Thursday, January 20, 2011

How to prevent / detect ARP poison rooting attacks?

Although we have not had any first-hand experience with these kind of attacks (as far as we know of) I would like to know how to prevent them from happening as much as possible. I mostly use my personal laptop myself and also take it to clients when I'm on the road. I have used the XArp on my laptop before to monitor suspicious behaviour on the network but have not encountered any.

  • Is APR at all a security risk to take into account in small business setups?
  • If so, what are the main risks and how can one optimally counter them?
  • When connecting to a foreign network (for example, when on location at at client), should I consider this risk and what could I possibly do to counter it?
  • The likelihood of these types of attacks increases if the information passing through your network is valuable and others know it exists.

    The risks are that information can be stolen. This information could be used to damage your IT infrastructure or damage your company's business if it is trade secrets, client lists, or similar information.

    When connecting to a foreign network, always use encryption. Use VPN connections and https websites. If that data is encrypted, even if the attacker is getting your data, it will be incredibly difficult to use. Remember that programs on computers like to run in the background and pass data such as usernames and passwords.

    I highly suggest getting Wireshark and examining the data that passes through your network connection. Browse some webpages, open some applications, etc. and see if you can see information in the packets that you would not want someone to know such as your password or an internal company website.

    If you really want to know what can be done to counter these type of attacks locally, I'd suggest the book LAN Switch Security: What Hackers Know About Your Switches.

    From Joseph
  • use a VPN or encryption to prevent people from sniffing your traffic in a hostile environment. you can also make a static arp entry in your windows machine if you know the right MAC address of the router with:

    arp -s <gw_ip> <gw_mac>
    

    at my environment i have a software called arpwatch on the firewall to see if someone play tricks on my network.

    you can also consider implementing somekind of NAC(Network Access Control) at your Switches to prevent unauthorized clients on your network.

    From quentin
  • Address Resolution Protocol (ARP), because of its simpleness, fastness, and effectiveness, is becoming increasingly popular among internet raggers, thus causing severe influence to the internet environment.

    ARP spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that indeed make use of ARP and not another method.

    With Ax3soft Sax2, we can quickly and accurately locate ARP source when ARP spoofing attack happens to the network, so as to ensure normal and reliable network operation. Solution:

    Diagnosis View is the most direct and effective place to locate ARP spoofing attack and should be our first choice. Its interface is displayed as picture1.

    ARP spoofing attack event

                                                          (picture1)
    

    Picture 1 definitely points out that there are two kinds of ARP spoofing attack event, ARP Scan and ARP MAC address changed, in the network, and the attack source is clearly given at the bottom. Meanwhile, Sax2 will provide reasons of such ARP spoofing attacks and corresponding solutions.

    source:http://www.ids-sax2.com/articles/QuickLocateARPAttackSource.htm

0 comments:

Post a Comment