short, sharp, general answer is that you can't.
> > Layer two security measures are going to see a packet
> > (it happens to be an ARP reply) from the miscreant's 
> > port, but since its source MAC address is what they 
> > expect, they'll let it through.  Layer three measures
> > won't see it either, because it's a unicast within the 
> > same vlan/subnet and so never needs to hit a layer 3
> > device.
> >
> >   About all you can do proactively, if this is a serious
> > concern, is add a static ARP table entry to every host 
> > so they never need to send out an ARP request for the
> > gateway.
> >
> > David Gillett
> >
> >
> > > -----Original Message-----
> > > From: Amit Agrawal [mailto:csu02103 () cse iitd ernet in]
> > > Sent: Tuesday, April 13, 2004 9:22 PM
> > > To: security-basics () securityfocus com
> > > Subject: ARP spoofing attacks
> > >
> > >
> > >
> > > Hi
> > >  I have a question...How do u secure
> > >  against ARP spoofing attacks...If
> > >  not the whole subnet...I want to be
> > >  sure that no one spoofs the IP of
> > >  my gateway.
> > >  
> > > Amit

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------