ARP Poisoning

Protecting your Linux box
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

It is basically a virus; for now I have not been able to find any solution that can be implemented on the server.

Still searching for such a solution.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Azfar,

I have installed this AntiARP on almost all of my users' PCs. So for now I am a bit tension-free, but I still want to find a permanent solution for this problem.

About Anti-Virus, for me Symantec Corporate Server and Client Combination is working perfectly.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
AcidEYE
Havaldaar
Posts: 115
Joined: Mon Feb 28, 2005 5:41 pm
Location: Lahore (Pakistan)

Post by AcidEYE »

As Salam U Alikum,

Clients are already scanned, their hard drives formatted, and partitions recreated, but after 1 week this problem starts again.
Linux Addicted
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Azfar, do one thing: create an EXE or a CMD file that will perform the following functions:

arp -d <SERVER_IP_ADDRESS>
arp -s <SERVER_IP_ADDRESS> <SERVER_MAC_ADDRESS>

And copy this to the startup folders of users. This can help you out, even if the virus strikes again.

However, this is also not a permanent solution.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Post by azfar »

AcidEYE wrote: As Salam U Alikum,

Clients are already scanned, their hard drives formatted, and partitions recreated, but after 1 week this problem starts again.
This will be the result of lack of maintenance.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Any time....

I have found a few things regarding ARP poisoning that have to be installed on the server.

As soon as I test those apps I will let everyone know whether they work or not.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Post by abakali »

Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Asif Bakali,

I know what ARP spoofing / poisoning is and how it works. I have read more than 50 papers regarding this topic, but I am unable to find any good solution that can be implemented on just 1 PC on a network that can solve or at least minimize the problem.

Thanks for the information.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
torvalds
Lance Naik
Posts: 25
Joined: Fri Oct 08, 2004 9:15 pm
Location: Pakistan

Solution is there but ...

Post by torvalds »

To whom it may concern,

I've recently been assigned to bring a solution to Ethernet's blessing of ARP spoofing (poisoning). What I found is: with many of the Cisco switches, ARP poisoning can be stopped by the ARP information monitoring feature, but for others??? Static ARP tables are the solution to ARP poisoning, thus disabling dynamic ARP protocol caching on the server and on the client as well, which prevents ARP poisoning. The packets can be blocked by personal & router firewalls. Fancy, but possible.
ARP watch is a good utility on the Linux platform; you can try this. Being on Ethernet, it is nearly impossible to avoid the ARP without having proprietary solutions like Cisco etc.

For many of the cable internet people, static ARP is the best solution. On the server end, bind the IP to the MAC of every user. This will increase security and performance.
A solution given by a user of governmentsecurity.org is that "Static ARPs + Correct use and location of network IDS's (Snort / Checkmate) + Static ARPs via login scripts to keep up-to-date + Subnetting the lans more (even via VLANs) + *Considering the use of IPv6 and other* + CORRECT Encryption of the protocols will allow even arp poisoned traffic to become useless"
Very fancy........

Regards

Torvalds
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
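Added example (not part of any post in this thread): a minimal arpwatch-style check for the static-entry approach mudasir and torvalds describe, reading a Linux neighbour table in /proc/net/arp format and comparing it with pinned IP/MAC pairs. The sample table, the addresses, the PINNED map and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in /proc/net/arp format (not from the thread).
# 192.168.1.1 stands in for the server; every address here is made up.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:66     *        eth0
192.168.1.23     0x1         0x2         00:11:22:33:44:66     *        eth0
192.168.1.40     0x1         0x2         00:aa:bb:cc:dd:01     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Assumed known-good binding, recorded while the network was clean.
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}

ATF_COM = 0x02   # entry is resolved
ATF_PERM = 0x04  # entry is static, as created by `arp -s`

def parse_arp_table(text):
    """Return [(ip, mac, flags)] for resolved entries, skipping the header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:  # unresolved entries carry an all-zero MAC
            entries.append((ip, mac, flags))
    return entries

def find_anomalies(entries, pinned):
    """Flag wrong or non-static MACs on pinned IPs, and MACs shared by several IPs."""
    alerts = []
    by_mac = defaultdict(list)
    for ip, mac, flags in entries:
        by_mac[mac].append(ip)
        expected = pinned.get(ip)
        if expected and mac != expected.lower():
            alerts.append(("mac-mismatch", ip, mac))
        elif expected and not flags & ATF_PERM:
            alerts.append(("not-static", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("shared-mac", ",".join(sorted(ips)), mac))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse_arp_table(SAMPLE_PROC_NET_ARP), PINNED):
        print(*alert)
```

A shared-mac alert is only a hint: a host with several IP addresses or a router doing proxy ARP produces it legitimately, so treat it as a prompt to check which machine owns that MAC.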
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear torvalds,

After all these posts that have been made in this topic, you posted only to tell that making static ARP entries is good.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
torvalds
Lance Naik
Posts: 25
Joined: Fri Oct 08, 2004 9:15 pm
Location: Pakistan

No doubt Freak

Post by torvalds »

AOA
Freak! You are right, figuratively. Actually, friend, ARP is causing big trouble; in other words, "people's livelihoods are taking a hit ;)". There must be some solution, for example something embedded within the LAN card. I'm thinking on it; I think I have to recall my assembly memories. Let's see what happens.

Regards

Torvalds
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
torvalds
Lance Naik
Posts: 25
Joined: Fri Oct 08, 2004 9:15 pm
Location: Pakistan

Not to Freak, it's @ mudasir

Post by torvalds »

Not to Freak, it's @ mudasir
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear torvalds,

One can integrate some code in the LAN card; one just needs to edit the DRIVER made for the particular make, and has to make an APP that will regularly broadcast the SERVER's MAC against the SERVER's IP (ARP protocol). It is possible, nothing is impossible.

But after all this, just making static entries :( .
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

Hi Guys,

I have finished designing the Linux box as I promised!! It will help to STOP ARP spoofing or MAC spoofing attacks in a way that an attacker will not see any traffic if he tries to sniff any packets from the switch networks. So privacy is there, data leakage protection is there.

Anyone interested, let me know; I will set up the proof of concept.

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

I would appreciate it if interested guys send me a private message to discuss the proof of concept.

Someone just said to me that he feels that I am only discussing ARP poisoning. NO, I am talking about the solution that I have designed.

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)