Please Help!! Why Do My Anti-ARP SPOOF RULES NOT WORK?!

Discussion in 'LnS English Forum' started by Kaelthas, Oct 6, 2007.

Thread Status:
Not open for further replies.
  1. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Hi, my pals!
    Recently there have been a lot of ARP attacks in my LAN, so I edited my own LnS rules with the RAW plugin and Packetyzer, but it simply doesn't work. If I apply "1 arp OUT" and "2 arp REPLY" with "ARP : Authorize all ARP packets", my internet connection goes down; there are a lot of ARP packets blocked between my router and PC. If I apply "---1 ARP OUT", "+ 2 ARP IN" and "ARP : Authorize all ARP packets", the result is the same. I've tried for the whole night and still can NOT figure out what the problem is. My Net: WAN > Router > PC

    And I use Phant0m's v8; I attached my rules, LnS screenshots and Packetyzer's cap as well!!

    Thanks in advance!!

    Kael
     

    Attached Files:

    Last edited: Oct 6, 2007
  2. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Maybe you lack the rule to reply to ARP requests, but I suggest only two rules to deal with the ARP poison attack: one is to block ARP replies not from your gateway, which helps protect your ARP table; the other is to allow all.
    You know, any protection applied at the endpoint is limited; these two rules are enough. You'd better use some tool to notify you when an attack begins, and find out the source.
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Kaelthas :)

    ARP Attack you say... okay.

    1)

    What kind of LAN is your PC connected to?
    Home LAN, corporate LAN, a university LAN?

    Is it a portable PC, sometimes connected to your ISP and sometimes connected to a LAN?

    2)

    You uploaded a Packetyzer capture session, which is a good idea, but no LnS log... It's easier to work with this log.
    (BTW: the raw log is better since it can be imported into a spreadsheet for processing...)

    3) There is an anti-MAC spoofing rule in this rules set: +Anti-MAC Addr Spoofing

    Is this rule not enough to prevent spoofed ARP packets carrying a false MAC address of your PC?

    As far as I know, ARP/MAC anti-spoofing must be controlled at the level of the LAN server, not at the level of workstations...

    Many routers have an option to bind all workstations' local IP addresses to their MAC addresses and therefore prevent any spoofing and the like...

    This setup is possible when workstations have a fixed IP address, which is not possible in large corporate or institution LANs (hence my 1st question).

    Linksys Router BEFSX41v2 Local IP / MAC


    :)
     
    Last edited: Oct 7, 2007
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Climenole,

    The rule '+Anti-MAC Addr Spoofing' has only one purpose: to block packets containing the victim's MAC addy in the source section... ARP securing requires a bit more work, but isn't difficult to do.

    ARP attacks can be easily controlled at the workstation... ;)
     
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Phant0m :)

    Happy to see you here.

    It's simpler to control this at the server level, IMHO... but if the PC is connected to a corporate or institution LAN with dynamic local IP addresses, another layer of protection at the workstation level is a good idea.

    Since you're working on these issues further than me, you'll be able to give a solution to Kaelthas here or in your Mt-Olympus forum, which is, I guess, the right place to ask questions about your famous Phant0m rules set...

    Have a nice day.

    :)
     
  6. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    The rule '+Anti-MAC Addr Spoofing' is not needed when you use the rule "block the reply not from my gateway". The loss of connection means either your ARP table or the gateway's has been changed to the wrong one. I found there is a useful tool to protect your local ARP table; at the same time, it broadcasts (request or reply) your MAC address when an attack begins. But if the attack frequency is too high, or it uses a randomly generated address each time, it is very difficult to watch and sniff for the possible source; it is a kind of DoS attack.
     
  7. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Climenole,
    Thank you for your reply!
    1) My PC is in a university LAN, behind a router that is permanently connected to the internet.
    2) I have uploaded LnS's raw log in my attachment, as you requested.
    3) As Phant0m pointed out, the "+Anti-MAC Addr Spoofing" rule won't work; I have tried.


    Kael'thas
     

    Attached Files:

  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Is there a reason why you haven't bothered posting the rule details or attaching an importable rules file containing the rule which "blocks the reply not from my gateway"?

    I know it sounds so simple and easy, but for the majority who use routers while also sharing the Internet with another machine or two, you're going to find that blocking any ARP reply that's not from the person's gateway will be problematic, to say the least... for those who want to do File and Printer sharing. :p

     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    "+Anti-MAC Addr Spoofing" rule will only be triggered if someone spoof your MAC addy..., having your MAC addy showing for source where it should be only showing for destination.

    You'll find that you'll be overwhelmed more by LAN attacks using random MAC sources.

    Kaelthas, don't block the Router ARP Requests... :D
     
  10. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Kaelthas :)

    You say you're in a university LAN. In such a local network, AFAIK, the local IPs of workstations are dynamic, not static; therefore rules like these ones will block communication between your PC and the LAN but will not prevent any IP/MAC spoofing!


    Home Router Range
    Ethernet type: all
    Protocols: all
    Packets: in and out

    IP range between 192.168.0.3 to 192.168.0.253

    and this one: Home Router 255
    Ethernet type: all
    Protocols: all
    Packets: in and out

    IP 192.168.0.255

    ARP (Address Resolution Protocol) is used to resolve IP/MAC addresses.

    ARP spoofing consists in sending ARP packets over a LAN with forged IP/MAC addresses to fool the network. The idea is to associate the IP address of a workstation (yours, for example) with the MAC address of the attacker's workstation, OR to generate a denial of service for the targeted workstation with packets associating the targeted workstation's IP with a non-existent MAC address.

    In a small LAN it's possible to prevent this by keeping a permanent link between the static IP addresses of workstations and their MAC addresses. Most routers have such a feature...

    In a large LAN like the one you are connected to, it's most of the time impossible to give a static IP address to each workstation, and the method I mentioned previously won't work.

    How to prevent this in such a LAN? I don't know: this is outside the scope of my knowledge and skills.

    But I'm sure the way you're trying to prevent ARP spoofing is wrong.

    Since you're using the Phant0m rules set, may I suggest you ask this question directly to the author of these rules in his forum at Mt-Olympus?

    There: Mount Olympus Forum

    Phant0m tells us it's easy to control this at the workstation level, and I'm pretty sure he's right and has the solution for you.

    I can't help you more than this since:

    I don't have enough knowledge of these wide LAN issues
    I haven't used Phant0m's recent payware rules set and installer
    and I'm a bit too lazy to study both wide LAN issues and the Phant0m R.S. ;)

    Here are my suggestions:

    Ask the author of your paid rules set to help you at his forum
    and
    Talk to the sysadmin of the university about this ARP problem.
    He is part of the solution, isn't he?

    Last friendly remark: you posted here the recent Phant0m rules set, which is part of the Phant0m Rules & Installer.
    Normally access to these rules must be reserved for Phant0m's clients, not everybody...

    :)
     
  11. Kaelthas

    Kaelthas Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    20
    Climenole,
    Thank you for your reply! I did NOT know what you've pointed out, because I thought no one could use my OWN rule set without installing it; please delete my
    rule set and Packetyzer's cap for me, thank you!!


    Hi, Phant0m,
    Thank you for your reply. I am sorry for posting my rule sets here, because I thought nobody could use them without installing.
    There are many guys in my LAN at the university who do NOT care
    about their own and others' online security and safety; their PCs, infected by drive-by downloaded VIRUSES and TROJANS, are always attacking me and consuming the bandwidth, and I can do nothing about it but block any traffic
    from them, nor share any files with them -- you know how silly MS has been --
    Windows automatically opens many background services by default.

    Thank you, the rules are now complete, and no more ARP poisoning. But I just wonder why I cannot use RAW rules (I mean "1 arp OUT" and "2 arp REPLY")? The log entry appeared only once and never shows up again; why? So I have to use normal rules. o_O

    Kael'thas o_O o_O
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Kaelthas,

    ~Comment~
    Normally, in a setup like yours (untrusted LAN), I would place a static ARP entry for the gateway (router), then block all ARP.

    There are a number of available (free) tools that can easily DoS via ARP... the only 100% protection is to block all.

    A static ARP entry can be made via the command window (Windows Start ~ Run ~ [type] CMD; in the popup window, type ARP -s [IP] [eth (MAC) address]).
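An added example, not from this thread or from the LnS/Phant0m rules, that applies the policy the posters converge on as a packet filter in Python: ARP requests pass (so the router's requests are never blocked), a reply claiming the gateway's IP is accepted only when it carries the pinned gateway MAC (ink's "block the reply not from my gateway" rule, using the same IP/MAC binding that Stem's static ARP entry fixes), and, as an extra consistency check beyond the thread, frames whose ARP sender MAC disagrees with the Ethernet source are dropped. All addresses and frames are constructed sample values.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Constructed demo values: the gateway binding a workstation would pin with "arp -s".
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "00:11:22:33:44:55"

def _mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip_bytes(s): return bytes(int(x) for x in s.split("."))
def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _ip_str(b): return ".".join(str(x) for x in b)

def build_arp(eth_src, oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Assemble an Ethernet II + ARP frame; used here only to construct sample input."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return (eth_src, oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    _dst, src, ethtype = struct.unpack("!6s6sH", frame[:14])
    if ethtype != ETH_P_ARP:
        return None
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if fields[:4] != (1, 0x0800, 6, 4):        # Ethernet/IPv4 ARP only
        return None
    return _mac_str(src), fields[4], _mac_str(fields[5]), _ip_str(fields[6])

def verdict(frame):
    """'allow' or 'block' for ARP frames, 'ignore' for anything else."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "ignore"
    eth_src, oper, sender_mac, sender_ip = parsed
    if sender_mac != eth_src:              # ARP body disagrees with the frame header
        return "block"
    if oper == ARP_REPLY and sender_ip == GATEWAY_IP and sender_mac != GATEWAY_MAC:
        return "block"                     # another station claims the gateway's IP
    return "allow"                         # requests (the router's included) and other replies pass

MY_MAC, MY_IP, ATTACKER_MAC = "00:aa:bb:cc:dd:01", "192.168.0.10", "de:ad:be:ef:00:01"  # constructed
SAMPLES = {
    "router asks who has my IP": build_arp(GATEWAY_MAC, ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", MY_IP),
    "genuine gateway reply": build_arp(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, MY_MAC, MY_IP, eth_dst=MY_MAC),
    "poisoned gateway reply": build_arp(ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, MY_MAC, MY_IP, eth_dst=MY_MAC),
    "header/body mismatch": build_arp(ATTACKER_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, MY_MAC, MY_IP, eth_dst=MY_MAC),
}
```

Feeding `verdict` each entry of `SAMPLES` yields allow, allow, block, block; as Phant0m notes, this still lets other hosts' replies through, so file and printer sharing with LAN neighbours keeps working.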
     