ARP Poisoning

Protecting your Linux box

Postby mudasir » Thu Jan 03, 2008 5:39 am

I have been facing a problem for almost 15 days. Let me explain what I have been facing.

My server has IP Address 10.10.10.1 (Server acting as Squid Proxy).

Now from any client, when I execute this command (arp -a 10.10.10.1),

I am not getting the server's MAC address; whenever I execute this command I get a different MAC address. I am not getting the SAME address every time, I get a different MAC address every time.

Now due to this ARP poisoning the client's ping to the server breaks and the Internet stops working.

Can you please tell me some solutions?

I also made a script to get all the MAC addresses against my server's IP. I got more than 350 MAC addresses.

How can I solve this problem?

I searched Google regarding ARP poisoning and found the following link.

http://packetstormsecurity.org/UNIX/utilities/

On the above link I found this script:

http://packetstormsecurity.org/UNIX/utilities/aapd.c

I don't know what it does, but the description says:
OpenAAPD (0.1-beta) is an Anti Arp Poisoning Daemon for OpenBSD operating system which works with or without DHCP protocol support on the LAN networks without compromising the ARP protocol performances.


Please help me out with this problem.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Postby mudasir » Fri Jan 04, 2008 5:47 am

Can anyone tell me some solutions to my problem?
Kind Regards
Mudasir Mirza (RHCE)

Postby mudasir » Tue Jan 08, 2008 1:38 am

Hi,

Still looking for some solutions :cry:

The DHCP server is giving out IPs. Only allowed MAC addresses are given a Class A IP address, and MACs which are not allowed are given a Class C IP address.

Each MAC has its own fixed IP address....

Squid is being used as the proxy server, iptables is being used as the firewall... tc is being used to shape bandwidth per IP address...
Kind Regards
Mudasir Mirza (RHCE)

Postby sameer666 » Wed Jan 09, 2008 1:46 pm

Use a static MAC, if your server MAC keeps changing.

regards
Novice at heart
sameer666
Naik
 
Posts: 82
Joined: Tue Nov 06, 2007 5:31 am

Postby abakali » Thu Jan 10, 2008 10:15 am

Here is a simple solution for this:

Make a script from your MAC address list: collect your clients' MACs and IPs and use static ARP on your server machine, e.g.
10.10.10.1 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.2 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.3 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.4 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.5 xx.xx.xx.xx.xx.xx -i ethx

Keep in mind that whenever you restart your interface these rules are flushed. Then go to your client side and make a batch file and put in your static entry for the server IP and MAC.
Asif Bakali !
Feel free to contact me (flames about my English and the uselessness of this driver will be redirected to /dev/null, oh no, it's full...).
abakali
Naik
 
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm
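Added example (not code from the thread or from any of its posters) that ties together mudasir's MAC-collection script and abakali's static-ARP list: it parses a pinned IP-to-MAC list in the shape shown above, compares it with a Linux /proc/net/arp snapshot, and emits the arp -s lines that would re-pin any entry whose cached MAC disagrees. The pinned list and the ARP snapshot are constructed sample data; only the 10.10.10.x addressing follows the thread.

```python
# Added example (not from the thread): compare the kernel ARP cache with a
# pinned IP->MAC list and emit the `arp -s` lines that would re-pin mismatches.
# Assumes the Linux /proc/net/arp format; all sample data below is constructed.
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed "ip mac" list, the shape abakali's post uses (minus -i ethx).
PINNED = """\
10.10.10.1 00:11:22:33:44:55
10.10.10.2 00:11:22:33:44:66
10.10.10.3 00:11:22:33:44:77
"""

# Constructed /proc/net/arp snapshot: header line, then one neighbour per line.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.10.1       0x1         0x2         00:11:22:33:44:55     *        eth0
10.10.10.2       0x1         0x2         de:ad:be:ef:00:01     *        eth0
10.10.10.3       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_pinned(text):
    """Return {ip: mac} from 'ip mac' lines, rejecting malformed MACs."""
    pinned = {}
    for line in filter(None, text.splitlines()):
        ip, mac = line.split()[:2]
        if not MAC_RE.match(mac.lower()):
            raise ValueError(f"bad MAC for {ip}: {mac}")
        pinned[ip] = mac.lower()
    return pinned

def parse_arp_table(text):
    """Return {ip: (mac, device)} for resolved entries (flag bit 0x2 = ATF_COM)."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header line
        ip, _hwtype, flags, mac, _mask, dev = line.split()
        if int(flags, 16) & 0x2:                # incomplete entries carry no real MAC
            table[ip] = (mac.lower(), dev)
    return table

def find_mismatches(pinned, table):
    """List (ip, expected_mac, cached_mac, device) where the cache disagrees."""
    return [(ip, pinned[ip], mac, dev) for ip, (mac, dev) in sorted(table.items())
            if ip in pinned and mac != pinned[ip]]

def static_arp_commands(mismatches):
    """arp -s lines for the mismatches; as noted above, they are lost on interface restart."""
    return [f"arp -s {ip} {exp} -i {dev}" for ip, exp, _cached, dev in mismatches]
```

On a live box, replace ARP_TABLE with the contents of /proc/net/arp and run the check from cron; a server IP that keeps turning up with a different MAC is exactly the symptom described in the first post.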

Postby mudasir » Thu Jan 10, 2008 10:22 am

AOA,

Dear Asif Bakali,

I have already made a script that statically enters users' IPs and MACs in the server's ARP cache table.
The script is at
http://linuxpakistan.net/forum2x/viewto ... 7129f630dc

And I have also created an EXE file that does the static IP and MAC entry on the user side. But this is something that I am not looking for.

Can you please tell me some other solutions that I can go with?

Looking forward to your reply.
Kind Regards
Mudasir Mirza (RHCE)

Postby ashariqbal » Thu Jan 10, 2008 10:36 am

To find out who is messing with the ARP, you need to do basic network troubleshooting. Start unplugging wires, and when your problem stops you know who it is.

The person is probably using something like ettercap to sniff your network traffic.
ashariqbal
Havaldaar
 
Posts: 105
Joined: Mon Jun 24, 2002 10:01 am
Location: Karachi

Postby mudasir » Thu Jan 10, 2008 12:16 pm

AOA,

Dear ashariqbal,

I have even tried doing this. Basically I have divided my users into segments, and the problem is coming from almost every segment. So I don't think that some user is intentionally doing this; it must be some sort of adware, malware, or it might be a virus.

I also googled viruses which act as I have stated in my post; I found a few, but they are detected by almost all anti-viruses.

I have also installed AntiARP, which tells me which IP is trying to spoof, so by this I know that it is not just one user; many users' IPs are trying to spoof, and they are from all segments.

So, that is also not helping me out.
Kind Regards
Mudasir Mirza (RHCE)

Postby abakali » Thu Jan 10, 2008 12:34 pm

Dear mudasir

This is a Layer 2 attack. To prevent this issue, manage it via L2 managed switches. I have tested on Cisco; they have a built-in feature, ARP inspection, which blocks these types of attack. But your scenario is different: you are deploying this on your cable net, and this solution is too expensive.
I suggest you implement PPPoE or a VPN in your network.
Asif Bakali !

Postby ranatanveer » Thu Jan 10, 2008 1:40 pm

Event Viewer can tell you which machine is the culprit. I have faced this problem three times at my different networks; I think it is spyware on some host. I found that machine through Event Viewer, unplugged it and re-installed it, and the problem was resolved.
Regards

Rana Tanveer
+923224194457
Linux Student

For Affordable Web Development http://www.affordableprogrammers.com
http://www.qualityprogrammers.com
ranatanveer
Subedar
 
Posts: 355
Joined: Sat May 07, 2005 11:54 am
ICQ: 133032001
Website: http://www.affordableprogrammers.com
WLM: ranatanveer@gmail.com
Yahoo Messenger: ranahard@yahoo.com
Location: Lahore

Postby mudasir » Thu Jan 10, 2008 6:54 pm

AOA,

I really appreciate that you all have provided your ideas.

Basically I have implemented almost all these things, except for the L2 switches, because that is very expensive...
Kind Regards
Mudasir Mirza (RHCE)

Postby mudasir » Fri Jan 11, 2008 12:12 pm

AOA,


I found something on the Internet, and as I read about it I thought it might be the solution for the problem that I am facing. I thought it might be good to share this with LP Forum members.

http://www.ltn.lv/~guntis/smarp/

It is basically SmartARP.
Kind Regards
Mudasir Mirza (RHCE)

Postby azfar » Fri Jan 11, 2008 9:38 pm

This problem exists in almost all cable networks these days. Did you find any server-side solution for both Windows/Unix?
Azfar Hashmi
Email : azfarhashmi@hotmail.com
azfar
Captain
 
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
WLM: azfarhashmi@hotmail.com
Yahoo Messenger: azfarhusain@yahoo.com
Location: Karachi

Postby mudasir » Fri Jan 11, 2008 9:46 pm

AOA,

Dear Azfar,

I have not found any server-side solution. I will implement this SmartARP and will let you know whether it works out or not.

If you find any do let me know.
Kind Regards
Mudasir Mirza (RHCE)

Postby AcidEYE » Sat Jan 12, 2008 11:24 am

As Salam U Alikum,

I'm facing this problem since the last 2 months and still couldn't resolve it. I've bought a 3Com 3300 12-port switch; this switch also can't stop ARP poisoning. MAC address cloning is still there, and the reply from the server is breaking; the end result is the Internet not working. This is some kind of virus, malware, or trojan which is spoiling LAN traffic.

Please, someone tell me the best solution, hardware-wise or software-wise.

waiting for reply.

thanks & regards.
Linux Addicted
AcidEYE
Havaldaar
 
Posts: 115
Joined: Mon Feb 28, 2005 5:41 pm
WLM: a_flame@msn.com
Yahoo Messenger: acid_eye69@yahoo.com
AOL: none
Location: Lahore (Pakistan)
