Protect against ARP-spoofing

In a previous article I've talked about how you can sniff traffic on a LAN using ARP. In this article we are going to see how we can prevent our traffic from being sniffed.

ARP-spoofing works because of a big flaw in ARP: anybody on the network can respond to ARP requests. To prevent the machines on the network and the routers from getting confused we must set up static ARP tables and/or configure each of the machines separately.

Blocking ARP replies from the OS

All major Linux distros have the built-in possibility of blocking unsolicited ARP replies, but it is commonly turned off. To turn on this feature we set “arp_accept” to false (0).

echo 0 > /proc/sys/net/ipv4/conf/all/arp_accept

How to add a static entry to the local ARP table (the ARP table on your PC)

arp -s <IP> <MAC>

You can also specify the interface you want the ARP entry to point to.

arp -i <INTERFACE> -s <IP> <MAC>

An external file with ARP entries can also be used.

arp -f /path/to/file

Static ARP entries aren't preserved across reboots, so we have to automate things.

How to make changes permanent

Create an external file that the system will use to identify the ARP entries, with a MAC address and the corresponding IP address on each line.

nano /etc/ethers

00:11:22:33:44:55 192.168.15.15

The external file must be loaded at each boot (actually each time the network interface goes up). To do this we must edit the /etc/network/interfaces file. A post-up line belongs to the iface stanza it is placed under, so check that the appended line ends up under the interface you intend.

echo "post-up arp -f /etc/ethers" >> /etc/network/interfaces

To check if it's working, reboot your machine and check your ARP table. You should see a permanent entry (marked with PERM).

arp -a -n
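As an added example (not code from the original post), here is a small shell check that compares the output of arp -a -n with the entries in /etc/ethers, reporting a changed MAC, an entry that is present but not PERM, and an expected entry that is missing. The file names, MACs and IPs used in the demo are constructed; on a real machine save the live table with arp -a -n first.

```shell
#!/bin/sh
# Added example (not from the original post): compare an ARP table with the
# static mappings in an /etc/ethers-style file. It reports any IP whose MAC
# differs from the expected one (what a poisoned table looks like), any
# expected entry that is present but not PERM, and any expected entry that
# is missing. The table is read from a file holding "arp -a -n" output, so
# save the live table first: arp -a -n > /tmp/arp.txt

# check_arp ETHERS_FILE ARP_OUTPUT_FILE  (exit 0 if everything matches)
check_arp() {
    awk '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] {             # ethers file: "MAC IP" per line
            if ($0 ~ /^[ \t]*(#|$)/) next
            want[$2] = tolower($1); next
        }
        /\([0-9.]+\) at / {               # "? (IP) at MAC [ether] PERM on eth0"
            ip = $0;  sub(/.*\(/, "", ip);  sub(/\).*/, "", ip)
            mac = tolower($0);  sub(/.* at /, "", mac);  sub(/ .*/, "", mac)
            seen[ip] = 1
            if (!(ip in want)) next       # no static entry for this host
            if (mac != want[ip]) { print "MISMATCH " ip " expected " want[ip] " got " mac; bad = 1 }
            else if ($0 !~ / PERM /) { print "NOTPERM " ip; bad = 1 }
        }
        END {
            for (ip in want) if (!(ip in seen)) { print "MISSING " ip; bad = 1 }
            exit bad
        }' "$1" "$2"
}

# write_samples DIR: constructed sample data (all MACs and IPs are made up)
write_samples() {
    cat > "$1/ethers" <<'EOF'
00:11:22:33:44:55 192.168.15.1
66:77:88:99:aa:bb 192.168.15.15
cc:dd:ee:ff:00:11 192.168.15.99
EOF
    cat > "$1/arp.txt" <<'EOF'
? (192.168.15.1) at 00:11:22:33:44:55 [ether] PERM on eth0
? (192.168.15.15) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.15.20) at 02:aa:bb:cc:dd:ee [ether] on eth0
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_arp "$dir/ethers" "$dir/arp.txt" || echo "ARP table does not match the static entries"
```

In the sample data 192.168.15.15 shows a different MAC than the static entry and 192.168.15.99 is absent, so the check exits with status 1 and prints one line for each.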

Real world situations

For a small home network, where you have a PC, several mobile devices and a router, this is relatively easy to set up. To be even safer, we can also modify the router's ARP table, if that is possible, but this is for another post.

For medium-size/big networks, setting static ARP entries can be an issue. The solution for this is using dedicated hardware or using the existing hardware's features (port security features in switches).

For any kind of network, dedicated software can also be helpful, such as ArpWatch.

Resources

  • http://www.arppoisoning.com/