
Re: against illegal arp update

From: Cedric Blancher <blancher(at)cartel-securite.fr>
Date: Tue Mar 11 2003 - 04:19:24 EST

On Mon 10/03/2003 at 10:04, SB CH wrote:
> Today someone(I don't know who) which use same network(/20), has updated

Arpwatch is a tool that monitors ethernet traffic in order to detect MAC/IP couples and spot changes. In a switched environment, this can only be done on ethernet broadcast stuff. For ARP cache poisoning uses unicast messages, such as directed ARP requests or ARP replies, it is difficult for arpwatch to achieve its detection task. So, a determined attacker can be clever enough to launch a quite silent attack, to realise DoS or traffic interception.

> I know that one can fake his ip and update illegal arp information against

See http://www.arp-sk.org/ for details about these attacks and their consequences.

I could notice that ARP cache poisoning sometimes leads to DoS as a side effect, when "incorrectly" used ;)

> Is it a virus or illegal attack?

I am not aware of any virus that uses ARP cache poisoning...


> How can I solve this incident?

The only efficient solution is static ARP cache, but it is a horrible pain to maintain. You can also use MAC based filtering, but it is as painful.
Unfortunately, NT/2k does not support static ARP cache. They have "permanent" ARP cache, meaning user-set entries do not expire, but can be updated. Unices have static ARP cache.

In a switched environment, arpwatch has to listen to a monitor port to be fully efficient. Prelude IDS (http://www.prelude-ids.org/) and Snort both have modules that can detect ARP level attacks.

-- 
Cédric Blancher  
IT systems and networks security expert  - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
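As an added illustration of the detection gap Cedric describes (this is not part of the original message, nor arpwatch's own code), the following Python sketch learns sender MAC/IP pairs from raw ARP frames the way arpwatch does and reports a change. The frames, addresses and the monitor_port flag are constructed assumptions: with monitor_port=False the sensor models a plain switch port that only receives broadcast frames, so a unicast ARP reply re-mapping an IP goes unseen.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
GW_MAC, GW_IP = "aa:bb:cc:00:00:01", "10.0.0.1"       # constructed gateway
HOST_MAC, HOST_IP = "aa:bb:cc:00:00:02", "10.0.0.2"   # constructed host
ROGUE_MAC = "aa:bb:cc:00:00:99"                       # constructed second MAC claiming GW_IP

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP frame in memory (constructed sample input, never sent)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(map(int, a.split(".")))
    eth = h(dst_mac) + h(src_mac) + b"\x08\x06"          # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # ethernet/IPv4, op 1=request 2=reply
    return eth + arp + h(sender_mac) + ip(sender_ip) + h(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (dst_mac, op, sender_mac, sender_ip) or None if the frame is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return mac_str(frame[0:6]), op, mac_str(frame[22:28]), ".".join(str(x) for x in frame[28:32])

def watch(frames, monitor_port):
    """Arpwatch-style pairing: learn IP->MAC from sender fields, alert when a known IP moves."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        dst, op, smac, sip = parsed
        # On a switch, a sensor without a mirror/monitor port only receives broadcast frames.
        if not monitor_port and dst != BROADCAST:
            continue
        old = table.get(sip)
        if old is not None and old != smac:
            alerts.append(f"changed ethernet address {sip} {old} -> {smac}")
        table[sip] = smac
    return alerts

def sample_frames():
    return [
        # broadcast who-has from the gateway: every port, including the sensor, sees it
        build_arp(BROADCAST, GW_MAC, 1, GW_MAC, GW_IP, "00:00:00:00:00:00", HOST_IP),
        # normal unicast reply from the host
        build_arp(GW_MAC, HOST_MAC, 2, HOST_MAC, HOST_IP, GW_MAC, GW_IP),
        # unicast reply binding the gateway IP to another MAC: the event to flag
        build_arp(HOST_MAC, ROGUE_MAC, 2, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),
    ]
```

Running watch(sample_frames(), monitor_port=False) returns no alerts, while monitor_port=True reports the gateway IP changing from aa:bb:cc:00:00:01 to aa:bb:cc:00:00:99.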


Received on Tue Mar 11 12:28:00 2003


