ARP Spoofed packets [split posts]

Discussion in 'other firewalls' started by vijayind, May 3, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    V 0.6:-


    [image attachment: 09.jpg]

    - Stem
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    winarp spoofer is currently crashing, probably due to the version of winpcap installed (4.02).
    I will need to try and find an older version of winpcap (3.1) before I can look at this program again.


    - Stem
     
  3. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Strange, I'm sure it was not free o_O
    Maybe they have changed their mind.
    Anyway, good news.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have installed winpcap 3.1 but the program still crashes.


    winarp spoofer appears to be more interested in calling home than performing ARP spoofing.



    - Stem
     
  5. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Latest winpcap is 4.0.2.
    Yes, it crashes a lot with netcut,
    but maybe 0.5.3 crashes less.

    Important note: netcut and winarp spoofer never worked together on a single system.
    You have to install it on a PC that never had netcut installed before "from my experience"; if you do so, I think it will not crash.
     
  6. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Stem, after comparing the log and the Outpost alert you posted,
    it seems that Outpost did not recognize the exact MAC address of the attacking host.
    From the log you posted first, for every attempt at ARP poisoning Outpost suggests a different MAC address for the attacker, which is not the true MAC address or IP.
    In Outpost 3.5 it really gives me the exact IP and MAC address of the attacking host.
    Is this a fault in Outpost 6.5, or are you enabling SPI in the router?
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There is nothing in a spoofed ARP packet that will identify the attacker.
    It is the spoofed packets that are dropped and logged.
    ARP spoofed packets will simply be routed on my current setup.

    There are only 2 main areas in an ARP packet:

    Header: source MAC / destination MAC

    Payload: source MAC/IP / destination MAC/IP.

    As all the info for the source is spoofed, it is not traceable.
     
  8. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    I'll tell you something.
    Me and my friend are both on the same public wireless LAN.
    He set netcut to start with Windows
    and set Outpost to "block host if it enumerates other computers on LAN".

    When my friend wakes up and turns on his computer, netcut is just running, no spoofing "BTW HE RUNS IT TO USE THE PROTECTION FUNCTION OF IT".

    My Outpost 3.51 pops up and tells me the EXACT IP and the exact MAC address of my friend's computer, and the alarm is as follows: "host enumerates other hosts on LAN".

    So I instantly know that my friend is online now.

    That's amazing, that Outpost 3.5 can precisely know which user among a hundred users is just running a spoofing program "even before performing an actual attack".



    2nd example:
    When some user cuts the net from my computer, I call the internet service provider and tell him the EXACT IP and MAC of the attacker.
    That's why I'm really amazed by the previous versions of Outpost.

    If you can retest Outpost 3.5 and see if it can trace the exact IP and MAC of the attacker, that will be so nice.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That is because the ARP packets are not spoofed. They are simply ARP requests being used to scan/map the network. In such a situation Op Pro latest will throw up a popup to alert to such behavior (depending on settings).

    Spoofed ARP packets are not traceable, so NO firewall will know the IP or MAC of the attacking PC.
     
  10. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Stem, I'm sure there's a way to do that, because one day I did see it with my own eyes. Also Agnitum has implemented this feature; if this is completely impossible, why do they claim that Outpost can trace the attacker?

    Also I used some sort of programs called "Anti-netcut"; they have a feature called "who is using the netcut" to trace the source of spoofing.

    I just hope that you may test Outpost 3.51 and Lavasoft firewall version 1.0. I did use them for years and both of them never disappointed me on this point exactly.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You cannot trace an ARP spoof attack. It is not possible because there is no info in the packet to trace.
    Show me a link to where ARP spoofing can be traced; if Outpost states this then it is blatant misinformation.

    You can easily find anyone who is actively scanning/mapping the LAN; that is not the same as seeing who is spoofing.
    I do not need to test any firewall to see if it can trace an ARP spoof attack, because it is not possible.
     
  12. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Re: Outpost Firewall Free 2009 v6.5 Released

    I did at the end. But you can create innumerable such combinations.
    Only the cheap ones. And even PCs with firewalls are susceptible to DOS. In my previous company, one of the testers accidentally routed traffic from an IXIA generator to a test PC. About 80 p/s was enough to make it freeze; in comparison a home router can withstand (those we had tested) up to 200 p/s easily.
    I think Win 2000 onwards doesn't even recognize Grat. ARP. That was my point. That's why to register a false MAC/IP a more elaborate method is needed nowadays (as illustrated in the earlier post).
    True. I guess my viewpoint is biased since I am an ex-developer of router IDS. And I haven't tried L'n'S yet.
    I am not sure of your point here. But IMO, packet filters are too basic. Like I said earlier, valid packets can be replayed in a particular fashion or volume for malicious purposes. A simple packet filter is ineffective against the same. But a packet filter/rule is the foundation for any good firewall. Hence a good network firewall will need a packet filter + some cognitive ability like IPS, NDS, <insert your own trademarked lingo here> stuff.
    I agree a good router doesn't come cheap. But nothing good is ever available at a low price. So if you want the best protection you had better cough up for a good router. I can tell you some models but those would be the ones I worked/built on; they aren't as expensive as iPhones but still much more than that plastic stuff made in South-East Asia.

    You can't match the performance of a good router with any PC with a packet filter. The volume handling capabilities of routers are just too superior. Routers are specialist products and I still say routers are the best protection available if you are so ARP/Network paranoid.
    If you are not that in need of such great levels of protection, or you can compromise a little here and there, then pick a personal firewall with a good packet filter and some kind of attack detection vector.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Outpost Firewall Free 2009 v6.5 Released

    I know various/numerous attack vectors, some based on white paper, other gathered from various sites, some from honeypot setups and others I have found from simply studying the protocols and setting the attacks myself. But always welcome any info you can provide, rather than just such a non-informative reply you make to the original question.
    There is certainly a difference between DOS and spoof attack. We see servers that have much more ability to defend against DOS than any router, but still they can fail against a direct DDOS attack. I think we need to avoid talking of flooding, as this is not stoppable as we have seen recently.
    Windows has never filtered ARP. But as I put forward, most firewalls have an option to block these announcements.
    Raw rules are the way to go.
    Keeping bad packets out is the main purpose of a packet filter IMHO. Unfortunately most vendors push forward a simplistic packet filtering unable to even filter out invalid flagged TCP packets.
    Such routers and the upkeep (usually remote admin from vendor) are not within the price range of most home users. I see too many software firewall vendors push protection from their own product, instructing users to buy a router... not acceptable IMHO.
    This is down to vendors' inability to implement good filtering.
    There is nothing "specialist" concerning a home router... you must be talking of the high end routers? I am not personally paranoid about networks I connect to, as I know the filtering I have in place will protect. I am concerned about users who think they are protected when at times they are not.
    You can get excellent protection from a well configured packet filter. No need to go out and spend cash on a router. (now if I was talking of a packet filter on any OS other than windows, you and many others would instantly agree.)


    - Stem
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Interesting thread.


    Stem, you say you can get good protection from a well configured packet filter.

    What firewalls have good packet filters?

    Would you consider LNS a good firewall for packet filtering?
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Question to knowledgeable firewall members,

    I have my router (SPI/NAT, not DPI) with all flood attacks, ARP spoofing/pollution, DDoS etc. enabled. I also use fixed IP addresses and have MAC address control (combo IP + MAC) and added an inbound ACCESS filter on internal IP addresses of all 5 possible clients in the network (no access allowed from outside to inside network). The other IP addresses are disabled via NETWORK control (both in and out). I have partitioned the wireless network, meaning a client is only allowed to communicate with the router.

    Although MAC addresses are only available from within the network, because it is also a wireless router (with the strongest password/encryption possible, SSID changed, etc. and wireless network hidden) someone can still access the network as a wireless client. When they spoof one of the MAC addresses with the correct IP address, then they will still get in.

    Question: Would I be protected from 'man in the middle' scenarios with the above?

    Thanks, Kees
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Some of the suites do include some good filtering, however, the auto-type filtering/protection can cause problems if not correctly implemented.

    Yes, however, the main packet filtering is made via the raw rules. There are some rules pre-made that can filter out spoofed ARP, but there is a need to enter some info such as the gateway IP/MAC for correct filtering. You can also set up filters (rules) to check any part of a packet header or packet payload.


    - Stem
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do not use wireless, and others can give more info on wireless security, but I will make some points.

    In such a setup spoofing alone will not help. To attempt access they would first need to clone the correct MAC, then set the IP. This of course would still not give access, as they would still need the key.

    I have not attempted attacking a wireless network, but from the sound of your setup I think it very unlikely.

    I am sure others can give further info.


    - Stem
     
  18. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA

    What happens if you run Xirrus Wireless Inspector, can it see your network SSID etc.? By the way, it's a free wireless tool. Are you using WPA2/AES?
     
  19. wat0114

    wat0114 Guest

    Here are two questions as I'm trying to gain a better understanding of ARP and its spoofing/man-in-the-middle attacks:

    1. I'm behind a home router using Outpost Pro. There is my machine and three others connected to the router, all of which I know I can implicitly trust (I do not need to fear my kids, wife and homestay student), with two of them wireless. WPA2 encryption is used with a strong pass phrase. Only our MACs are allowed. So, basically ARP protection in Outpost is essentially useless to me, is it not, because the only ARP requests are being made to/from my machine to the router as well as to/from the other clients with the router.
    2. On this second question, even if I was not behind a router and I had the best available ARP protection enabled in my software firewall, won't it only protect me to the first hop? What about all subsequent hops beyond the first (my ISP, probably)? What if there is ARP spoofing or other ARP-like attacks going on beyond the first hop redirecting my machine's request to a rogue device; won't my firewall's ARP protection be useless against those?

    From what I understand, ARP is done at the Data Link (OSI 2) layer and the IP address is done at the Network (OSI 3) layer, so the IP address request never changes in the packet from hop to hop, but the ARP info will change, depending on how it's supposed to be routed, thus my theory that a man-in-the-middle attack, for example, could happen just as easily between hops 1 to x as it can at the first hop.

    I'm hoping someone can clarify this. Thank you!
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    OK, time for a full explanation with example.

    What we are looking at is ARP spoofed DOS.

    Let us first look at an ARP request/ reply as would be seen (on this setup as posted earlier) from the gateway to the Host.

    This is the packet contents of the request:-

    [image attachment: ARP request 01.jpg]

    Highlighted in red:- At the top you will see "Destination Address". This is currently FF:FF:FF:FF:FF:FF, which is a broadcast (it is sent to all PCs on the LAN). At the bottom you will see that there is a destination IP 10.123.123.102 (which is the host) and the destination physics is zero; that is because the MAC address of the Host is not yet known, and the request is for that information.
    Highlighted in Blue:- At the top we see the source MAC address, which is the Gateway MAC. At the bottom, we see the Source MAC/IP, which again is the Gateway.
    Now that looks like a genuine ARP request, and it will cause no problem because all the info is correct; however, it is in fact a request sent from another PC on the LAN, 10.123.123.101/00:03:0D:0F:FE:01, but there is no way to verify it, as you can see from the info contained.

    So, a reply from the Host is then made:-

    [image attachment: ARP reply 01.jpg]

    Highlighted in red: The destination of the reply, which is going to the actual gateway.
    Highlighted in Blue: This is the info showing the Host's IP and the Host's MAC address (which was requested).

    So no problem. Connections would work as expected.


    Now to a simple spoof DOS attack.

    First the packet content of the spoof DOS request:-

    [image attachment: ARP spoof dos request.jpg]

    Highlighted in red: The info is exactly as before.
    Highlighted in blue: You will see at the top that the source MAC is in fact the MAC of the gateway, and a number of firewalls will simply check that info, and even with a rule to only allow ARP from the gateway, the packet would be allowed. But if you then look at the Source physics you will see that the source MAC is not the same; in fact that MAC does not exist on the LAN, but the IP is the Gateway. The problem here is the fact that the Host's ARP cache is updated with the source physics information, so on an unprotected OS this info will then update the host cache and the host will then attempt to communicate through that MAC address thinking it is the correct MAC of the gateway, as seen below:-

    ARP DOS reply:

    [image attachment: ARP dos reply.jpg]

    Now if a check is made on the host's ARP cache, you will see at first that the IP/MAC is correct for the Gateway, but after that one spoofed ARP packet the cache is poisoned and the Host will be DOSed.

    [image attachment: 02.jpg]


    Both the above requests were made from the attacker PC:-
    10.123.123.101/00:03:0D:0F:FE:01
    But there is nothing in the requests to show this, so any attempt to trace will simply go to the gateway (or spoofed gateway).


    Hope this makes things a little clearer.


    - Stem
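An added example (Python, not from the thread or any product named in it) that builds the genuine and the spoofed ARP request Stem describes in posts #7 and #20 and applies the two checks a raw rule could make: Ethernet source MAC against the ARP sender hardware address, and the gateway IP against a static IP/MAC binding. The IPs and the attacker's address are the ones in the post; the gateway MAC and the non-existent spoofed MAC are constructed values.

```python
"""Ethernet II + ARP (RFC 826) frames for the two cases in Stem's post,
plus the consistency checks a packet filter can apply to them."""
import struct

GATEWAY_IP, GATEWAY_MAC = "10.123.123.1", "00:11:22:33:44:01"   # gateway MAC is constructed
HOST_IP = "10.123.123.102"                                        # the Host in the post
ATTACKER_IP, ATTACKER_MAC = "10.123.123.101", "00:03:0D:0F:FE:01"  # attacker PC from the post
BOGUS_MAC = "00:DE:AD:BE:EF:01"         # constructed: the MAC "that does not exist on the LAN"
BROADCAST = "FF:FF:FF:FF:FF:FF"
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02X}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)


def build_arp_request(eth_src, sender_mac, sender_ip, target_ip):
    """The Ethernet header carries eth_src; the ARP payload carries sender_mac/ip
    (the "source physics" in the post). A genuine request has them equal."""
    eth = ETH_HDR.pack(mac(BROADCAST), mac(eth_src), 0x0806)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, mac(sender_mac), ip(sender_ip),
                       mac("00:00:00:00:00:00"), ip(target_ip))
    return eth + arp


def check_arp(frame, bindings):
    """Return the reasons to drop the frame (empty list == pass).
    bindings maps IP -> MAC for static entries such as the gateway."""
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return ["not ARP"]
    _, _, _, _, _, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    reasons = []
    if sha != eth_src:   # header source MAC disagrees with payload sender MAC
        reasons.append(f"eth src {fmt_mac(eth_src)} != ARP sender {fmt_mac(sha)}")
    bound = bindings.get(fmt_ip(spa))
    if bound and mac(bound) != sha:   # sender claims a bound IP with the wrong MAC
        reasons.append(f"{fmt_ip(spa)} is bound to {bound}, packet says {fmt_mac(sha)}")
    return reasons


def attacker_identifiable(frame):
    """Stem's point: the attacker's own MAC and IP appear nowhere in the frame."""
    return mac(ATTACKER_MAC) in frame or ip(ATTACKER_IP) in frame


# Genuine request from the gateway, and the spoofed DOS request: Ethernet src is
# the gateway MAC (passes an "only ARP from gateway" rule) but the payload binds
# the gateway IP to BOGUS_MAC, which is what poisons the Host's ARP cache.
GENUINE = build_arp_request(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, HOST_IP)
SPOOFED = build_arp_request(GATEWAY_MAC, BOGUS_MAC, GATEWAY_IP, HOST_IP)
BINDINGS = {GATEWAY_IP: GATEWAY_MAC}

if __name__ == "__main__":
    for name, frame in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_arp(frame, BINDINGS) or "pass",
              "| attacker traceable:", attacker_identifiable(frame))
```

Both checks flag the spoofed frame, yet neither one (nor anything else in the frame) points at 10.123.123.101, which is why the filter can drop and log the packet but cannot attribute it.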
     
  21. wat0114

    wat0114 Guest

    Stem, your pictorial example is excellent. This is something I was secretly hoping to see from you for a long, long time ;) This ought to be a sticky. Thank you!

    BTW, can you shed some light regarding my post #44?
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That is one of the main points I have been attempting to push forward for some time.
    ARP protection is only good for the local LAN.
    If you connect to an ISP LAN(or other) then simply placing a router in between you and that LAN is taking away any protection your software firewall may offer in terms of ARP/DHCP/DNS spoofing protection. If the router does not contain this protection from an external attack, and is spoof attacked, you will not know, and then connections going out of the router could be going anywhere.

    - Stem
     
  23. wat0114

    wat0114 Guest

    Okay, now I'm clear on it. Thank you Stem! My router, D-Link DIR-655, has some sort of "Anti-spoofing" option in it which I've enabled, but the description in the help file is rather vague so I don't know how effective it is. It's probably not that slick because it's just a typical plastic box home router. However, I would tend to agree with an earlier post in this thread that ARP attacks are probably more of a concern on a public wireless network than within an ISP's network. Maybe I should be more concerned, except I can't see how it could be easily done without the ISP being able to trace the attack directly to the source. Would it not be a high risk for someone to attempt this on a public ISP?
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The management of the ISP subnets is controlled by the laws of the country it is in. An ISP will (should) control all ARP at the gateway; it is not difficult to do. My own ISP binds the user IP to MAC and this is then kept. I can actually block all ARP from my ISP LAN without any connection problems; I can just set a static ARP entry for the gateway.
    To attempt spoofing on a public ISP, I am not sure what enforcement is in place. I have been meaning to connect to one to monitor again, but spare time is in short supply.

    My main reason for pushing the subject is to make users aware. I believe it wrong that such protection should not be in software firewalls just because maybe a vendor puts forward it is not needed, but I know it can be in certain situations/setups.

    I don't want all to start panicking over this. These spoof attacks are well known to ISPs, and as I said, they can be easily intercepted at the gateway.


    - Stem

    EDIT: Let's just class it as a learning thread.
     
    Last edited: May 7, 2009
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Stem, thanks for the info. It has been 20 years or so since I last did something with communications (old fashioned mainframe to midi to dumb terminal, later on PCs with terminal emulation to encapsulate mainframe apps in an OS/2 appearance).

    I have also got MAC-IP binding on the clients, through my configuration utility. So I figured that the fixed lines were safe, but am not that familiar with wireless security.

    Thanks for the post and the nice educational samples.
     