Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
02-09-2006, 01:56 AM
|
#1
|
Member
Registered: Feb 2003
Posts: 149
Rep:
|
"Arp spoofing"
How can I prevent it with iptables and how can I see if my computers are doing this ?
|
|
|
02-09-2006, 08:32 AM
|
#2
|
Senior Member
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515
Rep:
|
ARP or Address Resolution Protocol, is used to translate IP addresses to MAC addresses on a local network.
I'm not sure iptables (= packet filtering based on TCP/IP packet headers mostly) can do that trick, since that
seems to work at a higher level in the TCP/IP stack.
But then again, I may be wrong. My experience with TCP/IP network stacks is already getting old...
|
|
|
02-09-2006, 10:04 AM
|
#3
|
Member
Registered: Sep 2002
Posts: 310
Rep: 
|
|
|
|
02-09-2006, 11:10 AM
|
#4
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
AFAIK you can't completely defend against ARP spoofing.
It is inherent to the lack of authentication at Layer 2 of OSI systems.
You need an encrypted layer 2 mechanism (I don't know of one) or to tunnel everything in encrypted IP datagrams. IPSec for DNS, HTTP,...
As a tool for monitoring MAC changes and detecting some possible ARP spoofing, have a look at arpwatch.
Arptables can also help you.
For a sensitive server, disable ARP on interfaces (ifconfig eth0 -arp) and use static ARP tables.

|
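A sketch of the kind of check arpwatch automates, answering the "how can I see it" part of the question: compare two snapshots of the Linux ARP cache (`/proc/net/arp`) and flag IP-to-MAC bindings that changed, that disagree with a pinned (static) entry, or that share one MAC. This is an added example, not part of any post and not arpwatch's code; the function names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed /proc/net/arp snapshots (sample data, not from the thread).
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
BEFORE = HEADER + """\
192.168.1.1      0x1         0x2         02:00:00:aa:00:01     *        eth0
192.168.1.20     0x1         0x2         02:00:00:aa:00:14     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
AFTER = HEADER + """\
192.168.1.1      0x1         0x2         02:00:00:aa:00:14     *        eth0
192.168.1.20     0x1         0x2         02:00:00:aa:00:14     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp(text):
    """Return {ip: mac} for resolved entries of a /proc/net/arp dump."""
    table = {}
    for line in text.strip().splitlines()[1:]:        # skip the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2:                                # ATF_COM: entry is complete
            table[ip] = mac
    return table

def find_anomalies(previous, current, pinned=None):
    """Compare two parsed tables; `pinned` is an optional {ip: mac} allow-list."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    alerts = []
    for ip, mac in sorted(current.items()):
        if ip in pinned and mac != pinned[ip]:
            alerts.append(("pinned-mismatch", ip, mac))
        elif ip in previous and previous[ip] != mac:
            alerts.append(("mac-changed", ip, mac))
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    # One MAC answering for several IPs is how a poisoned cache looks, but it is
    # also normal for routers doing proxy ARP, so treat it as a lead to check.
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(("shared-mac", ",".join(sorted(ips)), mac))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse_arp(BEFORE), parse_arp(AFTER)):
        print(alert)
```

On a live host, feed it successive reads of `/proc/net/arp` and pass the gateway's known address pair as `pinned`.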
|
|
02-09-2006, 06:08 PM
|
#5
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Rep:
|
To stop ARP poisoning use network switches with MAC (to port) binding features.
EDIT: and I believe the word "spoofing" is being used incorrectly here. The MAC address IS being "spoofed"/impersonated, but ARP (the cache) is being "poisoned".
Sorry for being a stickler but I got to get this stuff straight for my Security+ test. 
Last edited by Crito; 02-09-2006 at 06:38 PM.
|
|
|
02-10-2006, 01:10 PM
|
#6
|
Senior Member
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024
Rep:
|
Do you have a "local" network that you are worried about? Being layer 2 and all, MAC addresses can't be futzed with by say hackers from The Internet unless a node on your LAN has been compromised. If you have a small enough network, you could just turn ARP off on all the nodes and set up static ARP tables. Not a fun task on even a tiny network.
Either way, lots of good information here already, definitely read the links int0x80 posted and if you have an immediate concern, maybe give some details on what is happening to make you suspect. If you are just concerned then read up so you can decide whether this is a real threat to your network, or just something you read about and now have fear of the unknown. I would say it's a pretty low risk on a wired LAN, the exception being the more freedom the users there have (Live CDs, can install software, physical access to network devices) and a little higher risk on a wireless network.
Oh yea, I believe Crito is correct, the accurate terms would be "MAC spoofing" and "ARP table poisoning".
Last edited by Darin; 02-10-2006 at 01:13 PM.
|
|
|
02-10-2006, 02:03 PM
|
#7
|
Member
Registered: Sep 2002
Posts: 310
Rep: 
|
On wireless LANs you can futz with the MAC addresses (nice term Darin). If you do have a wireless network, this is something to consider. But as Darin recommended, on a small, wired network you could potentially use static ARP tables.
|
|
|
02-10-2006, 02:18 PM
|
#8
|
Senior Member
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024
Rep:
|
Well, you can easily mess with the MAC address on a wired LAN also. MAC spoofing is just one of the key tools used to "hack" a wireless network and you don't need physical access to get on a wireless network, you just have to be in range of the WAP.
|
|
|
02-11-2006, 04:10 AM
|
#9
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Rep:
|
If you really want to figure out how it's done, there's no replacement for actually doing it yourself. Download the Linux program "Hunt" and give it a try.
Just noticed the Hunt homepage is down (was going to link to it)... guess someone got upset about it. Anyway, I found Fedora Core 4 RPMs somewhere (don't remember ATM) and just found this page that might help track it down: http://linux.maruhn.com/sec/hunt.html
USE ON YOUR OWN COMPUTERS ON YOUR OWN LAN AND AT YOUR OWN RISK (OR DON'T USE IT AT ALL.)
Last edited by Crito; 02-11-2006 at 04:32 AM.
|
|
|
All times are GMT -5. The time now is 06:24 AM.