Friday, August 1, 2008

arptables and ARP poisoning (Netcut, Switchspoofer, ...)

Netcut, WinARPspoofer, Switchsniffer, WinARPattacker and other ARP poisoners are becoming popular now with the growing number of free Wi-Fi hotspots and shared broadband connections. They are used either to grab the whole network's internet bandwidth for one machine or to sniff sensitive information: emails, chat conversations, etc.
I tried many ways to stop attacks on my Linux box, like the ones mentioned here, but I failed to stop the attacks.
After several trials and some forensics, I found that arptables is the solution.
I installed the arptables package:

$ sudo apt-get install arptables


Then I added these lines to my firewall script, assuming that "192.168.1.1" is the gateway IP and "00:1D:0F:A9:F0:45" is the gateway's MAC address:

# arptables -P INPUT DROP
# arptables -P OUTPUT DROP
# arptables -A INPUT -s 192.168.1.1 --source-mac 00:1D:0F:A9:F0:45 -j ACCEPT
# arptables -A OUTPUT -d 192.168.1.1 --destination-mac 00:1D:0F:A9:F0:45 -j ACCEPT

# arp -s 192.168.1.1 00:1D:0F:A9:F0:45


First line: set the policy of the INPUT chain to DROP, so every incoming ARP packet is discarded unless a rule accepts it.
Second line: set the policy of the OUTPUT chain to DROP, so the box sends no ARP packets unless a rule accepts them.
Third line: only ACCEPT incoming ARP packets whose sender IP and sender MAC are those of the trusted gateway. A forged reply that claims 192.168.1.1 with the attacker's MAC no longer matches and is dropped before the kernel sees it.
Fourth line: only send ARP packets (in practice, replies) whose target IP and target MAC are those of the trusted gateway, so the box answers the gateway and nobody else.
Fifth line: add a static (permanent) entry to the ARP table linking the gateway IP to its real MAC. This is required, not optional: with the OUTPUT policy at DROP the box can no longer send its own ARP requests for the gateway (a request carries an all-zero target MAC, so the fourth rule does not match it), and a permanent entry is also not overwritten by a poisoned reply. Note that if the gateway's MAC ever changes (for example the router is replaced), the box loses connectivity until the script is updated.
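As an added example, not the original post's script, here is the same gateway pinning wrapped in a small POSIX shell script. The gateway IP, MAC and interface name (wlan0) are hypothetical placeholders. Compared with the lines above it restricts the rules to one interface with `-i`/`-o`, sets the DROP policies last so a failure midway does not leave the box without ARP, offers a dry-run mode that prints the commands instead of executing them, and adds a check that reads `ip neigh show` to confirm the gateway entry is still PERMANENT with the expected MAC.

```shell
#!/bin/sh
# Added example, not the original post's firewall script.
# Pins the default gateway with arptables plus a static ARP entry.
# All three values are hypothetical; override them from the environment.
GW_IP="${GW_IP:-192.168.1.1}"
GW_MAC="${GW_MAC:-00:1D:0F:A9:F0:45}"
IFACE="${IFACE:-wlan0}"

# Normalise a MAC to lowercase colon form; print it and return 0,
# or return 1 for anything that is not six hex octets.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m"; return 0 ;;
        *)  return 1 ;;
    esac
}

# Print, in order, the commands that pin the gateway. Printing instead of
# executing lets one function drive both the dry run and the real apply.
# Policies are set to DROP only after the ACCEPT rules and the static
# entry exist, so an error earlier in the list cannot cut us off.
gateway_rules() {
    ip=$1; mac=$2; dev=$3
    cat <<EOF
arptables -F
arp -i $dev -s $ip $mac
arptables -A INPUT -i $dev -s $ip --source-mac $mac -j ACCEPT
arptables -A OUTPUT -o $dev -d $ip --destination-mac $mac -j ACCEPT
arptables -P INPUT DROP
arptables -P OUTPUT DROP
EOF
}

# Validate the MAC, then either print the commands (DRY_RUN=1) or run them
# through sh -e so the first failing command aborts the sequence.
apply_gateway_rules() {
    mac=$(normalize_mac "$GW_MAC") || { echo "bad MAC: $GW_MAC" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        gateway_rules "$GW_IP" "$mac" "$IFACE"
    else
        gateway_rules "$GW_IP" "$mac" "$IFACE" | sh -e
    fi
}

# Parse one line of `ip neigh show <gateway>` and return 0 only if it is a
# PERMANENT entry carrying the expected MAC. A REACHABLE/STALE entry, or one
# with a different lladdr, means the static entry is gone or was poisoned.
# Constructed example line:
#   192.168.1.1 dev wlan0 lladdr 00:1d:0f:a9:f0:45 PERMANENT
neigh_entry_ok() {
    line=$1; want=$2
    have=$(printf '%s\n' "$line" | awk '{for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1)}')
    state=$(printf '%s\n' "$line" | awk '{print $NF}')
    [ "$have" = "$want" ] && [ "$state" = "PERMANENT" ]
}

# Live check against the kernel neighbour table (needs iproute2).
check_gateway() {
    mac=$(normalize_mac "$GW_MAC") || return 1
    neigh_entry_ok "$(ip -4 neigh show "$GW_IP")" "$mac"
}

# Usage: sudo ./pin-gateway.sh apply      DRY_RUN=1 ./pin-gateway.sh apply
#        ./pin-gateway.sh check
case "${1:-}" in
    apply) apply_gateway_rules ;;
    check) check_gateway ;;
esac
```

Run `check` from cron or after every reconnect: a gateway entry that is no longer PERMANENT, or whose lladdr differs from the pinned MAC, is the symptom the post describes and worth alerting on.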
What I liked about this solution is that your box answers ARP only from the trusted hosts in your network, so an ARP scan from any other machine on the segment, whatever software the attacker uses, gets no reply. Keep in mind what that does and does not cover: arptables filters only ARP, so an attacker who already knows your MAC can still send IP traffic straight to it, and other peers on the LAN (printers, file shares) will also be unable to reach you unless you add them the same way. That is why arptables alone is not enough; a good combination of arptables for the ARP layer and iptables for everything above it is what keeps you safe on untrusted switched networks.