Posted: Sat Oct 08, 2011 20:59 Post subject: Protection against arp spoofing
OK, recently multiple hacking tools using ARP spoofing have appeared. As far as I understand, it works like this: the hacker's device connects to the network and starts to send fake ARP packets, identifying itself as the router. So other devices start to broadcast all communication to this "fake router", and this traffic can be dropped, or even sniffed. As far as I know, there is no protection, except https. Is there any way to fight this? For example, identify the source of those packets and kick it from the network?
Posted: Mon Oct 24, 2011 20:31 Post subject: Re: Protection against arp spoofing
You can set a static ARP entry for your router on your clients. This will prevent ARP spoofing of your router but comes with an administrative overhead.
You could also use software like arpwatch that monitors your network for suspicious ARP traffic. It is fairly hard to block attackers, since there is no way to tell a spoofed Ethernet frame from a legitimate one, unless you are keeping state of all ARP communications.
You can block the switch ports that you detect MAC address changes from, but this may cause denial of service conditions in some network setups. This feature is sometimes called "port security".
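As an added example (not code from the thread or from arpwatch), the script below does the state-keeping the reply talks about: it parses raw ARP replies, remembers which MAC each IP last claimed, and alerts when an IP suddenly shows up with a different MAC, which is what a spoofed "I am the router" reply looks like on the wire. All frames and addresses are constructed sample data; nothing is captured or sent.

```python
# Stateful ARP monitor in the spirit of arpwatch (added example, not from the thread).
# Frames are parsed from raw Ethernet + ARP bytes so it can run offline on samples.
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode for a reply

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a 42-byte Ethernet + ARP reply frame (constructed sample data)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, opcode
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac) or None if this is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_ip, sender_mac

def monitor(frames):
    """Track IP -> MAC bindings from ARP replies; return alerts for bindings that change."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, ip, mac = parsed
        known = bindings.setdefault(ip, mac)   # first sighting becomes the baseline
        if known != mac:
            # Baseline is kept, so every further spoofed reply for this IP alerts too.
            alerts.append(f"{ip} changed from {known} to {mac}")
    return alerts

# Constructed sample addresses and frames: two legitimate router replies, then a
# reply in which a different MAC claims the router's IP.
ROUTER_MAC = bytes.fromhex("001122334455")
ATTACKER_MAC = bytes.fromhex("66778899aabb")
CLIENT_MAC = bytes.fromhex("ccddeeff0011")
ROUTER_IP, CLIENT_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
SAMPLE_FRAMES = [
    build_arp_reply(ROUTER_MAC, ROUTER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(ROUTER_MAC, ROUTER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(ATTACKER_MAC, ROUTER_IP, CLIENT_MAC, CLIENT_IP),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

On a real segment the same logic would be fed from a packet capture; the sample run produces exactly one alert for the third frame.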
OK, thanks for your answers (I have been away for some time).
So:
Quote:
You can set a static ARP entry for your router on your clients. This will prevent ARP spoofing of your router but comes with an administrative overhead.
I'm aware of this solution, but it is nearly impossible in bigger networks.
Quote:
You could also use software like arpwatch that monitors your network for suspicious ARP traffic. It is fairly hard to block attackers, since there is no way to tell a spoofed Ethernet frame from a legitimate one, unless you are keeping state of all ARP communications.
Should try that...
Quote:
Just to be precise, https does NOT provide protection against ARP poisoning/spoofing, per se. https occurs at the TCP/IP level, while ARP spoofing/poisoning occurs below, at the Ethernet level. Protection is provided only in the sense that once spoofed, the TCP/IP payload is encrypted and therefore relatively useless to the hacker. But the spoofing is never stopped. It's only a means of damage control. The hacker could still use spoofing to engage in other forms of mischief (e.g., DoS attacks).
Yeah, I know that, but it at least partially does the job. But not all sites offer https and, as you said, it is only damage control, not a solution.
There is a thing called arptables, basically an arp firewall. Trying to get it running, but I had little success so far.