Re: ARP spoofing attacks
From: DownBload (downbload_at_hotmail.com)
Date: 04/18/04
- Previous message: Markus Schabel: "Re: ARP spoofing attacks"
- Maybe in reply to: Amit Agrawal: "ARP spoofing attacks"
- Next in thread: Matthias Vallentin: "Re: ARP spoofing attacks"
- Reply: Matthias Vallentin: "Re: ARP spoofing attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 18 Apr 2004 21:03:44 -0000
To: security-basics@securityfocus.com
In-Reply-To: <1082072190.19308.22.camel@ranjeet-pc2.zultys.com>
Hi,
There is one simple preventive solution for ARP SPOOFING attacks. Use static ARP tables (arp -s).
bye.
>hi Amit,
>
>There is no real preventive solution, but you can address this issue by
>continuous monitoring. Since you are concerned with only one IP device,
>i.e. your router, it is simple work.
>
>You could use arpwatch (http://www-nrg.ee.lbl.gov/) to track changes in
>IP-to-Mac address pairings. Arpwatch can also use sendmail to email you
>the changes. Arpwatch will catch changes in ANY Mac-IP pairing, which is
>not meaningful for DHCP-allocated IP ranges. Hence, the "-n" flag will
>help you narrow the scope of the hosts you want to track.
>
>1. start up arpwatch
>2. "ping" the server and verify that the mac address on the server's NIC
>matches the mac address that your arp table is showing
>3. let arpwatch catch any changes and notify you.
>4. ???
>5. profit!!
>
>( sorry, been reading too much /. i guess! :) )
>
>I believe that the freebsd kernel has a similar tracking mechanism built
>into it (but no sendmail, kernel uses printk to notify user).
>
>Also, the "arping" utility will let you ping neighbours at the layer 2
>level i.e. specify the mac address directly, and also bypass the arp
>table since this is a layer 2 ping.
>
>HTH,
>Ranjeet.
>
>On Wed, 2004-04-14 at 16:47, David Gillett wrote:
>> The short, sharp, general answer is that you can't.
>> Layer two security measures are going to see a packet
>> (it happens to be an ARP reply) from the miscreant's
>> port, but since its source MAC address is what they
>> expect, they'll let it through. Layer three measures
>> won't see it either, because it's a unicast within the
>> same vlan/subnet and so never needs to hit a layer 3
>> device.
>>
>> About all you can do proactively, if this is a serious
>> concern, is add a static ARP table entry to every host
>> so they never need to send out an ARP request for the
>> gateway.
>>
>> David Gillett
>>
>>
>> > -----Original Message-----
>> > From: Amit Agrawal [mailto:csu02103@cse.iitd.ernet.in]
>> > Sent: Tuesday, April 13, 2004 9:22 PM
>> > To: security-basics@securityfocus.com
>> > Subject: ARP spoofing attacks
>> >
>> >
>> >
>> > Hi
>> > I have a question...How do u secure
>> > against ARP spoofing attacks...If
>> > not the whole subnet...I want to be
>> > sure that no one spoofs the IP of
>> > my gateway.
>> >
>> > Amit
>>
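The monitoring approach described in the quoted reply (learn the gateway's IP-to-MAC pairing, then report any change, restricted to the hosts you care about) as a small added example; this is not code from the thread or from arpwatch, and the timestamps, IPs and MAC addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies as (time, sender IP, sender MAC).
# 192.168.1.1 plays the gateway; 192.168.1.50 is a DHCP client we do not track.
OBSERVED_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),   # gateway, genuine
    ("10:00:02", "192.168.1.50", "00:aa:bb:cc:dd:01"),  # not watched, ignored
    ("10:00:03", "192.168.1.1", "00:11:22:33:44:55"),   # unchanged, no alert
    ("10:00:04", "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway MAC changed
    ("10:00:05", "192.168.1.50", "00:aa:bb:cc:dd:02"),  # not watched, ignored
    ("10:00:06", "192.168.1.1", "00:11:22:33:44:55"),   # flips back to original
]

def track_pairings(replies, watched_ips):
    """Return one alert string per MAC change seen for a watched IP.

    First sighting of a watched IP learns its MAC.  A later sighting with a
    different MAC is reported as "changed ethernet address"; a return to a
    MAC seen earlier is reported as "flip flop".  Restricting the watch list
    is what keeps a DHCP segment from drowning you in benign changes.
    """
    known = {}                  # ip -> MAC currently believed correct
    seen_macs = defaultdict(set)  # ip -> every MAC ever seen for it
    alerts = []
    for ts, ip, mac in replies:
        if ip not in watched_ips:
            continue
        mac = mac.lower()
        if ip not in known:
            known[ip] = mac
            seen_macs[ip].add(mac)
            continue
        if mac != known[ip]:
            kind = "flip flop" if mac in seen_macs[ip] else "changed ethernet address"
            alerts.append(f"{ts} {kind}: {ip} was {known[ip]}, now {mac}")
            known[ip] = mac
            seen_macs[ip].add(mac)
    return alerts

def static_arp_command(ip, mac):
    """Build the 'arp -s' line that pins a verified gateway mapping on a host."""
    return f"arp -s {ip} {mac}"

if __name__ == "__main__":
    for line in track_pairings(OBSERVED_REPLIES, {"192.168.1.1"}):
        print(line)
    print(static_arp_command("192.168.1.1", "00:11:22:33:44:55"))
```

Verify the gateway's real MAC on the router itself before pinning it with the printed `arp -s` line, as the quoted step 2 advises, otherwise a spoofed mapping gets made permanent.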