ARP Poisoning

mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

I have been facing a problem for almost 15 days. Let me explain what I have been facing.

My server has IP address 10.10.10.1 (the server is acting as a Squid proxy).

Now from any client, when I execute this command (arp -a 10.10.10.1)

I am not getting the server's MAC address; whenever I execute this command I get a different MAC address. I am not getting the SAME address every time, I get a different MAC address every time.

Now due to this ARP poisoning, the client's ping to the server is breaking and the Internet stops working.

Can you please tell me some solutions.

I also made a script to get all the MAC addresses against my server's IP. I got more than 350 MAC addresses.

How can I solve this problem?

I searched Google regarding ARP poisoning and found the following link.

http://packetstormsecurity.org/UNIX/utilities/

On the above link I found this script:

http://packetstormsecurity.org/UNIX/utilities/aapd.c

I don't know what it does, but the description says:
OpenAAPD (0.1-beta) is an Anti Arp Poisoning Daemon for OpenBSD operating system which works with or without DHCP protocol support on the LAN networks without compromising the ARP protocol performances.
Please help me out with this problem.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
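As an added example (not the poster's script and not from anyone in this thread), the following shell script shows what a MAC-collection script like the one described above is really measuring, and adds the check a practitioner wants next. It parses tcpdump "-e" style ARP output, reports every IP that has been claimed by more than one MAC, and, given the server's real MAC, lists the Ethernet source addresses of the frames that lied about it; that source address is what you look up in the switch's MAC table to find the infected host, because a spoofing tool normally transmits from the real NIC even when the "is-at" value is forged. The capture lines, the server MAC 00:50:56:aa:bb:cc and the interface name eth0 are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: detect ARP poisoning of the
# proxy address from "tcpdump -e" ARP output and identify the sending
# hosts.  Capture lines, SERVER_MAC and the interface are constructed.

SERVER_IP="10.10.10.1"           # the Squid proxy address from the thread
SERVER_MAC="00:50:56:aa:bb:cc"   # assumed; read it from "ip link" on the server

# Constructed sample of "tcpdump -n -e -l -i eth0 arp" output.  Field 2 is
# the Ethernet source address of the frame; "is-at <mac>" is the claim.
SAMPLE_CAPTURE='
10:00:01.000001 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.10.10.1 tell 10.10.10.50, length 28
10:00:01.000200 00:50:56:aa:bb:cc > 00:1a:2b:3c:4d:5e, ethertype ARP (0x0806), length 42: Reply 10.10.10.1 is-at 00:50:56:aa:bb:cc, length 28
10:00:02.100000 00:e0:4c:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.10.10.1 is-at 00:e0:4c:11:22:33, length 28
10:00:02.100500 00:e0:4c:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.10.10.1 is-at 00:e0:4c:11:22:33, length 28
10:00:03.000000 00:0c:29:de:ad:01 > 00:1a:2b:3c:4d:5e, ethertype ARP (0x0806), length 42: Reply 10.10.10.1 is-at 02:00:00:00:00:01, length 28
10:00:04.000000 00:1a:2b:3c:4d:5e > 00:50:56:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 10.10.10.50 is-at 00:1a:2b:3c:4d:5e, length 28
'

# Report every IP that has been claimed by more than one MAC, as
#   <ip> <distinct-mac-count> <mac1,mac2,...>
detect_flapping() {
    awk '
        /Reply [0-9.]+ is-at/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Reply") { ip = $(i + 1); mac = $(i + 3) }
            sub(/,$/, "", mac)                 # strip trailing comma
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                n[ip]++
                macs[ip] = (ip in macs) ? macs[ip] "," mac : mac
            }
        }
        END { for (ip in n) if (n[ip] > 1) print ip, n[ip], macs[ip] }
    ' | sort
}

# Distinct Ethernet source addresses of replies that claim SERVER_IP with
# a MAC other than SERVER_MAC: the NICs actually sending the poison.
rogue_senders() {
    awk -v ip="$SERVER_IP" -v good="$SERVER_MAC" '
        index($0, "Reply " ip " is-at ") > 0 {
            for (i = 1; i <= NF; i++)
                if ($i == "Reply") claimed = $(i + 3)
            sub(/,$/, "", claimed)
            if (claimed != good && !($2 in src)) { src[$2] = 1; print $2 }
        }
    '
}

# Distinct-MAC count for one IP in the sample; empty if it never flapped.
mac_count_for() {
    printf '%s\n' "$SAMPLE_CAPTURE" | detect_flapping | awk -v ip="$1" '$1 == ip { print $2 }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | detect_flapping
printf '%s\n' "$SAMPLE_CAPTURE" | rogue_senders
```

On a live network, replace the constructed capture with `tcpdump -n -e -l -i eth0 arp | detect_flapping`, run on the server itself or on a mirror port, and take the good MAC from `ip link show eth0` on the server rather than from any client's ARP cache, since the cache is exactly what is being poisoned.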

Post by mudasir »

Can anyone tell me some solutions to my problem?

Post by mudasir »

Hi,

Still looking for some solutions :cry:

The DHCP server is giving out IPs. Only allowed MAC addresses are given a Class A IP address, and MACs which are not allowed are given a Class C IP address.

Each MAC has its own fixed IP address.

Squid is being used as the proxy server, iptables is being used as the firewall, and tc is being used to shape bandwidth per IP address.
sameer666
Naik
Posts: 82
Joined: Tue Nov 06, 2007 5:31 am

Post by sameer666 »

Use a static MAC if your server MAC keeps changing.

regards
Novice at heart
abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Post by abakali »

Here is a simple solution for this:

Make a script from your MAC address list: collect your clients' MACs and IPs and use static ARP on your server machine, e.g.
10.10.10.1 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.2 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.3 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.4 xx.xx.xx.xx.xx.xx -i ethx
10.10.10.5 xx.xx.xx.xx.xx.xx -i ethx

Keep in mind that whenever you restart your interface these entries are flushed. Then go to your client side, make a batch file and put your static entry for the server IP and MAC in it.
Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
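A worked version of the static-entry approach in the post above, as an added example that is neither abakali's nor the original poster's script: it takes a whitelist of "ip mac iface" lines (the file format, its contents and the interface name eth0 are assumptions for this example), validates and normalises each MAC, and emits the iproute2 `ip neigh ... nud permanent` commands that pin the binding so a forged ARP reply cannot overwrite it. `ip neigh` is the current equivalent of `arp -s`; a permanent neighbour entry is never aged out and is not updated by received ARP traffic.

```shell
#!/bin/sh
# Added example, not code from the thread: pin IP<->MAC bindings as
# permanent neighbour entries from a whitelist so forged ARP replies
# cannot overwrite them.  Requires iproute2; applying needs root.

# Constructed whitelist (format is this example's own): "ip mac iface",
# '#' starts a comment.  The third entry uses Windows-style dashes and
# the fourth is junk, to exercise the validation path.
ARP_WHITELIST='
# ip            mac                 iface
10.10.10.1   00:50:56:aa:bb:cc   eth0
10.10.10.2   00:1a:2b:3c:4d:5e   eth0
10.10.10.3   00-1A-2B-3C-4D-5F   eth0
10.10.10.4   not-a-mac           eth0
'

# Normalise a MAC to lowercase colon-separated form; print nothing if it
# is not six hex octets.  Always exits 0 so callers under set -e survive.
norm_mac() {
    printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:' \
        | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || true
}

# Print one "ip neigh replace ..." command per valid whitelist line.
# "nud permanent": never expires, never updated by received ARP replies.
gen_static_arp_cmds() {
    printf '%s\n' "$ARP_WHITELIST" | while read -r ip mac iface; do
        case "$ip" in ''|'#'*) continue ;; esac     # skip blanks/comments
        m=$(norm_mac "$mac")
        if [ -z "$m" ]; then
            echo "skipping $ip: invalid MAC '$mac'" >&2
            continue
        fi
        echo "ip neigh replace $ip lladdr $m dev $iface nud permanent"
    done
}

# Number of bindings that would be pinned (warnings discarded).
count_static_arp_cmds() {
    gen_static_arp_cmds 2>/dev/null | wc -l | tr -d ' '
}

# Actually install the entries (root / CAP_NET_ADMIN).  Call this from an
# interface-up hook: the kernel drops permanent entries when the link goes
# down, which is the flush the post above warns about.
apply_static_arp() {
    gen_static_arp_cmds | sh -e
}

# Dry run: show what would be applied.
gen_static_arp_cmds
```

Run `apply_static_arp` as root from an if-up hook or a boot script, and re-run it whenever a client's NIC changes, since a stale binding silently cuts that client off. On a Windows client the matching batch-file line is `arp -s 10.10.10.1 00-50-56-aa-bb-cc` (the server's real MAC, dash-separated). Note the limit of this approach: it protects the server's view of the clients and each pinned client's view of the server, but it does nothing for traffic between two unpinned clients, and the poisoning frames keep flooding the segment until the sending host is found.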

Post by mudasir »

AOA,

Dear Asif Bakali,

I have already made a script that statically enters users' IPs and MACs in the server's ARP cache table.
The script is at
http://linuxpakistan.net/forum2x/viewto ... 7129f630dc

And I have also created an EXE file that does the static IP and MAC entry on the user side. But this is not what I am looking for.

Can you please tell me some other solutions that I can go with.

Looking forward to your reply.
ashariqbal
Havaldaar
Posts: 105
Joined: Mon Jun 24, 2002 10:01 am
Location: Karachi

Post by ashariqbal »

To find out who is messing with the ARP, you need to do basic network troubleshooting. Start unplugging wires, and when your problem stops you know who it is.

The person is probably using something like ettercap to sniff your network traffic.

Post by mudasir »

AOA,

Dear ashariqbal,

I have even tried doing this. Basically I have divided my users into segments, and the problem is coming from almost every segment. So I don't think some user is intentionally doing this; it must be some sort of adware, malware, or maybe a virus.

I also googled viruses which act as I have stated in my post and found a few, but they are detected by almost all anti-viruses.

I have also installed AntiARP, which tells me which IP is trying to spoof, so from this I know that it is not just one user; many users' IPs are trying to spoof, and they are from all segments.

So, that is also not helping me out.

Post by abakali »

Dear mudasir,

This is part of the Layer 2 attacks. To prevent this issue, manage it via L2 managed switches; I have tested on Cisco, which has a built-in feature, ARP inspection, that blocks these types of attack. But your scenario is different: you are deploying this on your cable net, and this solution is too expensive.
I suggest you implement PPPoE or a VPN in your network.
ranatanveer
Subedar
Posts: 355
Joined: Sat May 07, 2005 11:54 am
Location: Lahore

Post by ranatanveer »

Event Viewer can tell you which machine is the culprit. I faced this problem three times on my different networks; I think it is spyware on some host. I found that machine through Event Viewer, unplugged it and re-installed it, and the problem was resolved.
Regards

Rana Tanveer
+923224194457
Linux Student

For Affordable Web Development http://www.affordableprogrammers.com
http://www.qualityprogrammers.com

Post by mudasir »

AOA,

I really appreciate that you have all provided your ideas.

Basically I have implemented almost all of these things, except for the L2 switches, because that is very expensive...

Post by mudasir »

AOA,

I found something on the Internet, and as I read about it I thought it might be the solution for the problem I am facing. I thought it would be good to share this with LP Forum members.

http://www.ltn.lv/~guntis/smarp/

It is basically SmartARP.
azfar
Captain
Posts: 598
Joined: Tue Mar 23, 2004 1:16 am
Location: Karachi

Post by azfar »

This problem exists in almost all cable networks these days. Have you found any server-side solution for both Windows/Unix?
Azfar Hashmi
Email : azfarhashmi@hotmail.com

Post by mudasir »

AOA,

Dear Azfar,

I have not found any server-side solution; I will implement this SmartARP and will let you know whether it works out or not.

If you find any, do let me know.
AcidEYE
Havaldaar
Posts: 115
Joined: Mon Feb 28, 2005 5:41 pm
Location: Lahore (Pakistan)

Post by AcidEYE »

As Salam U Alikum,

I have been facing this problem for the last 2 months and still couldn't resolve it. I've bought a 12-port 3Com 3300 switch; this switch also can't stop ARP poisoning. MAC address cloning is still there, the reply from the server is breaking, and the end result is the Internet not working. This is some kind of virus, malware or trojan which is spoiling LAN traffic.

Please, someone tell me the best solution, hardware-wise or software-wise.

waiting for reply.

thanks & regards.
Linux Addicted