LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-09-2006, 12:56 AM   #1
muppski
Member
 
Registered: Feb 2003
Posts: 149

Rep: Reputation: 15
"Arp spoofing"


How can I prevent it with iptables and how can I see if my computers are doing this ?
 
Old 02-09-2006, 07:32 AM   #2
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
ARP or Address Resolution Protocol, is used to translate IP addresses to MAC addresses on a local network.
I'm not sure iptables (= packet filtering based on TCP/IP packet headers mostly) can do that trick, since that
seems to work at a higher level in the TCP/IP stack.

But then again, I maybe wrong. My experience with TCP/IP network stacks is already getting old...
 
Old 02-09-2006, 09:04 AM   #3
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
You would actually want to use arptables.

https://www.linux-magazine.com/issue...irewalling.pdf (page 28)
http://linuxcommand.org/man_pages/arptables8.html
http://ebtables.sourceforge.net/
 
Old 02-09-2006, 10:10 AM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
AFAIK you can't completely defend against arp spoofing
It is inherent to the unauthentication on Layer2 of OSI systems.
You need an encrypted layer 2 mechanism (I don't know such) or tunnel everything in encrypted IP datagrams. IPSec for DNS, HTTP,...
As a tool for monitoring MAC changes and detect some possible arp spoofing, have a look at arpwatch.
Arptables can also help you.
For sensitive server, disable arp on interfaces (ifconfig eth0 -arp) and use static arp tables.
 
Old 02-09-2006, 05:08 PM   #5
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
To stop ARP poisoning use network switches with MAC (to port) binding features.

EDIT: and I believe the word "spoofing" is being used incorrectly here. The MAC address IS being "spoofed"/impersonated, but ARP (the cache) is being "poisoned".

Sorry for being a stickler but I got to get this stuff straight for my Security+ test.

Last edited by Crito; 02-09-2006 at 05:38 PM.
 
Old 02-10-2006, 12:10 PM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Do you have a "local" network that you are worried about? Being layer 2 and all, MAC addresses can't be futzed with by say hackers from The Internet unless a node on your LAN has been comprimised. If you have a small enough network, you could just turn ARP off on all the nodes and set up static ARP tables. Not a fun task on even a tiny network.

Either way, lots of good information here already, definitly read the links int0x80 posted and if you have an immediate concern, maybe give some details on what is happening to make you suspect. If you are just concerned then read up so you can decide whether this is a real threat to your network, or just something you read about and now have fear of the unknown. I would say it's a pretty low risk on a wired LAN, the exception being the more freedom the users there have (Live CDs, can install software, physical access to network devices) and a little higher risk on a wireless network.

Oh yea, I belive Crito is correct, the accurate terms would be "MAC spoofing" and "ARP table poisoning"

Last edited by Darin; 02-10-2006 at 12:13 PM.
 
Old 02-10-2006, 01:03 PM   #7
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
On wireless LANs you can futz with the MAC addresses (nice term Darin ). If you do have a wireless network, this is something to consider. But as Darin recommended, on a small, wired network you could potentially use static ARP tables.
 
Old 02-10-2006, 01:18 PM   #8
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Well, you can easily mess with the MAC address on a wired LAN also. MAC spoofing is just one of the key tools used to "hack" a wireless network and you don't need physical access to get on a wireless network, you just have to be in range of the WAP.
 
Old 02-11-2006, 03:10 AM   #9
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
If you really want to figure out how it's done, there's no replacement for actually doing it yourself. Download the Linux program "Hunt" and give it a try.

Just noticed the Hunt homepage is down (was going to link to it)... guess someone got upset about it. anyway, I found Fedora Core 4 RPMs somewhere (don;'t remember ATM) and just found this page that might help track it down: http://linux.maruhn.com/sec/hunt.html

USE ON YOUR OWN COMPUTERS ON YOUR OWN LAN AND AT YOUR OWN RISK (OR DON'T USE IT AT ALL.)

Last edited by Crito; 02-11-2006 at 03:32 AM.
 
Old 02-11-2006, 04:05 AM   #10
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Changing its mac address is standard in linux
Code:
# ifconfig eth0 hw ether 01:BA:BE:15:DE:AD
A swiss knife tool for ARP.
http://64.233.179.104/search?q=cache...sk.org/+arp-sk
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Telling people to use "Google," to "RTFM," or "Use the search feature" Ausar General 77 03-21-2010 11:26 AM
"Xlib: extension "XFree86-DRI" missing on display ":0.0"." zaps Linux - Games 9 05-14-2007 03:07 PM
ARP command is "broken" vexer Linux - Networking 11 02-10-2006 01:15 PM
ICMP "Spoofing?" paulengel Linux - Security 1 07-03-2005 06:51 AM
"unusable" network (possibly re. ARP) Ollie5882 Linux - Networking 9 10-10-2003 01:02 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration