You might be asking, “So what if arpspoof is flooding the network with ARP reply messages?” Well, some operating systems record the information they see in an ARP reply, even if they never sent an initial ARP request.
Operating systems do this to cut down on the amount of ARP traffic on your network. Without this opportunistic ARP caching, each host would have to send its own ARP requests to discover other machines. Rather than flood the LAN with redundant traffic, many operating systems cache the mapping in their own ARP table whenever they see an ARP reply. By sending ARP reply messages for all IP addresses that advertise your interface's MAC as the hardware address for those IPs, arpspoof is able to redirect traffic to its own sniffing interface.
Defending effectively against ARP poisoning is not an easy task, because the ARP protocol provides no way to establish the authenticity of the source of incoming packets.
Here are some ways to protect your machines against ARP spoofing.
1. STATIC ARP
2. SURVEILLANCE TOOLS
3. PORT SECURITY
4. CONCLUSION
1. STATIC ARP
Static ARPing means that you manually configure IP to MAC mappings.
On Windows:
C:\Documents and Settings\administrator>arp -s 192.168.1.1 11-22-33-44-11-11
|
See your ARP cache table:
C:\Documents and Settings\administrator>arp -a

Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     static
  192.168.1.100         11-22-33-44-99-99     dynamic
On Linux:
#arp -s 192.168.1.1 11:22:33:44:11:11
See your ARP cache table:
#arp

Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   11:22:33:44:11:11   CM                    eth0
On a Cisco router:
router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA
The creation of static IP-MAC address mappings will prevent ARP poisoning but has two big disadvantages:
- It generates a lot of extra work for the administrator and is not applicable in an environment where users have to move around with their laptops.
- It does not prevent other types of ARP attacks such as port stealing.
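A quick way to audit whether the static entries actually exist is to parse the ARP table output itself. The following is an added example, not code from the original post: it parses both the Windows "arp -a" and the Linux net-tools "arp" formats shown above (the sample outputs are constructed to match them) and reports which of a list of critical hosts, typically the default gateway, still have a dynamic entry that an unsolicited ARP reply could overwrite. The list of critical IPs and the host names are assumptions for the demo.

```python
"""Audit ARP table output for critical hosts that still have dynamic entries.
Added example, not part of the original post; the sample outputs below are
constructed to match the Windows and Linux formats shown in the text."""
import re
from dataclasses import dataclass

# Constructed sample: Windows `arp -a`, one static and one dynamic entry.
WINDOWS_ARP_A = """\
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     static
  192.168.1.100         11-22-33-44-99-99     dynamic
"""

# Constructed sample: Linux net-tools `arp`; flag C = complete,
# M = permanent (manually added with `arp -s`).
LINUX_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   11:22:33:44:11:11   CM                    eth0
192.168.1.100            ether   11:22:33:44:99:99   C                     eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str        # normalised to lower-case, colon separated
    static: bool    # True for Windows "static" or Linux "M" (permanent)


def normalise_mac(mac):
    return mac.replace("-", ":").lower()


def parse_arp_table(text):
    """Return ArpEntry objects from either the Windows or the Linux format.
    Data lines are recognised by the position of the MAC address column;
    header and 'Interface:' lines have no MAC in that position and are
    skipped, as are Linux '(incomplete)' entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip = parts[0]
        if MAC_RE.match(parts[1]):                 # Windows: IP MAC Type
            mac, static = parts[1], parts[2].lower() == "static"
        elif len(parts) >= 4 and MAC_RE.match(parts[2]):  # Linux: IP HWtype MAC Flags ...
            mac, static = parts[2], "M" in parts[3]
        else:
            continue
        entries.append(ArpEntry(ip, normalise_mac(mac), static))
    return entries


def unprotected_hosts(entries, critical_ips):
    """Critical IPs whose entry is missing or not static (still poisonable)."""
    by_ip = {e.ip: e for e in entries}
    return sorted(ip for ip in critical_ips
                  if ip not in by_ip or not by_ip[ip].static)


if __name__ == "__main__":
    critical = ["192.168.1.1", "192.168.1.100"]   # assumed: gateway + a server
    for name, table in (("windows", WINDOWS_ARP_A), ("linux", LINUX_ARP)):
        entries = parse_arp_table(table)
        print(name, [(e.ip, e.mac, e.static) for e in entries])
        print("  still dynamic:", unprotected_hosts(entries, critical))
```

Run it against the real output of "arp -a" or "arp -n" on a host and any critical IP it prints is one an attacker's unsolicited reply can still overwrite.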
2. SURVEILLANCE TOOLS
Arpwatch
Arpwatch is a tool that monitors the ARP activity on a network, in particular changes in the MAC address to IP address associations. For this reason it can help detect ARP attacks such as ARP spoofing, and it can alert the administrator by mail in case of suspicious ARP activity (referred to as a flip-flop in Arpwatch).
#apt-get install arpwatch

By default, Arpwatch writes its logs to the /var/log/syslog file; you can use the "tail -f /var/log/syslog" command to follow the logs in real time.
The configuration is stored in the /etc/arpwatch.conf file.
Ettercap
Install Ettercap in graphical mode.
#apt-get install ettercap-gtk

Launch Ettercap in graphical mode.
#ettercap -G

Sniff -> Unified sniffing...
Plugins -> Manage the plugins
Click on the arp_cop plugin to activate it.
Start -> Start Sniffing
An Intrusion Detection System such as Snort can detect abnormal ARP activity and send a mail to inform the administrator.
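The flip-flop detection that Arpwatch, the Ettercap arp_cop plugin and an IDS perform all reduce to the same idea: remember which MAC answered for each IP and raise an alert when the answer changes. The following is an added example, not code from the original post or from the arpwatch project: it parses raw Ethernet/ARP frames (constructed inline, so it runs without a capture) and reports a change of hardware address and, when an IP bounces back to a MAC it had before, a flip-flop, which is the pattern seen when a spoofer competes with the real host. The MAC and IP values and the trust-first-mapping rule are assumptions for the demo.

```python
"""Arpwatch-style 'changed ethernet address' / 'flip flop' detection on raw
Ethernet + ARP frames. Added example, not part of the original post and not
arpwatch's code. Frames are constructed inline; the first mapping seen for
each IP is trusted, which is also arpwatch's weak point until its database
has been seeded on a known-clean network."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply (hardware Ethernet, protocol IPv4)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += sender_mac + bytes(map(int, sender_ip.split(".")))
    arp += target_mac + bytes(map(int, target_ip.split(".")))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpMonitor:
    """Tracks IP -> MAC and reports changes, like arpwatch's report types."""

    def __init__(self):
        self.table = {}      # ip -> MAC currently believed to own it
        self.previous = {}   # ip -> MAC it had before the last change
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns an alert tuple or None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _opcode, mac, ip = parsed          # requests and replies both reveal sender
        old = self.table.get(ip)
        if old is None:                    # first sighting: trusted (seeding)
            self.table[ip] = mac
            return None
        if old == mac:
            return None
        # Bouncing back to the earlier MAC is arpwatch's "flip flop".
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.table[ip] = mac
        alert = (kind, ip, old, mac)
        self.alerts.append(alert)
        return alert


# Constructed addresses for the demo (gateway, attacker, victim).
GATEWAY_MAC = bytes.fromhex("112233441111")
ATTACKER_MAC = bytes.fromhex("112233449999")
VICTIM_MAC = bytes.fromhex("112233440002")


def demo():
    """Legitimate reply, poisoned reply, then the real gateway answers again."""
    mon = ArpMonitor()
    frames = [
        build_arp_reply(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.2"),
        build_arp_reply(ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.2"),
        build_arp_reply(GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.2"),
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

On a live network the frames would come from a raw socket or a pcap reader instead of build_arp_reply; the second and third events are what an administrator should be paged about.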
3. PORT SECURITY
Port security is a security feature available on some high-end switches. It allows only devices with certain MAC addresses to connect to the switch ports; if a machine is not authorized, the switch can take actions such as alerting the administrator with an SNMP trap or shutting down the offending port immediately.
Below is an example with a Cisco switch where its first port (FastEthernet 0/1) is configured with port security.
The switch port will accept only one MAC address, and that MAC address will be the first one seen by the switch port (sticky keyword). If the switch port then sees a different MAC address, it will immediately shut the port down.
Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown

(The "switchport mode access" and "switchport port-security" lines enable the feature on the interface; without them the remaining commands are stored but port security stays inactive.)
Switch# show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
    Fa1/0/1             1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272
Switch# show port-security interface FastEthernet 0/1

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 1122.3344.5566:1
Security Violation Count   : 0
Switch#show port-security address

          Secure Mac Address Table
----------------------------------------------------------------------------
Vlan    Mac Address       Type              Ports   Remaining Age
                                                       (mins)
----    -----------       ----              -----   -------------
   1    1122.3344.5566    SecureSticky      Fa0/1         -
----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272
We unplug the current device (MAC: 1122.3344.5566) and plug in another device (MAC: 1122.3344.9999). As seen below, the switch shuts down its first port and puts it in the err-disabled state.
Switch# show port-security interface FastEthernet 0/1

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 1122.3344.9999:1
Security Violation Count   : 0
Switch#show logging

00:06:28: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:06:28: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1122.3344.9999 on port FastEthernet0/1.
00:06:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:06:30: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Switch#show interfaces status | include 0/1

Port      Name               Status       Vlan       Duplex  Speed   Type
Fa0/1                        err-disabled 1          auto    auto    10/100BaseTX
To bring the port back up after the violation:
Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
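The sequence above (sticky learning, violation, err-disable, shutdown / no shutdown) is easy to get wrong in one respect: the sticky address learned from the first device stays in the running configuration, so re-enabling the port does not let the second device in. The following is an added example, not Cisco code and not from the original post: a small Python model of the behaviour shown in the switch output, used to spell out that recovery detail. The MAC values are the ones from the post; the model only covers the "shutdown" violation mode and deliberately does not model the violation counter.

```python
"""Model of sticky port security (maximum 1, violation shutdown) and the
shutdown / no shutdown recovery. Added example: a behavioural model for
reasoning about the switch output above, not switch code."""
from enum import Enum


class PortStatus(Enum):
    SECURE_UP = "Secure-up"
    SECURE_DOWN = "Secure-down"      # err-disabled after a violation


class SecurePort:
    """Port configured like FastEthernet 0/1 in the post."""

    def __init__(self, name, maximum=1):
        self.name = name
        self.maximum = maximum
        self.sticky_macs = []         # learned addresses; persist like running-config
        self.status = PortStatus.SECURE_UP
        self.admin_down = False
        self.syslog = []

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.admin_down or self.status is PortStatus.SECURE_DOWN:
            return False              # err-disabled ports drop everything
        if src_mac in self.sticky_macs:
            return True
        if len(self.sticky_macs) < self.maximum:
            self.sticky_macs.append(src_mac)   # sticky: first MAC seen is kept
            return True
        # Maximum reached and unknown source: violation, port is err-disabled.
        self.status = PortStatus.SECURE_DOWN
        self.syslog.append(
            f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
            f"putting {self.name} in err-disable state")
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        return False

    def shutdown(self):
        self.admin_down = True

    def no_shutdown(self):
        """`shutdown` followed by `no shutdown` clears the err-disabled state."""
        self.admin_down = False
        self.status = PortStatus.SECURE_UP

    def clear_sticky(self):
        """Models removing the learned address from the configuration
        (on IOS e.g. `clear port-security sticky interface Fa0/1`)."""
        self.sticky_macs.clear()


def scenario():
    """Replays the post's sequence and shows why recovery alone is not enough."""
    port = SecurePort("Fa0/1")
    events = [port.receive("1122.3344.5566")]     # first device: learned, forwarded
    events.append(port.receive("1122.3344.9999"))  # second device: violation
    events.append(port.status)                     # Secure-down (err-disabled)
    port.shutdown(); port.no_shutdown()            # recovery as in the post
    events.append(port.receive("1122.3344.9999"))  # refused again: sticky MAC kept
    port.clear_sticky(); port.shutdown(); port.no_shutdown()
    events.append(port.receive("1122.3344.9999"))  # now learned as the new sticky MAC
    return events


if __name__ == "__main__":
    for e in scenario():
        print(e)
```

The fourth event is the practical point: after shutdown / no shutdown the port comes up, but the old sticky MAC is still configured, so the replacement device trips the violation again until the administrator removes the learned address (which is exactly what you want when the "replacement" is an unauthorized machine).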
Port security does not prevent ARP spoofing itself; what it prevents is the attacker getting connected to the network in the first place.
4. CONCLUSION
The suggestions below help either by preventing the attacker from connecting to the network or by monitoring your network:
- Network access restriction with port security.
- The 802.1X protocol, where a machine is admitted to the network only if it is accepted by an authentication server such as a RADIUS server.