# arp spoofing

## b0nafide

Oh great. A security researcher pointed out to me that my gentoo-based router is vulnerable to arp spoofing. Then he took off without suggesting preventative measures. Doh! 

So I read that some APs have a 'client isolation' mode where wireless clients are disallowed from talking to each other; this prevents the man in the middle attack. However I'm not sure how to implement this on gentoo. 

Then there's static arp tables, which are impractical in this case. Setting a static arp entry for the gateway anyway might be a good idea?? 

Is there a package I can emerge to detect arp spoofing in progress (say two IPs with the same MAC) ??

----------

## xibo

Same MAC, different Internet addresses is easy to detect (i.e. just read a regularly accessed host's (i.e. router's) /proc/net/arp via cron job, or if they're hiding behind NAT read the NAT-ter's arptables via SNMP), and a poor man-in-the-middle attack. A good one would use the same MAC and inet address combination as his victim.

arpwatch (net-analyzer/arpwatch) might help a bit, but it's not the tool to rely on. Its detections can be trusted but it won't detect everything, i.e. someone modifying his MAC and inet address to a present combination in your network while being outside of it, and then reconnecting, will not be caught (unless he's stupid and makes a "this-is-my-computer-name" broadcast made by Windows OS and DHCP clients or something like that).

You might be able to have your access point detect the MAC modification, depending on how good its security features are. I wouldn't expect it to be possible with any access points I've seen yet though; it's a feature I know from switches for cabled networks.

Static MACs aren't that bad. If you can use static-address autoconfiguration you can generate static arp table content, in the worst case by sedding your dhcpd.conf. If you use dynamic-address autoconfiguration you should try to either run some script which sets up the corresponding arp entry each time an address is requested (DHCPv6 servers can do that, but I'm not aware of DHCPv4 doing it, though I only ever used ISC's DHCPv4 server), or use some sniffer that sniffs your DHCP server's replies.

I use static autoconfiguration and static arp, though my clients are in a 'database' and at each modification a program regenerates the dhcpd.conf and /etc/ethers and reloads both, together with iptables to validate people are using the addresses I want them to (i.e. combining iptables --source and --source-mac and dropping all that don't match in the end).
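The two checks xibo describes, generating static arp content from dhcpd.conf and spotting one MAC answering for several IPs in /proc/net/arp, as an added example that is not xibo's program or any Gentoo package; the dhcpd.conf fragment and the /proc/net/arp snapshot are constructed, and the host-block layout is assumed to be ISC's:

```python
import re
from collections import defaultdict
# Constructed dhcpd.conf fragment (assumed ISC layout: one host block per client).
DHCPD_CONF = """
host laptop { hardware ethernet 00:aa:bb:cc:dd:01; fixed-address 192.168.1.10; }
host printer { hardware ethernet 00:AA:BB:CC:DD:02;
               fixed-address 192.168.1.20; }
"""
# Constructed /proc/net/arp snapshot mid-attack: the attacker (.30) also answers for .10.
PROC_NET_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:de:ad:be:ef:99     *        br0
192.168.1.20     0x1         0x2         00:aa:bb:cc:dd:02     *        br0
192.168.1.30     0x1         0x2         00:de:ad:be:ef:99     *        br0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        br0
"""
HOST_BLOCK = re.compile(r"host\s+\S+\s*\{(.*?)\}", re.S)

def parse_dhcpd_hosts(conf):
    """Map fixed-address IP -> lower-cased MAC from every host block."""
    hosts = {}
    for body in HOST_BLOCK.findall(conf):
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]+)\s*;", body)
        ip = re.search(r"fixed-address\s+([\d.]+)\s*;", body)
        if mac and ip:
            hosts[ip.group(1)] = mac.group(1).lower()
    return hosts

def to_ethers(hosts):  # /etc/ethers lines ('MAC IP'); 'arp -f' loads them as static
    return "".join(f"{mac} {ip}\n" for ip, mac in sorted(hosts.items()))

def parse_proc_net_arp(text):
    """Map IP -> MAC for complete entries (flags 0x2); skip header and incomplete rows."""
    seen = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 4 and f[2] == "0x2":
            seen[f[0]] = f[3].lower()
    return seen

def duplicate_macs(arp):
    """MACs currently answering for more than one IP (the easy-to-spot case)."""
    by_mac = defaultdict(set)
    for ip, mac in arp.items():
        by_mac[mac].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

def mismatches(expected, arp):
    """(ip, configured_mac, observed_mac) where the live table contradicts dhcpd.conf."""
    return [(ip, mac, arp[ip]) for ip, mac in sorted(expected.items())
            if ip in arp and arp[ip] != mac]
```

Run from cron with the real files in place of the constructed strings; as xibo notes, an attacker who copies a victim's exact MAC/IP pair will show up in neither report.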

----------

## richard.scott

what about running arpwatch on your system?

or changing your DHCP so you only offer out a smaller network range per client, i.e. a /30 has only 4 IPs per delegation.

Rich.

----------

## b0nafide

Thanks for all the good info. I'll check out arpwatch. 

... using the info from DHCP is a great idea!

Here's a guy who modified openwrt to prevent arp spoofing: 

http://docs.google.com/viewer?a=v&q=cache:TA6HWxbRkycJ:citeseerx.ist.psu.edu/viewdoc/download%3Fdoi%3D10.1.1.134.6856%26rep%3Drep1%26type%3Dpdf+preventing+arp+spoofing+%2Bopenwrt&hl=en&gl=ca&pid=bl&srcid=ADGEESgIvJxzC5Zfmu4Vel7Ztzfh_kEkl4FeqNrP8saZgx2CeTs8XtxThEHf9tuUVYoSUg3ASIqoOEetl4goJ4OcsQ_XS6TSEBDbrEFd-LU37zYOcCv0mIeHmmQTCHXEMk4Uvsd-F0lz&sig=AHIEtbQzY3oSU4P8XOZ3uCF4TQBVnlgqDw

From the document: 

> The DHCP ACK message contains the client's MAC address and IP address. Every packet that reaches the Access Point should be scanned for a DHCP ACK message. Whenever a DHCP ACK ...

^This guy is using Ebtables to parse the Layer 2 header of every packet passing via the bridge. 

I have much to learn. But at least now I've got some idea of how to proceed. Thanks.

Edit: I just discovered ArpOn http://arpon.sourceforge.net/ ... but ArpOn is not a gentoo package, I must compile from source.
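The per-packet part of the DHCP ACK scan quoted above, as an added example that is neither the paper's code nor anything from this thread: it decodes a DHCPACK using the RFC 2131 field layout (op/htype/hlen, yiaddr at offset 16, chaddr at 28, magic cookie at 236) and returns the MAC/IP binding a bridge filter would then pin. The packet is constructed here; handing the parser the DHCP payloads ebtables or a sniffer sees is assumed to happen elsewhere.

```python
import struct
from ipaddress import IPv4Address

DHCPACK = 5                      # DHCP message type (option 53) value for ACK
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_ack(xid, client_mac, yiaddr, server):
    """Constructed DHCPACK payload (BOOTP header + options) for this example only."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, IPv4Address(server).packed,
                      b"\0" * 4, client_mac, b"", b"")   # struct zero-pads the 's' fields
    opts = bytes([53, 1, DHCPACK, 54, 4]) + IPv4Address(server).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts

def parse_dhcp_options(data):
    """Walk the TLV options after the magic cookie; stop at END (255), skip PAD (0)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):            # truncated option: stop rather than crash
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dhcp_ack_binding(payload):
    """Return (client_mac, client_ip) if payload is a DHCPACK, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, htype, hlen = payload[0], payload[1], payload[2]
    if op != 2 or htype != 1 or hlen != 6:        # BOOTREPLY over Ethernet only
        return None
    if parse_dhcp_options(payload[240:]).get(53) != bytes([DHCPACK]):
        return None                                # OFFER/NAK etc. carry no binding
    mac = ":".join(f"{b:02x}" for b in payload[28:34])   # chaddr, first hlen bytes
    return mac, str(IPv4Address(payload[16:20]))         # yiaddr
```

Only trust a binding when the ACK really came from your own DHCP server (check the L2 source and option 54 against its known address); otherwise a rogue server on the same segment could plant bindings of its choosing.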

----------

## mack1

There are also arptables and ebtables (for building a brouter) that could help:

http://en.wikipedia.org/wiki/Arptables

http://ebtables.sourceforge.net/

Cheers

----------

## b0nafide

For testing, I set up an old laptop as an attacker. I tried to perform the MiTM arp-spoofing attack with ettercap. I could see changes to my 'victim' laptop's arp table; indeed, it believed its gateway was the attacker's MAC.

I slapped this into my router: 

```sh
arptables -F
arptables -X
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
arptables -A INPUT -s 192.168.1.1 ! --source-mac 00:12:34:56:78:90 -j DROP
```

...where 00:12:34:56:78:90 is the MAC of the NIC assigned to 192.168.1.1 (the gateway)

Even with my arptables rules the victim's laptop still thinks the gateway belongs to the attacker after arp spoofing, and thus browsing the internet breaks for the victim. So although I might be able to avoid a MiTM attack this way, it's still DoS. 

AP isolation is what I'm after. I flashed dd-wrt to an AP because it has support for AP isolation. When it is enabled the attacking machine can only see the gateway and the attacks are prevented. I think HostAPD has support for this too. 

I feel a bit safer now.

----------

