ARP Spoofed packets [split posts]

Discussion in 'other firewalls' started by vijayind, May 3, 2009.

Thread Status:
Not open for further replies.
  1. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Kinda out of topic, but those looking for strong ARP protection for free could use SoftPefect Personal Firewall. You can create rules for ARP also in it, so as to have precise security.
    http://www.softperfect.com/products/firewall/
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Outpost Firewall Free 2009 v6.5 Released


    Softperfect like most other firewalls that give the ability to add MAC rules only check the Ethernet header and not the payload, so they can be ARP spoofed very easily.

    So no, softperfect does not give any protection against ARP spoofing even with rules in place.


    - Stem
     
  3. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Re: Outpost Firewall Free 2009 v6.5 Released

    True, you can't create a water tight shield for ARP with Softperfect. But IMO, its still better than other free products. It allows you to specify trusted MACs but MAC like IP can be spoofed.
    If the attacker in the same network and knows the correct MAC/IP no product (I think) can stop him. Routers/Advanced Switches can only detect such spoofs when they originate on wrong port/network.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Outpost Firewall Free 2009 v6.5 Released

    A spoof ARP can easily be blocked if the packet filter allows a rule to be created with MAC address (that is checked from payload) and IP address.

    Look at look'n'stop.


    - Stem
     
  5. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Re: Outpost Firewall Free 2009 v6.5 Released

    So a rule like: MAC X = IP 123.
    Still as I said if attacker knows the IP & MAC he will get through, there is no stopping. The rule you say only prevents the attacker from filling the arp table for IP 123. Still by random selection (or brute force) he can still get through, hence most routers limit the max entry/packets with same mac but different IP. Again not perfect, but a step better.

    Back to the topic, OFP does seem to have "smart" filters much like in many l3 devices to tackle ARP spoofing.

    Thanks for the info about L'n'S. I have never tried it, but it seems a good old school firewall.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Outpost Firewall Free 2009 v6.5 Released

    We are talking of anti-spoof and rules to prevent, which can easily be done with correct rules.
    Show me a bypass for ARP that I cannot block with a packet filter rule.

    A spoofed packet that uses the correct MAC and correct IP of a gateway is of no use to an attacker as any possible reply is made to that IP/Mac. Only if spoof attack (where the MAC address of the gateway is spoofed/changed) is successful will cause compromise/redirect/DOS.

    - Stem
     
  7. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Re: Outpost Firewall Free 2009 v6.5 Released

    A spoofed packet with correct MAC and IP can be used for a flood attack and also as a part of a elaborate spoof attack.

    One could send a multitude of spoofed ARP Request packets and cause a flood of ARP Reply on designated node. One of the easy ways to bring down a cheap router, they have limited ARP table size and many become unstable when the ARP tables get filled.

    Another clever attack is when networks are configured with firewall/router than have some config loopholes. An attacker wants to make the network think that IP A and MAC X are real while they are non-existent in reality. Grat. ARP are usually dropped and not learnt by routers/nodes. So to get past that, one spoof ARP Req. packet with known IP and MAC. Then a spoof reply with IP A and MAC X.

    Regarding packet rules, I agree. Packet rules are to networking what binary is to processing. All attack protection is based upon a stack of specially designed rules. So to stop any possible network problem you need a firewall/administrator who can create the right set of rules or an intelligent system which can monitor the environment and create dynamically the rules.

    But I am unclear about the convention "Personal Firewall". Since PF are supposed to be a small feature subset of industrial firewalls, you can point to many areas they don't protect well. Since they are "Personal" they skip the ability to create rules for every protocol.

    So IMO if you are really want to create a networking fortress at home, its better to invest in a good router than go after PF which are designed to cover only a part of the network security paradigm.
     
    Last edited: May 5, 2009
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Outpost Firewall Free 2009 v6.5 Released

    You dont need spoofed packets to make a flood attack. Flooding can be made by any protocol. Even with a policy to "block all" any firewall/router can be DOS with a flood (some easier than others)
    What elaborate spoof attack? Give example.

    Routers are easy to DOS and that is one of the points I am making.

    Gratious ARP can easily be blocked, even some of the auto_type protection in some firewalls will have the option to block these, to stop the "IP conflict" which can be caused from such spoofed packets.

    You are thinking too much of the limited home firewalls with set filtering ability. You need to look at a Packet filter with raw rules editing, such as L'n'S.

    Again you should look at a good packet filter, not the limited firewalls most use.

    Show me an home router that will filter out an external attack of spoofed ARP/DHCP/DNS. You may find one at the top end, but they can be very expensive. Why pay that when I can filter better with a packet filter?


    - Stem
     
    Last edited: May 5, 2009
  9. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hii Stem
    nice to see u again speaking in arp protection functionality of firewalls
    i tried almost all firewalls implementing arp poisoning protection
    like

    -outpost "all versions "
    -zonealarm
    -online armor
    -comodo
    -sygate
    -pc tools
    ect.....

    and after many research and experiments , i concluded that 90% of firewalls claiming of arp poisoning protection do NOT in fact protect against such kind of DOS and other arp poisoning attacks

    only outpost versions 3.5 , 3.51 , 4.0
    can only and effieciently guard against these kinds of attacks

    even the recent versions of outpost 6.xx , in addition to other firewalls mensioned above completely fails in arp protection
    " all i say is based on personal tests and not on emotions "

    i have been in contact with agnitum to show them the details of my private tests that concern with arp protection , and how the previous versions of outpost completely overcomed by the old versions of outpost


    NOW , i'll show one of the tests , i've done in such subject

    before the test we have to totally agree on the criteria that we can use to judge on a firewall to pass arp poisoning test


    1- the firewall should detect the arp poisoning attack
    2-the firewall should detect the type of the attack
    3-the firewall should detect the ip and the mac of the attacking host inside the lan
    4-finally and the most important thing is that the firewall should prevent the DOS attack " the internet servive must be still running in the victim's computer"


    the test

    A)) installing the "net cut " program 2.08 ""one of the famous arp poisong programs "

    B)) running the program , untick "the protect my computer" becouse i want the firewall to protect my computer and not the betcut itself

    C)) choose the my own ip and mac and cut the net on my computer

    this strange test is trying to generate arp poisoning against itself

    and the firewall must detect the attacking ip "my ip " and must also prevent the net servive cutting

    the only firwalls that could prevent that are

    -outpost 3.5 , 4.0
    -sygate
    -zonealarm "after enabling the arp protection which is not enabled by default"

    the only firewall that gives detailed information about the kind of attack and the attacking ip and mac address is the outpost 3.5 , 4.0


    http://img15.imageshack.us/img15/3673/46045899.jpg

    the same test can be repeated using another computer inside the local network
    and also can be repeated using other arp poisoning programs other than "net cut 2.08 , like winarp spoofer and switch sniffer

    i want to see ur comment , STEM , i'm inetented to see ur opinion especially when it comes from a firewall expert like u

    best regards
     
    Last edited: May 5, 2009
  10. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Did you test Rising IS 2009 free or Rising FW 2009 Free?
     
  11. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    yes in deed , i tested Rising firewall 2009 as it has anti spoofing functionality
    also tested FortKnox Firewall 2009
    and unfortunately both of them failed completely
    neither could stop the attack nor even could even identify the attacking ip or mac address

    in fact i did not mentioned all of the firewalls that were tested coz they are many , only mentioned the famous names
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi hany3,

    Caution is needed when making any packet filtering tests. With ARP tests you should not be attacking yourself (PC Host attacking PC host). The problem with this is the fact some firewall perform "Smart filtering"(Well that is what some firewalls call it) and when a spoofed outbound is sent, then the packet routing will be allowed due to this filtering, and the ARP cache can be updated with spoofed info.

    That is how I set up, and is more to what would be seen in an untrusted LAN, where a remote PC is attacking the Host.

    I do use various tools such as Netcut, but now prefer to create my own attacks as it is easier to monitor and log. In some cases a firewall can be ARP spoofed with just one spoofed ARP packet every 30 seconds.(to prevent the ARP cache on the attacked PC being updated with correct info from the gateway)

    From the point of the IP being blocked. That is a mistake that some firewalls have made in the past (and some still do), it is only the MAC address that should be blocked (and IP shown only for reference) when spoofing is detected.

    As setting up to test this only requires actually installing the firewall, then sending the spoofed packets from another node, I can easily post the details shown in the firewall logs if required.


    - Stem
     
  13. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Interesting.. I know of FortKnox and you did setup RIS to the max in settings correct..?

    So you're not using a router just the modem to a PC correct?
    Router can be locked down using MAC address to prevent such attack.
    Software fire can only do so much prevention though. You can add the attacker IP address to the software firewall to box the user or you can do it in the router. There is always the last full protection method unplug the LAN or disable the wireless adapter. Bad IP addresses like you can block thos Peer guardian or SNORT.
     
  14. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    ok stem
    i understand ur point of view , but concerning the smart arp filtering , outpost uses the same arp rules in versions 3.51 , 4.0 , untill v 6.x
    so the fact that smart filtering allow outbound arp poisoning in outpost 6.xx is not the cause , but in fact throught development of outpost , users always compain of false positive arp attacks and resolving such bugs resulted in some loss in the arp protection functionality in outpost

    converning other firewalls , that failed the tested , they in fact detected an arp poisoning attacks in their logs , but failed to stop that
    if arp filtering in them voluntarily allowd the outbound spoofing , so why they identified it as an attack

    to be mentioned here , that firewalls like zonealarm despite it didn't detect any running spoofing attack , but it completely prevented the outbound spoofing



    i think that many organizations "like matousec" interested to a very large extent to the outbound protection and leak tests and ignored completely other important items like arp filtering and testing arp poisoning protection

    so that carrying out and sharing arp test results here for all the firewalls and creating some kind of rating based on previosly identified criteria and according to the test results , that will be a very good job especially if these tests and ratings are done by firewall experts like u and other security experts here in the wilders
    and i prefer to begin testing with outpost pro 3.51 , 4.0 , 6.5
    both outpost 3.51 , 4.0 versions can be easily downloaded from www.oldapps.com
    coz i think that outpost 3.51 is the strongest firewall version i've ever seen concerning arp poisoning protection
     
    Last edited: May 5, 2009
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have tested a number of builds of Outpost (and many other firewalls). With outpost the actual setting shown in the firewall for ARP protection have not changed, but the actual filtering made has.
    I did on many builds of OP see ARP spoofing protection fail quite easily. In the latest version it did succeed, however, when using a program such as Netcut, one should also be aware of possible gateway ARP cache poisoning due to that tool, so a check on the host ARP cache must be made to check that the gateway IP/MAC is still protected during the attack and that pings are made to the actual gateway to update its ARP cache.

    I will install the latest OP pro now, and make ARP spoof attack and post the actual logging made in OP (I will use Netcut so you will know the attack made)



    - Stem
     
  16. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    i'm happy to hear that stem
    and now i'm waiting to see a detailed revision of outpost 6.5 concerning arp protection

    and we hope that outpost be the 1st product in a waiting list of firewalls to be tested and reviewed by stem concerning arp protection

    SO NOW , WE ARE EAGERLY WAITING
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello hany3,

    OP pro 6.5.4(2525.381.0687)

    Setup:
    I have setup behind my gateway. I have placed a router(Linksys) behind my gateway and have in place 2 PCs connected to the router. One with OP pro(Host) and one to make attacks.

    To block spoof gateway then the setting in OP pro for ARP must be set to "Block sniffer if gateway network MAC was changed"

    01.jpg

    A command "Arp -a" shows current ARP entries on the HOST: 10.123.123.1 being the gateway, the other is the attacker.

    02.jpg

    During the attack by Netcut there was a number of popups from OP pro to indicate the attack, and log entries where made:-

    03.jpg

    Also during th attack I checked the ARP cache on the host, which remained the same.

    04.jpg

    So the current ARP spoof protection against Netcut Inbound attacks does work.


    - Stem
     
  18. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hii stem
    i'm really amazed by ur excellent and perfect review
    althought it was a very rapid , it was also full at the same time
    but just wondering about the kind of alarm displayed by outpost
    did outpost showed "host declared itself as a gateway" ??
    did the alarm displayed the attacker mac address as in the old versions 3.51 "as i showed above in the 1st test " o_O

    now ur review encourages me to retest outpost 2009 in arp protection aspects

    thanks stem for ur kind efforts
     
    Last edited: May 5, 2009
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi hany3,

    I will go back and take a screen shot of the alert.

    I was curious about running Netcut on the Host, and then attempting to spoof itself (as you put forward), however, this is also failing to spoof.


    Alerts where not made of spoof attempt, but as no spoof was actually made then it is not a threat.

    The popup given by Op Pro when executing Netcut;-

    05.jpg

    06.jpg

    Netcut is currently running and I have set it to block the Host(itself). I am making post from that Host now.

    07.jpg

    - Stem
     
  20. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    stem , i know the alerts of the low level netwok access
    i just was asking about the alerts in the victims computer
    BTW , stem have u tried winarp spoofer program , coz i thing under certain settings of the program it result in the strongest DOS attacks i've ever seen
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK


    Example:

    08.jpg


    - Stem
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, I usually set up my own attacks.

    I have downloaded the program and will check. This may take longer to check as I will need to see what packets are being used for the attacks


    - Stem
     
  23. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    for winarp spoofer
    don't forget :
    1- download version 0.5.3 it's the last free version , as next version is not free
    2- under spoofing settings "choose to and from gateway "
    also untick "act as router or gateway during spoofing
    this is very important during testing

    i 'm really pleased with ur tests and i hope that u begin a learning thread for arp poisoning protection in firewalls and to createa a todo list of firewalls to be tested using various arp poisoning programs like netcut , switchsniffer , winarp spoofer , i think such thread will be very helpful to the wilder's users
    i think it may be more popular than matousec's rating :D

    please stem , go on in ur very helpful working


    GOOD LUCK

    best regards
     
    Last edited: May 5, 2009
  24. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Fellows a bit over kills with ARP attacks.. Do you think the average users going to need all this extra protection? Most cases nope.. NetCut seems to be killer app..
     
  25. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    i'm on a public wireless network
    all users here like to play with such applications to cut the net service for other users so that they can take the full bandwidth
    so i've suffeed alot from this kind of attacks

    if u have ur own router or on a private network , so u don't need this extra protection

    but if u are on a public network , so u are not far from danger
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.