petkouzunski (n00b)
Joined: 26 Dec 2004 Posts: 26 Location: Bulgaria
Posted: Tue Aug 23, 2005 12:13 pm Post subject: Some kind of attack
Yesterday a guy from my network showed me what I'd written in IRC. We talked for a while and he said he had stolen a big amount of unencrypted passwords. I had no static arp entries so I thought he had made an ARP spoof attack (man-in-the-middle). I made static entries in /etc/ethers and thought I was secure. This morning I installed arpstar, loaded it and asked him to try to attack me and he did. BUT (there is always one "but") I couldn't log his attacks (neither by arpstar, nor by tcpdump, ethereal or whatever you can imagine). The arpstar module works (we tried it with a friend and it logged him). So my questions are:
1. How to protect myself from being attacked?
2. How to log any other attempts?
P.S. I'm not 100% sure the attack is an ARP spoof attack!
Thanks in advance!
adsmith (Veteran)
Joined: 26 Sep 2004 Posts: 1386 Location: NC, USA
Posted: Tue Aug 23, 2005 12:44 pm
well, IRC, AIM, etc. all just go over the line as text, so if he's sitting at a router, he can just tcpdump it.
It sounds like the real problem is that your network has a lot of unencrypted data (including passwords???).
atmat (n00b)
Joined: 23 Aug 2005 Posts: 7
Posted: Tue Aug 23, 2005 12:57 pm Post subject: Re: Some kind of attack
petkouzunski wrote: | Yesterday a guy from my network showed me what I'd written in IRC. We talked for a while and he said he had stolen a big amount of unencrypted passwords. I had no static arp entries so I thought he had made an ARP spoof attack (man-in-the-middle). I made static entries in /etc/ethers and thought I was secure. This morning I installed arpstar, loaded it and asked him to try to attack me and he did. BUT (there is always one "but") I couldn't log his attacks (neither by arpstar, nor by tcpdump, ethereal or whatever you can imagine). The arpstar module works (we tried it with a friend and it logged him). So my questions are:
1. How to protect myself from being attacked?
2. How to log any other attempts?
P.S. I'm not 100% sure the attack is an ARP spoof attack!
Thanks in advance! |
The only "real" way to secure your host from arp MITM attacks is this. Setting static arp will do the job but if your network is large then it's not always possible. Then again what if someone sends an arp pkg with spoofed src? Think about it, if your computer replies it could turn your host into a zombie and use it to DOS the original machine.
To log arp packets use these:
Quote: |
* net-analyzer/arpwatch
Latest version available: 2.1.11-r1
Latest version installed: [ Not Installed ]
Size of downloaded files: 123 kB
Homepage: http://www-nrg.ee.lbl.gov/
Description: An ethernet monitor program that keeps track of ethernet/ip address pairings
License: BSD
* sec-policy/selinux-arpwatch
Latest version available: 20050408
Latest version installed: [ Not Installed ]
Size of downloaded files: 0 kB
Homepage: http://www.gentoo.org/proj/en/hardened/selinux/
Description: SELinux policy for arpwatch
License: GPL-2
|
let us know
ps. Was your friend able to trace ssl connections as well?
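The two ideas in this reply, pinning the gateway's MAC statically and logging IP-to-MAC pairings so a change shows up, can be put together in a few dozen lines. The following is an added example written for this thread, not arpwatch's own code and not something the posters ran: it decodes Ethernet/ARP frames, keeps an arpwatch-style table of pairings, and reports three kinds of anomaly (a reply whose Ethernet source disagrees with its ARP sender field, a pairing that contradicts a static entry, and a learned pairing that changes). The addresses, the `ArpWatcher` class and the `demo()` replay are all constructed for the example; on a real host the same `observe()` would be fed frames from a raw socket or a pcap.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # MAC in the Ethernet header (what the NIC actually sent)
    eth_dst: str
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # MAC/IP pair the ARP payload claims
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(mac_to_str(eth_src), mac_to_str(eth_dst), op,
                    mac_to_str(sha), ip_to_str(spa), mac_to_str(tha), ip_to_str(tpa))


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Construct a frame so the watcher can be exercised offline (test helper, constructed data)."""
    return (mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(sha) + ip_to_bytes(spa) + mac_to_bytes(tha) + ip_to_bytes(tpa))


class ArpWatcher:
    """Remembers the IP->MAC pairings it has seen, arpwatch-style, and reports anomalies."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        # Static pins play the role of /etc/ethers entries: these pairs must never change.
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts: List[str] = []
        ip, mac = arp.sender_ip, arp.sender_mac
        # A reply whose Ethernet source differs from its ARP sender field is the
        # "spoofed src" case from the thread: the payload speaks for another station.
        if arp.opcode == ARP_REPLY and arp.eth_src != mac:
            alerts.append(f"{ip}: ethernet src {arp.eth_src} != arp sender {mac}")
        if ip in self.static and self.static[ip] != mac:
            alerts.append(f"{ip}: static entry {self.static[ip]} contradicted by {mac}")
        known = self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac          # first sighting: new station
        elif known != mac:
            alerts.append(f"{ip}: changed ethernet address {known} -> {mac}")
            self.learned[ip] = mac
        return alerts


def demo() -> List[List[str]]:
    """Replay four constructed frames and return the alerts each one raised."""
    gw_ip, gw_mac = "10.0.0.1", "aa:bb:cc:00:00:01"      # constructed gateway
    me_ip, me_mac = "10.0.0.42", "aa:bb:cc:00:00:42"     # constructed local host
    bad_mac = "de:ad:be:ef:00:01"                        # constructed second station
    watcher = ArpWatcher(static={gw_ip: gw_mac})
    frames = [
        build_arp(gw_mac, me_mac, ARP_REPLY, gw_mac, gw_ip, me_mac, me_ip),              # genuine
        build_arp(me_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST, me_mac, me_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(bad_mac, me_mac, ARP_REPLY, gw_mac, gw_ip, me_mac, me_ip),             # header/payload disagree
        build_arp(bad_mac, me_mac, ARP_REPLY, bad_mac, gw_ip, me_mac, me_ip),            # gateway IP re-mapped
    ]
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo(), 1):
        print(f"frame {i}:", alerts or "ok")
```

The third frame is caught only by comparing the Ethernet header with the ARP payload, which is why a watcher should look at both; the fourth is caught twice, once by the static pin and once by the learned table, so even a host without static entries would at least see the flip.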
petkouzunski (n00b)
Joined: 26 Dec 2004 Posts: 26 Location: Bulgaria
Posted: Tue Aug 23, 2005 3:14 pm
The network isn't very big (less than 500 machines). I have a static ARP entry for the gateway and a free file server (SAMBA share) on the network. But when he attacks me I can't access the file server (I DO have a static entry for it too). The boy sits behind his PC. He can't listen to the traffic and get passwords as clear text, mainly because my ISP uses switches. If it is an ARP attack he can listen to SSL connections, I think, because he makes all PCs transfer their packets to him and he routes them. But I can't realize how he does it! I tried to listen with ETHEREAL but I get only 3 packets in 5 minutes and they aren't suspicious. I'll make a log and post it here but it'll be later.
Quote: | Then again what if someone sends an arp pkg with spoofed src? Think about it, if your computer replies it could turn your host into a zombie and use it to DOS the original machine. |
No idea ... I think he can't do that mainly because he doesn't know how to do it ....
BTW - arpwatch and selinux-arpwatch are compiled successfully now ...