ARP: IP/MAC binding?

Discussion in 'LnS English Forum' started by Stem, Jan 1, 2008.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I admit I don't normally install L`n`S; this is only due to the fact that I mainly install firewalls for support issues, but as this dedicated forum is here, I do not usually install L`n`S.
    So, if I may ask: is there a way to create rules for ARP to bind IP to MAC (to help prevent ARP poisoning)? I have not seen this in the latest version (which I installed for a short time), but this may be (is it?) in the raw plugin.

    Regards,
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Stem,

    I'm not sure what kind of binding is required against ARP poisoning, but yes, it is possible with raw rules to specify the IP and MAC address in the ARP data payload.

    With the new SPF rule-based feature in 2.06p2, it is also possible to accept specifically the ARP Resp corresponding to the ARP Req, or to have the PC answer with an ARP Resp only to ARP Req that were addressed to it.

    Hope this answers your question.

    If you want to give SPF rules a try, I can send you the ARP SPF rules I'm currently using.

    Regards,

    Frederic
     
  3. Stem

    Hi Frederic,
    It is just a case of my needing correct filtering with bindings of gateway IP/MAC to/from PC IP/MAC (to directly block ARP scans/spoofed packets).

    An initial ARP request to the gateway is broadcast, so I am not sure of your description. Do you mean a timeout is allowed, or is filtering of the reply based on IP only?
    Example:
    The initial request from the PC (IP/MAC) will be sent to the gateway IP as a broadcast ARP (FF:FF:FF:FF:FF:FF) (destination physical address 00:00:00:00:00:00).
    The reply will be made from the gateway IP / gateway MAC to the PC (IP/MAC).
    So the reply (source) MAC address will be unknown within the packet.

    Thanks, but I will take a look myself (when time is available). It will give me insight into whether this will be difficult for other users to set up.

    I can then check the filtering against some of the tools used to spoof/poison the ARP cache.

    Regards,
    Stem
     
  4. Frederic

    Yes, with SPF rules you can specify a timeout during which the ARP Resp is allowed.
    But the main point is to associate Req/Resp with the IP address to be resolved (into a MAC address) by using the ARP data content.
    A first SPF rule will detect the ARP Req from the PC to the broadcast address, and an entry is added to a table with the value of the IP address to be resolved (+ a timeout).
    The second SPF rule will detect an ARP Resp to the MAC address of the PC, and it will check in the ARP data content whether the IP matches one entry from the table.
    For a standard user, using the raw rule edition and the SPF dialog box configuration is probably too complex. Fortunately, to use these rules there is no need to understand them fully, and even no need to have the plugin installed.
    Since some other users asked me for the rules, I've finally worked on them a little bit more and I've put them here:
    http://looknstop.soft4ever.com/Beta/2.06p2/SPFRules/SPF-ARP-Rules-1.01.rie
    I'm also interested to know if this kind of SPF rule can detect/block these attacks.

    Thanks,

    Frederic
     
  5. Stem

    Hi Frederic,
    No, such filtering would not itself block programs such as Netcut from performing a spoofed DoS. Unfortunately, programs such as Netcut perform the DoS by sending a spoofed ARP request, so unless there is some reference or inbound filter to check the gateway IP/MAC binding, such a DoS attack would succeed.

    I have had a quick look at the new raw rules, and I will admit to some confusion.

    Looking at the offsets in the DNS rule:

    [image: dns.gif]

    I can see you have placed offsets to check remote IP / identification and source port.

    Looking at the DHCP rule does confuse me:

    [image: dhcp.gif]

    What is the second offset pointing to? I have looked at DHCP boot packets (request/reply) but see no reference to this offset, and find nothing to match at that offset.

    Regards,
    Stem
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Stem,

    It's the Transaction ID. :)
     
  7. Frederic

    Yes, the name of the field is usually XID.
    Offset type 2 means the offset value starts at the UDP header position, so the offset for the first byte of the UDP payload is 8.

    Frederic
     
  8. Stem

    Hi Phant0m,

    Thanks,

    After posting, I did realize my mistake when checking the packets: I actually compared mismatched request/reply packets. (I need new glasses.)
     
  9. Stem

    Hi Frederic,
    Yes, thanks, I did find the info you had posted about the offset value.
    Sorry, that has confused me. If you place an offset of 12, why would this then be 8?
    My confusion: as for the local port, offset 0 (first field), would this become -4?

    EDIT:

    Is there any more info available with respect to the raw rules, such as entries for the variables shown in "Field criteria"?

    Regards,
     
  10. Frederic

    If the Sender hardware address (SHA) and Sender protocol address (SPA) fields are not spoofed, then there is no problem creating rules that would accept only ARP packets coming from the real gateway (and probably this is already included in Phant0m's and Climenole's rulesets).
    If all fields are spoofed (Ethernet header, SHA and SPA), then nothing will differentiate a spoofed ARP Req from an ARP Req coming from the gateway. But in that case what would be the issue?

    Frederic
     
  11. Frederic

    No, the ports are really at offset 0.
    At offset 4 you have length + checksum.
    Then the real UDP data starts, and for DHCP:
    At offset 8 you have OP/HTYPE/HLEN/HOPS.
    At offset 12 you have the XID.

    Frederic
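
    The offset scheme Frederic describes above, worked through as an added example (this is Python written for this page, not Look 'n' Stop code or one of its rule files). It reads fields at "offset type 2" positions counted from the first byte of the UDP header, so ports sit at 0 and 2, length/checksum at 4 and 6, the BOOTP op/htype/hlen/hops bytes at 8 and the XID at 12, and it pairs an outbound DHCP request with the inbound reply on that XID, which is what the second offset in the posted DHCP rule points at. The XID value, the client MAC and the datagrams themselves are constructed for the example.

```python
"""Added example, not Look 'n' Stop code: 'offset type 2' (offsets counted from
the start of the UDP header) applied to DHCP, plus request/reply pairing on the
XID field. All datagrams, the XID and the client MAC are constructed here."""
import struct
from typing import Dict

# Offsets counted from the first byte of the UDP header
OFF_SRC_PORT, OFF_DST_PORT, OFF_LENGTH, OFF_CHECKSUM = 0, 2, 4, 6
OFF_UDP_PAYLOAD = 8
OFF_BOOTP_OP = OFF_UDP_PAYLOAD + 0      # op/htype/hlen/hops occupy bytes 8..11
OFF_BOOTP_XID = OFF_UDP_PAYLOAD + 4     # XID occupies bytes 12..15
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def udp_field(udp: bytes, offset: int, length: int) -> bytes:
    """Read `length` bytes at a type-2 offset. Refuse to read past the end of
    the datagram rather than silently matching on a truncated packet."""
    if offset < 0 or offset + length > len(udp):
        raise ValueError(f"offset {offset}+{length} outside {len(udp)}-byte datagram")
    return udp[offset:offset + length]


def build_dhcp(op: int, xid: int, sport: int, dport: int, chaddr: bytes) -> bytes:
    """UDP header + minimal BOOTP/DHCP body (no options beyond the cookie)."""
    bootp = (struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # op..flags
             + b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
             + chaddr.ljust(16, b"\x00")          # chaddr is a 16-byte field
             + b"\x00" * 192                      # sname (64) + file (128)
             + MAGIC_COOKIE)
    header = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0)  # checksum 0 = none
    return header + bootp


class DhcpXidTracker:
    """Pair an outbound DHCP request with the inbound reply by XID: our request
    stores its XID; a reply is accepted only if it is a BOOTREPLY to the client
    port carrying a pending XID. Each XID is consumed by the first reply."""

    def __init__(self) -> None:
        self.pending: Dict[bytes, bool] = {}

    def outbound(self, udp: bytes) -> None:
        if (udp_field(udp, OFF_DST_PORT, 2) == struct.pack("!H", DHCP_SERVER_PORT)
                and udp_field(udp, OFF_BOOTP_OP, 1) == bytes([BOOTREQUEST])):
            self.pending[udp_field(udp, OFF_BOOTP_XID, 4)] = True

    def inbound_allowed(self, udp: bytes) -> bool:
        try:
            if udp_field(udp, OFF_DST_PORT, 2) != struct.pack("!H", DHCP_CLIENT_PORT):
                return False
            if udp_field(udp, OFF_BOOTP_OP, 1) != bytes([BOOTREPLY]):
                return False
            return self.pending.pop(udp_field(udp, OFF_BOOTP_XID, 4), None) is not None
        except ValueError:          # too short to carry the fields the rule needs
            return False


def demo() -> dict:
    """Constructed DISCOVER/OFFER exchange plus a forged reply and a truncated one."""
    chaddr = bytes.fromhex("000c29aabbcc")                    # constructed client MAC
    discover = build_dhcp(BOOTREQUEST, 0x3903F326, DHCP_CLIENT_PORT, DHCP_SERVER_PORT, chaddr)
    offer = build_dhcp(BOOTREPLY, 0x3903F326, DHCP_SERVER_PORT, DHCP_CLIENT_PORT, chaddr)
    forged = build_dhcp(BOOTREPLY, 0x11111111, DHCP_SERVER_PORT, DHCP_CLIENT_PORT, chaddr)
    tracker = DhcpXidTracker()
    tracker.outbound(discover)
    return {
        "src_port_at_0": udp_field(discover, OFF_SRC_PORT, 2),
        "dst_port_at_2": udp_field(discover, OFF_DST_PORT, 2),
        "op_htype_hlen_hops_at_8": udp_field(discover, OFF_BOOTP_OP, 4),
        "xid_at_12": udp_field(discover, OFF_BOOTP_XID, 4),
        "offer_allowed": tracker.inbound_allowed(offer),
        "offer_replayed": tracker.inbound_allowed(offer),
        "forged_xid_allowed": tracker.inbound_allowed(forged),
        "truncated_allowed": tracker.inbound_allowed(offer[:10]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value!r}")
```

    Stem's question about the local port is answered by the constants: the port fields stay at offsets 0 and 2 whatever the payload is, because the scheme counts from the UDP header, not from the payload.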
     
  12. Stem

    If I send an ARP request to a user's PC on the LAN, with the gateway IP and a spoofed MAC (as with Netcut), please explain how the current ARP raw rules will deal with this. (I can post the packet contents of a spoofed ARP from Netcut if required, or even send you Netcut; I do not think this program is still available.)
    With respect to the others you mention, I am currently only interested in the default rules given/posted by yourself.
     
  13. Stem

    Frederic,

    I think there may be a possible misunderstanding or confusion between us. I have little spare time now; I will make a better post to explain (with results from checks/tests), but this may take a day or two due to ongoing commitments.


    Regards,
     
  14. Frederic

    There is an old post with some details:
    https://www.wilderssecurity.com/showpost.php?p=506705&postcount=33

    Some new criteria were added since that post:
    - EQUAL_VALUE1OR2ORMASK to compare with the 2 values and the mask (the mask is considered as a 3rd value)
    - NOTEQUAL_VALUE1AND2ANDMASK
    - EQUAL_MY_MAC => to compare with the MAC address of the ethernet adapter Look 'n' Stop is configured on
    - NOTEQUAL_MY_MAC
    - PORT_LOCAL_IN => in range 1024-5000 for XP and before, in Range 49152-65535 for Vista
    - PORT_LOCAL_OUT => not in range 1024-5000 for XP and before, not in range 49152-65535 for Vista

    Frederic
     
  15. Frederic

    Ok, thanks.
    No problem if it takes some days.

    Yes, please. I would like to understand which bytes are spoofed exactly.

    Frederic
     
  16. Stem

    I have set up L`n`S on an internal LAN.

    Version 2.06p2. I added the ARP raw rules you posted, then set the current ARP allow rule to block (EnhancedRulesSet.rls).

    Setup: Host with L`n`S:
    [image: pc_setup.gif]

    Attacker at 192.168.1.101 [00:03:0D:0F:FE:01]

    Gateway at 192.168.1.1 [00:12:17:B7:A7:EE]


    Current ARP cache on Host shows:

    [image: before.gif]

    ARP spoofed packet from Netcut:

    [image: packet.gif]

    ARP cache after attack:

    [image: after.gif]

    Full DoS.
     
    Last edited: Jan 8, 2008
  17. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Stem

    Does this stop NetCut cutting a connection, Anti NetCut 2?

    Take Care,
    TheQuest :cool:
     
  18. Stem

    Hi TheQuest,

    I did install Anti NetCut, but did not test it; this was due to its attempts to make an FTP download and to take control of the browser to connect to Tools4free.

    I did originally post these findings here.

    Regards,
     
  19. TheQuest

    Hi, Stem

    Thank you for your quick reply.

    Also, I should have done a search. :oops:

    Take Care,
    TheQuest :cool:
     
  20. Frederic

    Hi Stem,

    Thanks for doing this test and providing the full details.

    So, what we need is simply a rule which blocks packets with SPA containing the IP address of the gateway and SHA not containing the MAC address of the gateway.

    Do you consider the IP and MAC address of the gateway to be known and fixed information, so that editing a rule is not a problem, or do you expect the system to get this information completely autonomously?

    For the first case I can provide a rule quickly (to be edited with the raw plugin).
    For the second case it would require more work, because a special plugin would be required.

    Note: I'm surprised Windows uses an incoming ARP Req to fill the ARP table. If it relied only on its own Requests, it would be safer. But maybe this optimization is part of the protocol (I haven't checked).

    Regards,

    Frederic
     
  21. Stem

    Hello Frederic
    Yes, personally, I do prefer to be able to manually manage such entries.

    Regards,
    Stem
     
  22. Phant0m

    Manually binding the gateway IP with the gateway MAC can be done already, and is probably the safest, depending on how soon and where this information is retrieved. This is not very convenient for most users, even with a tutorial. Also, the rule wouldn't be included, or included and enabled and used by default.

    As I suggested before, if Look 'n' Stop could store variables based on anything in a packet header, one of a number of things that could be done is to secure ARP communications from the very beginning. A rule or rules through this means could be included/imported and enabled by default on a global scale and require zero manual configuring. ;)
     
  23. Frederic

    Here is the rule:
    http://looknstop.soft4ever.com/Rules/En/ARP-AntiSpoof.rie

    With the RawRule edition plugin you need to edit fields 2 and 3 to put in the MAC and IP address of your gateway.

    I haven't tested it with NetCut, but I verified it works on some other ARP packets.

    Frederic
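
    The two ARP checks discussed in this thread, written out as an added example in Python (this is not Look 'n' Stop code and not Frederic's .rie rule files): the SPF-style pairing of outbound ARP requests with inbound replies under a timeout described in post 4, and the static gateway IP/MAC binding rule from posts 20 and 23, which blocks the Netcut-style spoofed request Stem captured in post 16. All frames are constructed inline. The gateway and attacker addresses are the ones from Stem's test setup; the host MAC/IP and the 2-second timeout are assumptions.

```python
"""Added example, not Look 'n' Stop code: the two ARP checks from the thread,
run over raw Ethernet frames. Gateway/attacker addresses come from Stem's posted
setup; the host MAC/IP and the reply timeout are assumptions."""
import struct
from typing import Dict, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(op, eth_src, sha, spa, tha, tpa, eth_dst=None) -> bytes:
    """Ethernet II + ARP (IPv4 over Ethernet, 42 bytes). The Ethernet source and
    the SHA are separate arguments because a spoofing tool sets them independently."""
    if eth_dst is None:
        eth_dst = BROADCAST_MAC if op == ARP_REQUEST else tha
    eth = eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields, or None for anything that is not a well-formed
    Ethernet/IPv4 ARP frame (short or odd frames are rejected, not guessed at)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": frame[:6], "eth_src": frame[6:12], "op": op,
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


class ArpReplyTracker:
    """SPF-style pairing from post 4: a broadcast request we send records its TPA
    with a deadline; an inbound reply is accepted only if it is addressed to our
    MAC and its SPA is a pending TPA that has not timed out (one reply per request)."""

    def __init__(self, my_mac: bytes, timeout_s: float = 2.0) -> None:
        self.my_mac, self.timeout_s = my_mac, timeout_s
        self.pending: Dict[bytes, float] = {}

    def outbound(self, frame: bytes, now: float) -> None:
        a = parse_arp(frame)
        if (a and a["op"] == ARP_REQUEST and a["eth_src"] == self.my_mac
                and a["eth_dst"] == BROADCAST_MAC):
            self.pending[a["tpa"]] = now + self.timeout_s

    def inbound_reply_allowed(self, frame: bytes, now: float) -> bool:
        a = parse_arp(frame)
        if not a or a["op"] != ARP_REPLY or a["eth_dst"] != self.my_mac:
            return False
        deadline = self.pending.pop(a["spa"], None)
        return deadline is not None and now <= deadline


def gateway_binding_ok(frame: bytes, gw_ip: bytes, gw_mac: bytes) -> bool:
    """Static anti-spoof rule from posts 20/23: an ARP packet (request or reply)
    whose SPA is the gateway IP must carry the gateway MAC as SHA. Requests are
    covered deliberately: post 16 shows the cache poisoned by a spoofed request,
    which the reply-pairing check above never examines."""
    a = parse_arp(frame)
    if a is None:
        return True             # not ARP: nothing for this rule to decide
    return not (a["spa"] == gw_ip and a["sha"] != gw_mac)


def demo() -> dict:
    """Both checks against constructed frames for the LAN described in post 16."""
    my_mac, my_ip = mac("00:0c:29:aa:bb:cc"), ip("192.168.1.50")   # assumed host
    gw_mac, gw_ip = mac("00:12:17:b7:a7:ee"), ip("192.168.1.1")    # post 16
    att_mac = mac("00:03:0d:0f:fe:01")                             # post 16
    req = build_arp(ARP_REQUEST, my_mac, my_mac, my_ip, ZERO_MAC, gw_ip)
    good_reply = build_arp(ARP_REPLY, gw_mac, gw_mac, gw_ip, my_mac, my_ip)
    stray_reply = build_arp(ARP_REPLY, att_mac, att_mac, ip("192.168.1.200"), my_mac, my_ip)
    # Netcut-style: gateway IP in SPA, attacker MAC in SHA, sent as a unicast request
    spoofed_req = build_arp(ARP_REQUEST, att_mac, att_mac, gw_ip, ZERO_MAC, my_ip, eth_dst=my_mac)
    t1 = ArpReplyTracker(my_mac); t1.outbound(req, now=100.0)
    t2 = ArpReplyTracker(my_mac); t2.outbound(req, now=100.0)
    return {
        "good_reply_in_time": t1.inbound_reply_allowed(good_reply, now=100.5),
        "good_reply_replayed": t1.inbound_reply_allowed(good_reply, now=100.6),
        "good_reply_late": t2.inbound_reply_allowed(good_reply, now=103.0),
        "stray_reply": t1.inbound_reply_allowed(stray_reply, now=100.5),
        "spoofed_req_binding": gateway_binding_ok(spoofed_req, gw_ip, gw_mac),
        "real_gateway_binding": gateway_binding_ok(good_reply, gw_ip, gw_mac),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'allow' if allowed else 'BLOCK'}")
```

    The split between the two functions is the point of the thread: the request/reply pairing alone cannot stop the Netcut packet, because that packet is a request and the pairing rule only judges replies, while the binding rule needs the gateway's MAC and IP edited in by hand, exactly as Frederic's rule requires.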
     
  24. Frederic

    Hi Phant0m,

    If this were implemented, how would you detect that a packet contains the MAC address and IP address of the gateway?
    Typically, on the spoofed ARP packet above, what would prevent the variable from being set to the spoofed MAC address?

    Frederic
     
  25. Phant0m

    - What's the communication type an Internet-configured computer on Ethernet first performs?

    - Create & Read-only... ;)
     