arp spoofing

[b0nafide]

Oh great. A security researcher pointed out to me that my gentoo-based router is vulnerable to arp spoofing. Then he took off without suggesting preventative measures. Doh!

So I read that some APs have a 'client isolation' mode where wireless clients are disallowed from talking to each other; this prevents the man in the middle attack. However I'm not sure how to implement this on gentoo.

Then there's static arp tables, which are impractical in this case. Setting a static arp entry for the gateway anyway might be a good idea??

Is there a package I can emerge to detect arp spoofing in progress (say two IPs with the same MAC) ??

[xibo]

Same MAC different Internet Addresses is easy to detect ( i.e. just read a regularily accessed host's (ie router's) /proc/net/arp via cron-job or if they're hiding behind nat read the nat-ter's arptables via snmp ), and a poor man-in-the-middle attack. A good one would use the same mac and inet address combination as his victim.
arpwatch ( net-analyzer/arpwatch ) might help a bit, but it's not teeeh tool to rely on. it's detections can be trusted but it won't detect everything, i.e. someone modifying his mac and inet address to a present combination in your network while being outside of it, and then reconnecting will not be caught ( unless he's stupid and makes a "this-is-my-computer-name" broadcast made by windows os and dhcp clients or something like that )

You might be able to have your access point detect the MAC-modification, depending on how good it's security features are. I wouldn't expect it to be possible with any access points i've seen yet though, it's a feature i know from switches for cabled networks.

Static MACs aren't that bad. If you can use static-address autoconfiguration you can generate static arp tables content, in the worst case by sedding you dhcpd.conf. If you use dynamic-address autoconfiguration you should try to either run some script which sets up the corresponding arp entry each time an address is requested ( DHCPv6 servers can do that, but i'm not aware of DHCPv4 though i only ever used the isc's dhcpv4 server ), or use some sniffer that sniffs on your dhcp servers reply.
I use static autoconfiguration and static arp, though my clients are in a 'database' and at each modification a programm regenerates the dhcpd.conf and /etc/ethers and reloads both, together with iptables to validate people are using the addresses i want them to ( i.e. combining iptables --source and --source-mac and dropping all that don't match in the end ).

[richard.scott]

what about running arpwatch on your system?

or changing your DHCP so you only offer out a smaller network range per client i.e. /30 has only 4 ip's per delegation.

Rich.

[b0nafide]

Thanks for all the good info. I'll check out arpwatch.

... using the info from DHCP is a great idea!

Here's a guy who modified openwrt to prevent arp spoofing:

http://docs.google.com/viewer?a=v&q=cache:TA6HWxbRkycJ:citeseerx.ist.psu.edu/viewdoc/download%3Fdoi%3D10.1.1.134.6856%26rep%3Drep1%26type%3Dpdf+preventing+arp+spoofing+%2Bopenwrt&hl=en&gl=ca&pid=bl&srcid=ADGEESgIvJxzC5Zfmu4Vel7Ztzfh_kEkl4FeqNrP8saZgx2CeTs8XtxThEHf9tuUVYoSUg3ASIqoOEetl4goJ4OcsQ_XS6TSEBDbrEFd-LU37zYOcCv0mIeHmmQTCHXEMk4Uvsd-F0lz&sig=AHIEtbQzY3oSU4P8XOZ3uCF4TQBVnlgqDw

From the document:

[mack1]

There are also arptables and ebtables (for building a brouter ) that could help:

http://en.wikipedia.org/wiki/Arptables

http://ebtables.sourceforge.net/

Cheers

[b0nafide]

For testing, I setup an old laptop as an attacker. I tried to perform the MiTM arp-spoofing attack with ettercap. I could see changes to my 'victim' laptop's arp table, indeed, it believed it's gateway was the attacker's MAC.

I slapped this into my router: