The everlasting ARP attack

Discussion in 'other firewalls' started by bonedriven, Jul 22, 2008.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I have encountered massive ARP attacks these days. My Winarpattack gives nonstop warnings that someone is banning my access to the gateway. Luckily, the noob attacker doesn't do sniffing stuff but just wants to disconnect me.
    It gives me a very good chance to do some tests with somebody's willing help.
    But I can't explain all these strange issues that happened to my computer.

    I use PC Tools firewall currently and Firefox with Torbutton.
    I have done these puzzling tests for some days and got these issues that I can't explain.

    I set a rule in the PCT firewall which blocks all TCP and UDP connections with the attacker's Ethernet address (MAC address), and turned on Winarpattack's protection function. I still get disconnected unless I use Tor to visit sites! Why does Tor survive this ARP attack? After that, I noticed in the firewall log that the rule I created above blocked my outbound connection to the DNS server, which has the same MAC address as the attacker's PC. Maybe that's why I can't visit sites without Tor? So I modified the rule to give an exception allowing remote port 53 (the DNS server port). Then I can surf the net again without Tor. But when he's not attacking me, blocking all TCP and UDP (including the outbound DNS request) won't hinder me from visiting sites. It means my outbound DNS request has something to do with the ARP attack. Why is that?
    In a LAN, is one of the PCs usually set as a DNS server? Then why do they have the same MAC address?
    I have done more tests which just make me more puzzled. I think I'd better hold on here at the moment.
    This thread is only for technical discussion, so let's just stay away from topics like why he wants to attack you.
    P.S. 1. I hope my bad English has made my point clear.
    2. How I wish to have a firewall that can beat ARP attacks.
     
    Last edited: Jul 22, 2008
  2. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Apparently Outpost has a plug-in to help protect against this. Also the old Sygate Pro actually did have some protection against ARP attacks.
     
  3. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Yeah, I have just installed Outpost 2009 and will try it today. However, here's a post from the Outpost forum:
    Link

    Originally Posted by PapaGigas

    Vulnerability in (Ethernet) Attack Detection plug-in:

    Ok, let's just say I am sniffing the LAN wire with a dedicated tool, and suddenly I sniff an ARP request made from a trusted host to another. If I reply to that ARP request (with a spoofed/malicious ARP reply) before the other trusted host does, my reply will be validated by this security feature, and the reply from the trusted host will be dropped, right? How will this prevent a man-in-the-middle attack? Sorry, but it's a vulnerability.

    How to create effective Address Resolution Protocol cache protection:

    The firewall should only accept ARP requests that came through the broadcast address (if an ARP request is received through any address other than ff:ff:ff:ff:ff:ff, that request must be dropped, and the MAC address of the sender's NIC should be blocked/blacklisted).

    The firewall should only accept ARP replies when a previous ARP request was sent out by the localhost into the Local Area Network as a broadcast (any other ARP reply must be dropped, and the MAC address of the sender's NIC should also be blocked/blacklisted).

    The firewall should always block/blacklist any NIC (through its MAC address) that tries to broadcast ARP requests identifying itself with more than x IP addresses in less than x minutes (both parameters should be manually configurable by the user, and the pre-defined values should be something like "1" IP address in less than "60" minutes).

    The firewall should always block/blacklist any NIC (through its MAC address) that replies to an ARP request made by the localhost, in case it detects multiple replies to the same request (this is the only real way of dealing with the man-in-the-middle attack).

    The firewall should warn the users if it detects any unusual behaviour on the wire, so the users could take active/preventive actions (e.g. keep MAC addresses blocked, allow only MAC address A, allow only MAC address B, view/edit the ARP cache, etc.).

    The firewall should have one table to manage the static entries, one other table to manage the dynamic entries, and one last table to manage the blacklisted MAC addresses, so users could have the ability to manage the way ARP cache is updated.

    PS - There are still some vulnerabilities regarding ARP, like attacks made on the switches we use nowadays in our local area networks, so here's a solution:

    The switches/routers should generate and broadcast some sort of security request (throughout their Local Area Networks) every time they detect any change made to their addressing table. Those broadcast requests should ask the entire Local Area Network which hosts are currently using the Media Access Control addresses that have just tried to change their entries in the switch/router's addressing table (tried, but didn't succeed, lol, at least not yet; first the switches/routers need to make their own little security check), and wait to see if they get multiple replies to the same request (within a certain amount of time), so they can guarantee for sure that the packages received are really authentic packages from trusted hosts in the network.

    If a switch/router detects more than one reply to the same security request that it had previously broadcast, it would need to perform a check within its addressing table to find which of those Network Interface Cards was previously on it, so that traffic could be allowed only to that single Network Interface Card, and block/blacklist any other Network Interface Cards that tried to spoof their Media Access Control addresses in order to take advantage of the several Address Resolution Protocol weaknesses (as you said: "ARP does not use any digital signatures or certificates for verification").

    If a switch/router blocked/blacklisted all the Network Interface Cards that responded simultaneously to its request, it would cause a Denial of Service to one of the trusted hosts within its own Local Area Network, but on the other hand, if it doesn't block any Network Interface Card at all, it wouldn't be doing much (from a security point of view). So I guess my solution is the best one to apply for now, while trying to prevent this kind of exploitation from happening within our day-to-day networked environments (in conjunction with the preventive measures I mentioned in my quote/report).


    There are still some features that need to be implemented along with this, such as:

    Rollback function: In case a malicious host tries to impersonate a trusted one (while the system is rebooting, or in case a Denial of Service attack was made to that same host), the router should rollback its entries on the addressing table (if that Network Interface Card appears to be on its “original” position).

    Admin report function: In case the router detects any unusual behaviour on its wire, the administrator should get some sort of warning from it (so he could deal with the situation as soon as possible, preventing worst case scenarios from happening).


    By the way, I know that switches (like hubs) don't have physical addresses, so why not just use switch/routers instead of switches (like in the old switch vs. hub discussion, where security and cost effectiveness were two of the main reasons why people changed their hardware), so they could detect/prevent Media Access Control spoofing (as I previously explained)?


    Last but not least, I really hope I have made myself clear (because I know my English is a little bit hard to get, lol). I must re-affirm that I am Portuguese, so I guess that would be normal (normal for me, and for all the Portuguese who frequent this space, lol, there are loads of us).

    With my best regards,
    PapaGigas


    Since that was related to the old version of Outpost, I do have some confidence in Outpost 2009. We'll see today.
    By the way, I remember Stem said only binding IP to MAC works as a final solution and Jetico v2 is the only firewall that can do it. If Stem reads this post, can you confirm it?
     
    Last edited: Jul 22, 2008
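The six rules in the quoted PapaGigas post, turned into a small stateful ARP filter so the trade-offs can be exercised on the desk. This is an added example written for this page, not code from Outpost, PapaGigas or anyone else in the thread; the ArpGuard class, its ArpFrame record and every MAC and IP address below are assumptions constructed for the demonstration, not captured traffic.

```python
# Added example: stateful ARP filter after the PapaGigas rule list
# (broadcast-only requests, replies only to our own outstanding requests,
# per-MAC IP-claim limit, conflicting-reply detection, MAC blacklist).
# Not Outpost's code; frames are constructed in-memory records.
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    op: str          # "request" or "reply"
    eth_dst: str     # destination MAC in the Ethernet header
    sender_mac: str  # MAC the sender claims to own
    sender_ip: str   # IP the sender claims to own
    target_ip: str   # IP being asked about / host being answered
    ts: float        # arrival time in seconds


class ArpGuard:
    def __init__(self, max_ips=1, window=3600.0):
        self.max_ips = max_ips            # "x IP addresses" in the proposal
        self.window = window              # "in less than x minutes", as seconds
        self.pending = {}                 # IP we asked about -> replying MACs
        self.cache = {}                   # accepted IP -> MAC bindings
        self.blacklist = set()
        self.claims = defaultdict(list)   # sender_mac -> [(ts, claimed IP)]
        self.alerts = []                  # the "warn the user" rule

    def _ban(self, mac, reason):
        self.blacklist.add(mac)
        self.alerts.append(f"blacklisted {mac}: {reason}")

    def local_request(self, target_ip):
        """Record that this host itself broadcast a who-has for target_ip."""
        self.pending[target_ip] = []

    def handle(self, f):
        """Return a decision string for one ARP frame seen on the wire."""
        if f.sender_mac in self.blacklist:
            return "drop:blacklisted"
        if f.op == "request":
            # Rule 1: requests must arrive via the broadcast address.
            if f.eth_dst != BROADCAST:
                self._ban(f.sender_mac, "unicast ARP request")
                return "drop:unicast-request"
            # Rule 3: one MAC may not claim more than max_ips inside the window.
            self.claims[f.sender_mac].append((f.ts, f.sender_ip))
            recent = {ip for t, ip in self.claims[f.sender_mac]
                      if f.ts - t <= self.window}
            if len(recent) > self.max_ips:
                self._ban(f.sender_mac, f"claimed {len(recent)} IPs in window")
                return "drop:too-many-ips"
            return "accept:request"
        if f.op == "reply":
            # Rule 2: accept only replies to a request we actually sent.
            replies = self.pending.get(f.sender_ip)
            if replies is None:
                self._ban(f.sender_mac, "unsolicited reply")
                return "drop:unsolicited-reply"
            replies.append(f.sender_mac)
            # Rule 4: more than one distinct responder -> blacklist them all and
            # forget the binding (the DoS trade-off the proposal itself admits).
            if len(set(replies)) > 1:
                for mac in set(replies):
                    self._ban(mac, f"conflicting replies for {f.sender_ip}")
                self.cache.pop(f.sender_ip, None)
                return "drop:conflicting-replies"
            self.cache[f.sender_ip] = f.sender_mac
            return "accept:reply"
        return "drop:unknown-op"


def conflicting_reply_scenario():
    """Two hosts answer our who-has for the gateway; both end up blacklisted."""
    g = ArpGuard()
    g.local_request("192.168.1.1")
    first = g.handle(ArpFrame("reply", "00:11:22:33:44:55", "aa:aa:aa:aa:aa:aa",
                              "192.168.1.1", "192.168.1.10", 0.1))
    second = g.handle(ArpFrame("reply", "00:11:22:33:44:55", "bb:bb:bb:bb:bb:bb",
                               "192.168.1.1", "192.168.1.10", 0.2))
    return first, second, sorted(g.blacklist), "192.168.1.1" in g.cache


def rate_limit_scenario():
    """One MAC claiming a second IP inside the window gets blacklisted."""
    g = ArpGuard(max_ips=1, window=60.0)
    mac = "cc:cc:cc:cc:cc:cc"
    return [g.handle(ArpFrame("request", BROADCAST, mac, "10.0.0.5", "10.0.0.1", 0.0)),
            g.handle(ArpFrame("request", BROADCAST, mac, "10.0.0.6", "10.0.0.1", 10.0)),
            g.handle(ArpFrame("request", BROADCAST, mac, "10.0.0.5", "10.0.0.1", 100.0))]


def unsolicited_scenarios():
    """A reply nobody asked for, then a request sent unicast instead of broadcast."""
    g = ArpGuard()
    return [g.handle(ArpFrame("reply", "00:11:22:33:44:55", "dd:dd:dd:dd:dd:dd",
                              "192.168.1.1", "192.168.1.10", 0.0)),
            g.handle(ArpFrame("request", "00:11:22:33:44:55", "ee:ee:ee:ee:ee:ee",
                              "192.168.1.20", "192.168.1.10", 0.0))]


if __name__ == "__main__":
    print(conflicting_reply_scenario())
    print(rate_limit_scenario())
    print(unsolicited_scenarios())
```

Running the three scenarios shows the two costs the quoted post already concedes: rule 4 blacklists the genuine gateway together with the impostor (which is exactly the kind of self-inflicted outage bonedriven reports when his DNS requests stop), and rule 2 rejects a gratuitous ARP from a gateway that has just rebooted, so a real product needs a static-entry table and a user alert rather than silent blacklisting.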
  4. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi all,

    I'm back with 3 snapshots taken during an attack.
    These are from Outpost firewall 2009 Event Viewer:

    The firewall detected the attack and blocked that Ethernet address. However, I can't surf the web anymore because my DNS requests are blocked too. They have the same MAC address.
     
    Last edited: Jul 23, 2008
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    Irrelevant for most home setups. Unless you got someone sniffing your cables ... in which case ARP is the least of your problems.

    It is quite likely that the DNS server is also the DHCP server. It will send occasional who-has arp broadcasts, and if you block them, you may inadvertently blacklist yourself off the DHCP lease, at the ISP side.

    The chances someone will spoof the DNS are not that high. If your ISP is semi-serious, they will make sure this doesn't happen.

    If you wanna be cool, install Linux, install arp-watch and study the network. tcpdump also works for monitoring traffic.

    Mrk
     
  6. wat0114

    wat0114 Guest

    I agree with Mrk on this assessment. Maybe it is an attack, but it is also possible that they are legit broadcasts, imo. If I remove my NAT router from my connection and go directly to my modem, using Wireshark I see streaming broadcasts, one after another, constantly, mainly because the connection to my ISP is like one big happy LAN. This is one of the reasons routers are great, because they will block all this Internet "noise".

    I knew this thread was around somewhere. Check out my post 3 for what I mean.
     
    Last edited by a moderator: Jul 23, 2008
  7. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    NO! NO! NO! :mad:
    It is neither noise, nor a false positive!
    Because I know who is attacking me. I know his name, what clothes he's wearing today and at what time he's using the PC to attack.
    Is that enough to prove this is an attack?
     
    Last edited: Jul 23, 2008
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Simple: report this to ISP, police.
    End of story.
    Mrk
     
  9. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    I thought of the same thing, but I think he wants to defeat this guy ;)
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Change the IP? Unplug the line?
    Use static ARP assignments?
    All simple solutions...
    Mrk
     
  11. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    What about telling his mom? :mad:

    I have changed my DNS server to another one from opendns.com.

    Maybe it'll solve the problem. If it does, I must say Outpost does a good job against ARP attacks, at least normal ARP attacks. :)
     
  12. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Which version of Outpost are you using? Also, does Comodo version 3 have ARP protection? I just recently installed Sygate Pro 3408 version and suspect this old firewall did indeed offer ARP protection of some sort. I agree with the author of this thread: don't write off ARP attacks as network "noise", and PLEASE NO LINUX.
     
  13. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Comodo v3 has ARP protection.
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    A lot of FWs claim anti-ARP protection. Though, I have never seen a single one that would really do it. Do not believe the claims; check everything on your own. As for me, I just do not believe Comodo really can protect from a sophisticated ARP attack. All it can do is just filter some ARP messages. But until it shows a way (at least theoretical) to prevent gateway spoofing with your fake MAC addr, I do not believe those claims.
     
  15. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Would you mind sharing why Comodo does not protect from ARP attacks? I don't use Comodo so it doesn't really concern me, but I am just curious.
     
  16. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Yes please tell us your data to back this up.
     
  17. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I have to agree with alex_s here.

    Outpost has failed against this ARP attack.
    Yesterday the attacker changed to another PC to do the attack just so I wouldn't know who attacked me (he is a noob about internet tech, as I have said before). He had used someone else's PC to do the attack; now he uses his own.
    Why do I say Outpost failed?
    1. It is not that the attacker is using the DNS server to attack; it is that he successfully spoofed my system into thinking his computer is the gateway. When he used his own PC to attack, Outpost blocked the MAC address. I can't surf because DNS requests were blocked again, as shown in the firewall log. I have to disable the "block intruder for X mins" function to avoid cutting off my own DNS requests.
    2. Outpost reports many "Gateway doing an ARP-scan attack" events. Actually it shows my system has already accepted the wrong IP-MAC pair. Fortunately, Outpost wisely recognized it was the gateway and didn't block it even if you turn on "block intruder for X mins". However, all my packets which are supposed to go to the gateway have already gone to the attacker's PC. If he's not a noob who just wants to cut my net, he would sniff, or he could use his firewall to block my IP and then he could successfully cut my net.

    Comodo has less protection against ARP than Outpost. It has only two functions about ARP: 1. Protect the ARP cache. 2. Block gratuitous ARP frames. However, you can create rules based on Ethernet address. Although I haven't tried it in an ARP attack, I think it's worse than Outpost in this aspect.
     
    Last edited: Jul 24, 2008
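The two points in bonedriven's post above, modelled end to end: a poisoned gateway entry makes every off-subnet frame (the DNS query included) carry the attacker's MAC, so a firewall rule that blocks that MAC also blocks DNS; a static gateway binding of the kind Stem and pandlouk mention refuses the poisoned entry instead. This is an added example written for this page, not Outpost's logic and not code posted in the thread; the Host class, the 192.168.1.0/24 subnet and every MAC and IP address in it are constructed assumptions.

```python
# Added example: why a MAC block on the attacker also cut DNS, and how a pinned
# (static) gateway binding refuses the poisoned entry. Not Outpost's code and
# not from the thread; all addresses below are constructed for the demo.
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"   # constructed: the real gateway
ATTACKER_MAC = "de:ad:be:ef:00:01"  # constructed: the host poisoning the cache
DNS_IP = "198.51.100.53"            # constructed: an off-subnet resolver


class Host:
    def __init__(self, lan, gateway_ip, pinned=None):
        self.lan = lan
        self.gateway_ip = gateway_ip
        self.arp = {}                      # dynamic ARP cache: IP -> MAC
        self.pinned = dict(pinned or {})   # static bindings that never change
        self.alerts = []

    def observe_arp(self, ip, mac):
        """Learn an IP->MAC pair the way the OS cache would, except that a
        pinned entry is never overwritten; any change or conflict is logged."""
        expected = self.pinned.get(ip)
        if expected is not None and expected != mac:
            self.alerts.append(f"{ip} claimed by {mac}, pinned to {expected}")
            return False
        old = self.arp.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.arp[ip] = mac
        return True

    def next_hop_mac(self, dst_ip):
        """Destination MAC of a frame to dst_ip: the host itself when on-link,
        otherwise whatever the cache currently holds for the gateway."""
        on_link = ipaddress.ip_address(dst_ip) in self.lan
        return self.arp.get(dst_ip if on_link else self.gateway_ip)


def dns_blocked_by_mac_rule(host, blocked_macs):
    """True when a firewall rule blocking traffic to blocked_macs would also
    drop this host's own DNS queries."""
    return host.next_hop_mac(DNS_IP) in blocked_macs


def unpinned_scenario():
    """Dynamic cache: the poisoned reply wins, DNS frames now go to the attacker,
    so a MAC block rule against the attacker silently kills DNS as well."""
    h = Host(LAN, GATEWAY_IP)
    h.observe_arp(GATEWAY_IP, GATEWAY_MAC)     # legitimate learning
    h.observe_arp(GATEWAY_IP, ATTACKER_MAC)    # poisoned entry accepted
    return h.next_hop_mac(DNS_IP), dns_blocked_by_mac_rule(h, {ATTACKER_MAC}), h.alerts


def pinned_scenario():
    """Static binding for the gateway: the poisoned reply is refused and logged,
    and DNS keeps going to the real gateway."""
    h = Host(LAN, GATEWAY_IP, pinned={GATEWAY_IP: GATEWAY_MAC})
    h.observe_arp(GATEWAY_IP, GATEWAY_MAC)
    accepted = h.observe_arp(GATEWAY_IP, ATTACKER_MAC)
    return accepted, h.next_hop_mac(DNS_IP), dns_blocked_by_mac_rule(h, {ATTACKER_MAC}), h.alerts


if __name__ == "__main__":
    print("dynamic cache:", unpinned_scenario())
    print("pinned gateway:", pinned_scenario())
```

The unpinned run reproduces the log symptom exactly: the DNS server's MAC in the firewall log "is" the attacker's MAC because the DNS server sits beyond the gateway and the gateway entry has been rewritten, so a rule keyed on that MAC cannot distinguish the two. The pinned run is what an arpwatch-style monitor or a static entry gives you: the change is refused and an alert records who tried; on Windows the equivalent of the pinned dict is a static entry created with arp -s for the gateway address, which Outpost's "block intruder for X mins" rule then never needs to touch.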
  18. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Search and read these, BD; they may help you understand your adversary's tactics .... MAC Address and ARP Spoofing - antionline.com, ArpON ARP Handler Detect and Block ARP Poisoning Spoofing - darknet.org.uk, A Quick Intro to Sniffers - irongeek.com (site with several penetration testing videos including the use of ettercap) and The Ingredients to ARP Poison - informit.com. Unless the proactive kind of help and direction I suspect you're after arrives in a time that's satisfactory for your needs, I'd suggest asking elsewhere (you'll know where after reading through the content).

    S
     
  19. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Ok, I read up on ARP attacks. I'll bet that was happening to me too. Comodo 3 whatever latest stopped it. Comodo is now a really good firewall again. Glad to come back to it.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,216
    Hi, Wat0114.
    I need some advice. I have an Edimax ADSL 2+ AR7084A router (the NAT router is always enabled by default); is there any possible way that I can simply use Outpost to block all incoming connections instead of NAT?
    I have to completely disable NAT to do that, but when I did this all the network traffic was blocked; I couldn't surf.
    Basically, what I really want is for Outpost to block attacks and incoming/outgoing connections without NAT.
    Is this possible?
    Thanks.
    I just want to test Outpost Pro with something I've come up with.
     
  21. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hey, off topic!!
     
  22. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Thanks for the links! Lots of ARP related stuff to learn.
     
  23. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi CoolWebSearch,

    Out of courtesy, you should open your post as a new thread. Perhaps - "Ping wat0114"


    S
     
  24. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    Is this whole thread a joke or what?
    Are you and your friend on an ISP LAN, a private LAN or a public LAN?

    If you are on an ISP I would advise you to stop fooling around or sooner or later you will be contacted by the ISP's lawyers. Any decent ISP should have already blocked your "friend's" connection and started legal procedures!

    ARP spoofing can be prevented by the network administrator. So if you are on a LAN, talk to your network admin and tell him to enforce the network by binding IP addresses to MAC addresses.

    If this is only a game, there are 1-2 ways of preventing ARP spoofing but they are not legal, since you will attack the network too and will "take down" the DHCP server. Or you can try AntiArp, but I doubt it will help.

    ps. I am surprised that this thread is not already locked by a moderator.

    Panagiotis
     
    Last edited: Jul 25, 2008
  25. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I'm not coming to ask whom I should call, the police or his mom.
    I don't see anything wrong with this thread. If you don't like it, just don't read it.
     