Protection against arp spoofing

PostPosted: Sat Oct 08, 2011 20:59    Post subject: Protection against arp spoofing
OK, recently there have appeared multiple hacking tools using ARP spoofing. As far as I understand, it works like this: the hacker's device connects to the network and starts to send fake ARP packets, identifying itself as the router. So other devices start to broadcast all communication to this "fake router", and this traffic can be dropped or even sniffed. As far as I know, there is no protection except HTTPS. Is there any way to fight this? For example, identify the source of those packets and kick it from the network?
zeroed
DD-WRT Novice


Joined: 24 Oct 2011
Posts: 3

PostPosted: Mon Oct 24, 2011 20:31    Post subject: Re: Protection against arp spoofing
You can set a static ARP entry for your router on your clients. This will prevent ARP spoofing of your router but comes with an administrative overhead.

You could also use software like arpwatch that monitors your network for suspicious ARP traffic. It is fairly hard to block attackers, since there is no way to distinguish a spoofed Ethernet frame from a legitimate one, unless you are keeping state of all ARP communications.

You can block the switch ports on which you detect MAC address changes, but this may cause denial of service conditions in some network setups. This feature is sometimes called "port security".

/ Jonas
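An added example, not code from this thread or from arpwatch itself: a minimal arpwatch-style monitor that keeps IP-to-MAC state from ARP traffic and raises an alert when a binding changes, with the router "pinned" the way a static ARP entry would be. It assumes IPv4 over Ethernet only, and the ARP bodies below are constructed samples, not captured traffic.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional
@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
def parse_arp(payload: bytes) -> Optional[ArpPacket]:
    # 28-byte ARP body after the Ethernet header; IPv4-over-Ethernet only, else None
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in payload[8:14])
    return ArpPacket(".".join(str(b) for b in payload[14:18]), mac)

@dataclass
class ArpMonitor:
    # arpwatch-style state: pinned entries (e.g. the router) are never overwritten
    pinned: Dict[str, str] = field(default_factory=dict)
    learned: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        # requests carry a sender binding too, so gratuitous requests are checked as well
        ip, mac = pkt.sender_ip, pkt.sender_mac.lower()
        expected = self.pinned.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac
            return None
        if mac == expected:
            return None
        alert = f"{ip}: MAC {expected} now claimed by {mac}"
        self.alerts.append(alert)
        if ip not in self.pinned:
            self.learned[ip] = mac  # track the flip so a flap back alerts again
        return alert
def run_monitor(frames: List[bytes], pinned: Dict[str, str]) -> List[str]:
    mon = ArpMonitor(pinned={k: v.lower() for k, v in pinned.items()})
    for pkt in filter(None, map(parse_arp, frames)):
        mon.observe(pkt)
    return mon.alerts
# Constructed samples: router 192.168.1.1 = 00:11:22:33:44:55, client 192.168.1.100 = 00:0c:29:12:34:56
SAMPLE_FRAMES = [
    bytes.fromhex("0001080006040002" "001122334455" "c0a80101" "000c29123456" "c0a80164"),
    bytes.fromhex("0001080006040002" "000c29aabbcc" "c0a80132" "000c29123456" "c0a80164"),
    bytes.fromhex("0001080006040002" "aabbccddeeff" "c0a80101" "000c29123456" "c0a80164"),
    bytes.fromhex("00010800"),  # truncated frame, ignored by the parser
]
```

Feeding the frames to `run_monitor` with the router pinned yields one alert for the third frame, which claims the router's IP from a different MAC; without the pinned entry the monitor learns the first binding and still alerts on the change.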
PostPosted: Sun Jan 01, 2012 16:35    Post subject:
OK, thanks for your answers (I have been away for some time).

So:
Quote:
You can set a static ARP entry for your router on your clients. This will prevent ARP spoofing of your router but comes with an administrative overhead.

I'm aware of this solution, but it is nearly impossible in bigger networks.

Quote:
You could also use software like arpwatch that monitors your network for suspicious ARP traffic. It is fairly hard to block attackers, since there is no way to distinguish a spoofed Ethernet frame from a legitimate one, unless you are keeping state of all ARP communications.

Should try that...

Quote:
Just to be precise, https does NOT provide protection against ARP poisoning/spoofing, per se. https occurs at the TCP/IP level, while ARP spoofing/poisoning occurs below, at the Ethernet level. Protection is provided only in the sense that once spoofed, the TCP/IP payload is encrypted and therefore relatively useless to the hacker. But the spoofing is never stopped. It's only a means of damage control. The hacker could still use spoofing to engage in other forms of mischief (e.g., DoS attacks).

Yeah, I know that, but it at least partially does the job. But not all sites offer https and, as you said, it is only damage control, not a solution.

There is a thing called arptables, basically an arp firewall. Trying to get it running, but I had little success so far.
PostPosted: Wed Dec 12, 2012 21:48    Post subject:
So, any development since?