Avoiding ARP spoofing attack

From Notes_Wiki
Revision as of 10:43, 23 June 2013 by Saurabh (talk | contribs)

<yambe:breadcrumb>Security tips</yambe:breadcrumb>

Avoiding ARP spoofing attack

ARP spoofing attacks are very easy to perform, especially since tools like 'Cain & Abel' which allow script kiddies who do not even understand ARP to perform spoofing attacks. It also generates fake SSL certificates and performs SSL man-in-the-middle attack which can work on novice users who accept self-signed certificates even for websites like gmail.com / bank websites.

To avoid getting affected from ARP spoofing attack static entry for gateway MAC address can be added in ARP cache. To add an ARP entry to ARP table use:

arp -s 10.5.1.1 00:1D:46:8C:21:C8 `sleep 200` &

Here, sleep 200 is introduced so that if network connection is performed by network manager after login, then the entry is added after user is actually connected to LAN. If above command is executed before IP is obtained from DHCP then the command would fail. The command would also fail if the IP obtained in not in 10.5.1.0/24 range. Hence it is important that we use 'sleep 200' to make command wait for about 3 minutes before it takes effect. Other option is to have a loop such as:

while true; do
   arp -s 10.5.1.1 00:1D:46:8C:21:C8 
   sleep 60
done &

Note that the entry will get removed after reboot. Hence the above command should be added in file '/etc/rc.d/rc.local' so that entry is automatically added after reboot.


<yambe:breadcrumb>Security tips</yambe:breadcrumb>