ARP Poisoning

Protecting your Linux box

Postby mudasir » Sat Jan 12, 2008 11:30 am

AOA,

It is basically a virus; for now I have not been able to find any solution that can be implemented on the server.

Still searching for such solution.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Postby mudasir » Sat Jan 12, 2008 1:06 pm

AOA,

Dear Azfar,

I have installed this AntiARP on almost all of my users' PCs. So for now I am a bit tension free, but I still want to find a permanent solution for this problem.

About Anti-Virus, for me Symantec Corporate Server and Client Combination is working perfectly.
Kind Regards
Mudasir Mirza (RHCE)

Postby AcidEYE » Sat Jan 12, 2008 1:08 pm

As Salam U Alikum,

Clients are already scanned, their hard disks formatted, partitions recreated, but after 1 week this problem starts again.
Linux Addicted
AcidEYE
Havaldaar
 
Posts: 115
Joined: Mon Feb 28, 2005 5:41 pm
WLM: a_flame@msn.com
Yahoo Messenger: acid_eye69@yahoo.com
AOL: none
Location: Lahore (Pakistan)

Postby mudasir » Sat Jan 12, 2008 1:10 pm

AOA,

Dear Azfar, do one thing: create an EXE or a CMD file that will perform the following functions

arp -d <SERVER_IP_ADDRESS>
arp -s <SERVER_IP_ADDRESS> <SERVER_MAC_ADDRESS>

And copy this to the startup folders of users. This can help you out, even if the virus strikes again.

However, this is also not a permanent solution.
Kind Regards
Mudasir Mirza (RHCE)

Postby azfar » Sat Jan 12, 2008 2:02 pm

AcidEYE wrote: As Salam U Alikum,

Clients are already scanned, their hard disks formatted, partitions recreated, but after 1 week this problem starts again.


This will be the result of lack of maintenance.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
azfar
Captain
 
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
WLM: azfarhashmi@hotmail.com
Yahoo Messenger: azfarhusain@yahoo.com
Location: Karachi

Postby mudasir » Sat Jan 12, 2008 2:04 pm

AOA,

Any time....

I have found a few things regarding ARP poisoning that have to be installed on the server.

As soon as I test those apps I will let everyone know whether they work or not.
Kind Regards
Mudasir Mirza (RHCE)

Postby abakali » Wed Jan 16, 2008 12:25 am

Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
abakali
Naik
 
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Postby mudasir » Wed Jan 16, 2008 2:05 am

AOA,

Dear Asif Bakali,

I know what ARP spoofing / poisoning is and how it works. I have read more than 50 papers regarding this topic, but I am unable to find any good solution that can be implemented on just 1 PC on a network that can solve or at least minimize the problem.

Thanks for the information.
Kind Regards
Mudasir Mirza (RHCE)

Solution is there but ...

Postby torvalds » Sun Feb 17, 2008 3:02 pm

To whom it may concern,

I've recently been assigned to bring a solution to Ethernet's blessing of ARP spoofing (poisoning). What I found is: with many of the Cisco switches, ARP poisoning can be stopped by the ARP information monitoring feature, but for others??? Static ARP tables are the solution to ARP poisoning, thus disabling dynamic ARP protocol caching on the server and on the client as well, which prevents ARP poisoning. The packets can be blocked by personal & router firewalls. Fancy, but possible.
ARP watch is a good utility on the Linux platform; you can try this. Being on Ethernet, it is nearly impossible to avoid the ARP without having proprietary solutions like Cisco etc.

For many of the cable internet people static ARP is the best solution. On the server end, bind the IP to the MAC of every user. This will increase security and performance.
A solution given by a user of governmentsecurity.org is that "Static ARPs + Correct use and location of network IDS's (Snort / Checkmate) + Static ARPs via login scripts to keep up-to-date + Subnetting the lans more (even via VLANs) + *Considering the use of IPv6 and other* + CORRECT Encryption of the protocols will allow even arp poisoned traffic to become useless"
Very fancy........

Regards

Torvalds
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
torvalds
Lance Naik
 
Posts: 25
Joined: Fri Oct 08, 2004 9:15 pm
WLM: faisalusuf@msn.com
Yahoo Messenger: faisalusuf
Location: Pakistan
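
The static bindings and cache monitoring discussed in this thread can be combined into one check. The following is an added example, not code from any poster: it audits a Linux ARP cache in /proc/net/arp format against pinned IP-to-MAC bindings. The addresses, the PINNED table and the function names are constructed for illustration.

```python
"""Audit a Linux ARP cache (/proc/net/arp format) against pinned IP-to-MAC bindings."""
from collections import defaultdict

ATF_COM, ATF_PERM = 0x02, 0x04  # kernel ARP flags: entry complete / static (permanent)

# Constructed sample: pinned bindings for the hosts that matter (gateway, server).
PINNED = {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.10": "00:aa:bb:cc:dd:10"}

# Constructed sample in /proc/net/arp layout; the gateway IP resolves to the
# same MAC as 192.168.1.57, which is what a poisoned cache looks like.
SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:de:ad:be:ef:57     *        eth0
192.168.1.10     0x1         0x6         00:AA:BB:CC:DD:10     *        eth0
192.168.1.57     0x1         0x2         00:de:ad:be:ef:57     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp_table(text):
    """Yield (ip, mac, flags) for every complete entry, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:  # ignore unresolved (incomplete) entries
            yield ip, mac, flags

def audit(text, pinned):
    """Return a sorted list of (kind, ip, detail) findings."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac, flags in parse_arp_table(text):
        by_mac[mac].append(ip)
        want = pinned.get(ip)
        if want is None:
            continue
        if mac != want.lower():
            findings.append(("MISMATCH", ip, f"saw {mac}, pinned {want.lower()}"))
        elif not flags & ATF_PERM:
            findings.append(("NOT_STATIC", ip, "correct MAC but entry is dynamic"))
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one MAC answering for several IPs
            findings.append(("SHARED_MAC", ",".join(sorted(ips)), mac))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, PINNED):
        print(*finding, sep="\t")
```

On a live host the same audit can be fed the contents of /proc/net/arp; a NOT_STATIC finding means the pinned host still has a dynamic entry that a forged reply could overwrite.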

Postby mudasir » Sun Feb 17, 2008 6:40 pm

AOA,

Dear torvalds,

After all these posts that have been made in this topic, you posted only to tell that making static ARP entries is good.
Kind Regards
Mudasir Mirza (RHCE)

No doubt Freak

Postby torvalds » Mon Feb 18, 2008 2:06 pm

AOA
Freak! You are right, figuratively. Actually, friend, ARP is causing big trouble; in other words, "people's livelihoods are taking a hit ;)". There must be some solution, for example something embedded within the LAN card. I'm thinking about it; I think I'll have to recall my assembly memories. Let's see what happens.

Regards

Torvalds

not to freak its @ mudasir

Postby torvalds » Mon Feb 18, 2008 2:55 pm

not to freak its @ mudasir

Postby mudasir » Mon Feb 18, 2008 5:15 pm

AOA,

Dear torvalds,

One can integrate some code in the LAN card; one just needs to edit the driver made for the particular make, and make an app that will regularly broadcast the server's MAC against the server's IP (ARP protocol). It is possible; nothing is impossible.

But after all this, just making static entries :( .
Kind Regards
Mudasir Mirza (RHCE)

Postby securitykid » Thu Mar 13, 2008 11:53 am

Hi Guys,

I have finished designing the Linux box as I promised!! It will help to STOP ARP spoofing or MAC spoofing attacks, in a way that an attacker will not see any traffic if he tries to sniff any packets from the switch networks. So privacy is there, data leakage protection is there.

Anyone interested, let me know; I will set up the proof of concept.

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby securitykid » Thu Mar 13, 2008 11:54 am

I would appreciate it if interested guys send me a private message to discuss the proof of concept.

Someone just asked me whether I am only discussing ARP poisoning. NO, I am talking about the solution that I have designed.

Thanks
SecurityKID-ITdotCOM


