The everlasting ARP attack

Discussion in 'other firewalls' started by bonedriven, Jul 22, 2008.

Thread Status:
Not open for further replies.
  1. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    There is a famous song by Bob Dylan with the words "THE COPS DON'T NEED YOU & MAN THEY EXPECT THE SAME". Just a thought.
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    All this thread is pointless.
    ARP poisoning and ARP spoofing cannot be stopped on the client level. If your network gets compromised the only thing a personal firewall can do is to block all the traffic.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello all,

    First and foremost,

    Please stay on topic.

    I will read through the thread and let's see if we can find a resolution to this problem.

    - Stem
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi bonedriven,

    Sorry to hear of your problem. Let's see if we can find an answer to stop this.

    I will help when I can (time available)


    The last versions of PC firewall I looked at will not help in this situation.
    I would need better description of what you mean.

    Yes, unfortunately the MAC will show as from the gateway/router as that handles the comms. Correct/full filtering of ARP is needed to see all info within the packet, then action can be taken

    We need to back up from what apps you use to connect out or what DHCP/DNS servers you use, as those connections are based on correct ARP within the LAN,... so it is ARP comms that we need to look at.


    Are you concerned with which firewall to use? (does it need to be firewall X and not firewall Y), or just a firewall to protect from such attacks? If you are prepared to use any firewall that will give the protection, then we can go through setup and reasons for settings.

    - Stem
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I don't think it's off topic too much. My main concern is the question if my router can handle ARP attacks.
    Unfortunately there is no way I can know this.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    To all on thread,

    I don't really want to start picking out various posts or comments, but really just want to put forward some points.

    Static ARP:
    This can be used, but is dependent on:-

    The ability of the firewall to filter out the possible external reset of such (yes it can happen)

    but also:-

    If all ARP is blocked after setting static ARP entries, which can work, but it is dependent on the gateway/router keeping forever the MAC/IP of your PC, which is not always done
    {note:- My own setup, which is on an ISP LAN,.. I can set up a static ARP entry for the gateway, then block all ARP,... I have no connection problems with that, as the ISP obviously keeps the info (well, until my modem is turned off/reset),... but it is not always the case for all on all ISP(s)}


    Can ARP poisoning/spoofing be stopped against the PC?

    Certainly yes (well the attacks I currently know about). The main need is to actually make bindings of gateway MAC/IP and have filtering to protect that binding.


    - Stem
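
    The gateway MAC/IP binding and the ARP filtering that protects it, as described in the post above, sketched as an added example (not code from the thread or from any firewall product). The pinned binding, the addresses and the frames are constructed; `PINNED`, `verdict` and `build_frame` are hypothetical names.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding (documentation-range IP and MAC, not from the thread).
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}  # gateway IP -> gateway MAC

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4 ARP; return a dict, or None."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "op": op, "sha": _mac(sha),
            "spa": str(IPv4Address(spa))}

def verdict(frame: bytes, pinned=PINNED) -> str:
    """Decide what a binding-aware ARP filter would do with one frame."""
    p = parse_arp(frame)
    if p is None:
        return "ignore"                      # not ARP, other rules apply
    if p["eth_src"] != p["sha"]:
        return "drop:eth-mismatch"           # header and ARP payload disagree
    want = pinned.get(p["spa"])
    if want is not None and p["sha"] != want:
        return "drop:binding-violation"      # another MAC claims the pinned IP
    return "accept"

def build_frame(eth_src, sha, spa, op=2,
                tha="00:00:5e:00:53:50", tpa="192.0.2.50") -> bytes:
    """Build a constructed ARP frame (sample input for the filter)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = m(tha) + m(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + m(sha) + IPv4Address(spa).packed
            + m(tha) + IPv4Address(tpa).packed)

if __name__ == "__main__":
    gw, rogue = "00:00:5e:00:53:01", "00:00:5e:00:53:66"
    for name, f in [("gateway reply", build_frame(gw, gw, "192.0.2.1")),
                    ("spoofed reply", build_frame(rogue, rogue, "192.0.2.1")),
                    ("forged payload", build_frame(rogue, gw, "192.0.2.1"))]:
        print(f"{name:15} -> {verdict(f)}")
```

    This covers only the PC's own view of the gateway; what the gateway holds in its own ARP table for the PC is outside the check.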
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    For home type routers I have not seen such protection mentioned and have not taken time to check.

    I don't think router manufacturers take into account the fact that users can be (and a lot are) connected to external (possibly untrusted/unmanaged) LANs.


    - Stem
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Because I believe this is theoretically impossible with a client-side firewall. I tested both Outpost and Comodo, and neither of them could protect from ARP spoofing fully. And yes, it was a little better with them than w/o them, but never fully successful. My permanent connections periodically dropped, my downloads hung and finally dropped also, browsing speed dropped essentially and 50/50 gave "cannot access web page" error.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Alex_s,
    Unfortunately firewall vendors who implement such "auto" protection attempt to do it in a "user friendly simple way",.. and this is very difficult to do.

    A need for user to input defined bindings within the firewall and the correct filtering of ARP by that firewall (IMHO) is the way to go.

    - Stem
     
  10. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Stem,

    I'm a bit curious. How can you stop the ARP poisoning on the client if the attacker has already sent spoofed ARP Replies versus the router (telling him that the attacker's MAC address should receive the traffic bound to the IP of the other machine)?

    Panagiotis
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Which way to go in case the gateway is poisoned with your fake MAC? Then the gateway response will just never reach you. Not to forget, anything you can do the attacker can do also. So the only way I see is a fixed MAC policy for both client and gateway.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi pandlouk,
    With correct bindings and filtering it is not actually possible to ARP spoof/attack on LAN against your PC. It is just a lack of filtering from most vendors.

    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For a gateway to be poisoned would show that the gateway is to updated with new info,.. so when you actually connect yourself that info would be updated with the new info before you attempt to connect,..... or am I missing something?
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hello Stem,

    What you're saying is that,
    1)once you make the ARP 'table' static,
    2)and filter any attempts to change it with a capable firewall (since Windows can't really make it static),

    ->then even if the attacker manages to fool all other machines on LAN, it doesn't matter to our PC, since we still have the correct entries?
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    As long as attacker listens to LAN he may send ARP packet "I'm your IP, fake MAC" to gateway right after you did it. Then gateway ARP table will be updated again (poisoned).
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    Windows does not filter ARP

    static tables can be made, but this is dependent on protection made via 3rd party

    - Steve
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, it does not work like that.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    please think first
     
  19. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    You mean hardware vendors or software firewall vendors?
    I agree that correct binding and filtering make arp spoofing impossible.

    But shouldn't such binding be done on the router or at the ISPs gateway?

    Panagiotis
     
  20. wat0114

    wat0114 Guest

    Mine is connected to my ISP, Shaw Cable through, of course, the modem, typical of the majority of setups, I'm sure. I'm on no home or office LAN. Can I not trust my ISP to properly manage/monitor against these types of attacks?

    I still feel the question needs to be asked of the OP: "why don't you report the attacker!?"

    Absolutely!
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    For sure not condoning attacks but is this "ARP attack" and this "someone" also associated with the "ARP-Spoofing" that concerned your work LAN and monitoring being done with management's approval?
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm heavily trying, but think you also, please :)

    Where can the gateway know what the current binding is from? Only from the "I'm" ARP message. The other option is fixed MAC, but we disregard it because it needs gateway setup to be involved. Which of the two messages "I'm" (true and fake) should be taken as true by the gateway? The both. Or to be accurate the latest one. And yes, the gateway may be set up in some way to avoid it, but please, remember we take into account only the "general" case. And in the general case the gateway starts to send the packets to the MAC that was introduced latest. Is there any mandatory standard that could make the gateway go the other way?
     
  23. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Which current or past firewalls stop ARP attacks? I have ZA PR, Webroot, Sygate Pro, Comodo, Online Armor free.
     
  24. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Hi Bubba, the attacker is the same one from the thread you referred to. However, it is an attack instead of management. I don't want to mention the story of why I am attacked, what's the relationship between us, which is nonsense. He (the attacker) is an asshole because he even asked the so called "pros" to DDoS my machine (yesterday). If he is my boss or something, he can talk to me or fire me, ok?
     
    Last edited: Jul 25, 2008
  25. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Fair enough for now.
     