Friday, August 1, 2008

arptables, and ARP poisoning(Netcut, Switchspoofer, ..)

Netcut , WinARPspoofer, Switchsniffer,WinARPattacker , and other ARP poisoners are becoming popular now with the growing number of the free wifi hotspots and shared broadband connections, and are being used either for taking advatage of the whole network internet speed , or sniffing sensitive informations, emails, chat conversations, .. etc
i tried many ways to stop attacks on my linux like what mentioned here but i failed to stop the attacks
after several trials and forensics, I found that arptables is the solution
i installed arptables package

$sudo apt-get install arptables


the i have added these lines to my firewall script
provided that "192.168.1.1" is the gateway IP and "00:1D:0F:A9:F0:45" is the mac address of the gateway

#arptables -P INPUT DROP
#arptables -P OUTPUT DROP
#arptables -A INPUT -s 192.168.1.1 --source-mac 00:1D:0F:A9:F0:45 -j ACCEPT
#arptables -A OUTPUT -d 192.168.1.1 --destination-mac 00:1D:0F:A9:F0:45 -j ACCEPT

#arp -s
192.168.1.1 00:1D:0F:A9:F0:45


First line to set the policy of INPUT chain to DROP.
Second line to set the policy of OUTPUT chain to DROP.
Third line to only ACCEPT connections from trusted gateway.
Forth line to send replies only to the trusted hosts.
Fifth line to add static entry into the ARP table to link your trusted host to its own MAC.
What i liked in this this solution that your box will only be visible to the trusted hosts in your network, even when the attacker try to scan the network by anykind of software. A good combination between arptables and iptables makes you safe in untrusted switched networks.

5 comments:

Anonymous said...

Try this on Windows http://sync-io.net/Sec/anti-arpspoof.aspx

Let me know if you want the code.
-chris

Anonymous said...

should I type all of those lines everytime I restart my machine?

abulmagd said...

you can append these commands at the end of /etc/rc.local

Anonymous said...

hello,

Thank you for yhe guide here, but why I still can't get my connection even after I've followed your guide?
this is what happen when I run arp-scan:
http://i905.photobucket.com/albums/ac253/ghemoex/arp.png

It seems I can't get the true mac address of my router, and when I tried looking up the mac address using the arp command, everything seems normal :
http://i905.photobucket.com/albums/ac253/ghemoex/arp.png

Arief Yudhawarman said...

I have published my writing about arp poisoning and how to protect the linux box from it with arptables. You can see at http://awarmanf.wordpress.com/2009/12/23/membuat-linux-kebal-arp-poisoning-arp-spoofing/ (indonesian)