ARP Spoofed packets [split posts]

Discussion in 'other firewalls' started by vijayind, May 3, 2009.

Thread Status:
Not open for further replies.
  1. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hi Stem,
    I need your advice.
    I experience real cuts of net service many times per day,
    despite Outpost 6.5 attack detection being set to maximum.
    I think this is a kind of DoS attack from one PC on the public wireless LAN.

    In the Outpost log, I find the following:
    "unwanted arp replies from "192.168.1.103" host not blocked"

    Why did Outpost not identify this DoS attack (if this is really a DoS attack, I don't know)?

    Why is there no possibility to block the intruder, even though in the attack detection settings I set it to block the intruder for 5 min?

    I guess this is an atypical DoS attack using a program other than the well-known members (netcut, winarp spoofer, etc.), a sniffer that I don't know.
     
    Last edited: May 13, 2009
  2. minoka

    minoka Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    50
  3. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    minoka,
    thanks for your interest,
    but in fact it's a completely different situation.

    In the 1st situation
    I know exactly the other spoofing host and the spoofing program (both netcut and winarp spoofer), and we were doing this with my friend on the same public LAN as a test.

    And BTW I was in contact with Agnitum and I gave them full details (an email of 3 pages with some screenshots, a debug log and the configuration file),
    and they promised they will analyse this and tell me if it's due to a faulty configuration or a bug in Outpost.

    But in this situation
    - I am really disconnected for minutes from internet service
    - the attack detection log is referring to one host (a certain one) every time I'm disconnected, with the exact IP address
    - 3rd, I don't find a single reason why the host is not blocked

    Also I have a question for you:
    although Outpost 6.5 and 3.5 both have the same ARP protection settings (almost the same settings page),
    what about the ARP rules which lie behind these settings: are the rules different in both versions?
    Is there a method to explore these hidden rules?

    Thanks again
     
    Last edited: May 13, 2009
  4. minoka

    minoka Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    50
    Hi hany3,

    About the last paragraph of your post above. I am not sure I understand what you mean with "hidden rules".
    In any case, I am not an expert where these attacks are concerned, so I have relied on Paranoid2000's FAQ about Arp filtering (over at the Outpost Firewall forum) and Agnitum's own documentation about the same.
    Would you like me to post links to these?
     
  5. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Yes please,
    that will be very kind of you.

    BTW, when I used earlier versions of Outpost 6.0 there was an option in the right-click menu over the system tray allowing the user to instantly switch between normal and background startup modes, but in the latest version I don't see that option in the right-click menu.
     
  6. minoka

    minoka Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    50
    I do not see an option to switch between normal and background modes either, sorry but I do not remember what options the icon right-click offered in pre OP 6 versions.

    The links:
    Paranoid2000's ARP Faq:
    http://www.outpostfirewall.com/forum/showthread.php?t=15061#arp-faq
    (this is part of the OP 3 - What to expect thread)
    Agnitum's documentation about ARP (also per v 3) is linked to in the faq above.

    Since there have not been any changes in faq and documentation, I am assuming contents still apply to OP 6.

    This Agnitum KB article describes the main attacks that Outpost protects from, and it covers the 2009 series.

    As I said, I am not an expert at this, so stem or someone else will, hopefully, answer your specific questions.
     
  7. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Thanks for the links, I'll check them right now.

    About my question, I googled the answer now:
    when I right-click on the system tray and choose exit, it still gives me the option to switch to the background mode instead of an actual exit.
     
  8. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    VPN Tunneling here
    Domain Network here

    Time IP address From MAC address Conflicting MAC address Rule
    2009-05-11 20:12:15 10.10.0.1 00-00-00-00-00-00 ARP Rule

    Attacking from another router into my network... Test.. Blocked

    What you all have to worry about is the new SSL that can break into your system and bypass the router. Public gateways, more like an airport or hotspot.
     
  9. minoka

    minoka Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    50
    hany3,

    You wrote
    . I thought you meant OP's icon directly :) If you choose the option Exit from that right-click submenu, then yes, there is a choice there (similar to the one offered when choosing suspend protection).
    Glad you found the option though!
     
  10. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    It is possible through questioning to find faults and theoretical problems in anyone's computer setup. Speculation is of limited value and can be deceptive until actual tests are performed.

    I want to perform tests in front of a router to establish whether I am being spoofed. Does this have anything to do with my computer setup?
     
  11. vinaygjain

    vinaygjain Registered Member

    Joined:
    May 14, 2009
    Posts:
    1
    Location:
    Visakhapatnam, India
    Hey Stem...
    this might not be the correct place to ask... but still...

    I read the discussion between you and fedreiek on IP/MAC binding... it was very useful...

    I need help now...

    I am about to start a project on WiFi security... I want to implement IP/MAC binding...

    Can you send me any material or tutorials or any documentation regarding it, or links to websites etc...

    vinay.g.jain {at} gmail.com
     
  12. A Tester

    A Tester Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    11
    Hey!

    I am totally non-professional in these issues, but interested about this "stuff".

    A freeware software called Seconfig XP states this about it:
    - Can protect Windows side against most ARP spoofing/poisoning attacks.

    How good is this protection really?
     
    Last edited: May 19, 2009