In a previous article I've talked about how you can sniff traffic on a LAN using ARP. In this article we are going to see how we can prevent our traffic from being sniffed.
ARP spoofing works because of a big flaw in ARP: anybody on the network can respond to ARP requests. To prevent machines on the network and routers from getting confused we must set up static ARP tables and/or configure each of the machines separately.
Blocking ARP replies from the OS
All major Linux distros have a built-in possibility of blocking random ARP replies, but it is commonly turned off. To turn on this feature we make "arp_accept" false (set it to 0).
echo 0 > /proc/sys/net/ipv4/conf/all/arp_accept
How to add a static entry to a local ARP table (the ARP table on your PC)
arp -s <IP> <MAC>
You can also specify the interface you want the ARP entry to point to
arp -i <INTERFACE> -s <IP> <MAC>
An external file with ARP entries can also be used
arp -f /path/to/file
Static ARP entries aren't preserved across reboots, so we have to automate things.
How to make changes permanent
Create an external file, that the system will use to identify the ARP entries, with a MAC and a corresponding IP on each line.
The external file must be loaded at each boot (actually each time the network interface goes up). To do this we must edit the /etc/network/interfaces file. The post-up line belongs inside the iface stanza of the interface it applies to; appending it to the end of the file attaches it to the last stanza in that file.
echo "post-up arp -f /etc/ethers" >> /etc/network/interfaces
To check if it's working, reboot your machine and check your ARP table. You should see a permanent entry (marked with PERM).
arp -a -n
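As an added example (not code from the original post), here is a small Python check that compares the entries pinned in an /etc/ethers-style file against the live table from `arp -a -n` and flags any that are missing, not PERM, or currently resolving to a different MAC than the pinned one. The ethers file and arp output below are constructed samples; the `arp -a -n` line format assumed is the net-tools one shown above.

```python
import re
import subprocess

# Constructed sample of an /etc/ethers-style file: "MAC IP" per line, '#' comments allowed.
ETHERS_SAMPLE = """
# router
00:11:22:33:44:55 192.168.1.1
# printer and NAS
aa:bb:cc:dd:ee:01 192.168.1.20
aa:bb:cc:dd:ee:02 192.168.1.30
"""

# Constructed sample of `arp -a -n` output (net-tools format).
ARP_SAMPLE = """
? (192.168.1.1) at 00:11:22:33:44:55 [ether] PERM on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.30) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""

# One arp -a -n line: "(ip) at mac [ether] PERM on dev"; flags part is optional.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|<incomplete>)(?P<flags>.*?) on (?P<dev>\S+)", re.I)

def parse_ethers(text):
    """Return {ip: mac} from ethers-style text, ignoring comments and blank lines."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mac, ip = line.split()[:2]
            pinned[ip] = mac.lower()
    return pinned

def parse_arp(text):
    """Return {ip: (mac, is_permanent, device)} from `arp -a -n` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), "PERM" in m["flags"], m["dev"])
    return table

def audit(pinned, table):
    """List (ip, problem) for pinned hosts whose live entry is missing, not PERM, or a different MAC."""
    findings = []
    for ip, mac in pinned.items():
        entry = table.get(ip)
        if entry is None:
            findings.append((ip, "missing"))
        elif entry[0] != mac:
            findings.append((ip, f"mac-mismatch:{entry[0]}"))  # static entry not applied, or spoofed
        elif not entry[1]:
            findings.append((ip, "not-permanent"))
    return findings

if __name__ == "__main__":
    # Real run: read the system ethers file and the live ARP table.
    with open("/etc/ethers") as fh:
        live = subprocess.run(["arp", "-a", "-n"], capture_output=True, text=True).stdout
        print(audit(parse_ethers(fh.read()), parse_arp(live)))
```

On the constructed sample the router entry passes, the printer is loaded but not permanent, and the NAS address answers from a MAC other than the pinned one.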
For a small home network, where you have a PC, several mobile devices and a router, this is relatively easy to set up. To make things even more secure, we can also modify the router's ARP table, if it's possible, but this is for another post.
For middle-size/big networks setting static ARP entries can be an issue. The solution for this is using dedicated hardware or using the current hardware's features (port security features in switches).
For any kind of network, dedicated software can also be helpful, such as ArpWatch.