Hi all,

I want to build up a resource containing all possibilities to defend
against ARP spoofing. As I think ARP spoofing is one of the most powerful,
easiest and underestimated attacks I want to know all your tricks, patches,
anything that you know/apply to defend against ARP spoofing.

I know the standard things to do (like static ARP entries and so on),
what I want to know from you is something like:

-OS x has a patch y which helps prevent ARP spoofing (like antidote)
or
-OS x in version y has a small built in ARP prevention (like SunOS)
or
-Firewall/IDS x is able to prevent/detect ARP spoofing

Also welcome are new thoughts about ARP spoofing prevention (like S-ARP
or Secure Link Layer).

Give me all your information, tricks and tips, so I can build up a
complete resource.

Thanks a lot,
Chris

Re: Defending ARP Spoofing by Juergen

Juergen
Sun Nov 06 16:39:45 CST 2005

["Followup-To:" header set to comp.security.misc.]

Multi-Language Hierarchy crossposting. Please feel free to fup in the
language and hierarchy you prefer.

Chris <chrismc911@hotmail.com>:
> I want to build up a resource containing all possibilities to defend
> against ARP spoofing. As I think ARP spoofing is one of the most powerful,
> easiest and underestimated attacks I want to know all your tricks, patches,
> anything that you know/apply to defend against ARP spoofing.

The very best defense against ARP spoofing is to make sure your
network design and security concept does not rely on MAC addresses for
any of the following: Authentication, Authorisation, Identification.

> I know the standard things to do (like static ARP entries and so on),

Apparently not. The standard thing to do is to make your
network design (and security concept) immune to this kind of threat.

> what I want to know from you is something like:
>
> -OS x has a patch y which helps prevent ARP spoofing (like antidote)
> or

What makes you think the bad guy would install such a patch? How would
you enforce installation? How can you enforce that only stations with
such a patch participate in your network?

> -OS x in version y has a small built in ARP prevention (like SunOS)
> or

What are you talking about?

> -Firewall/IDS x is able to prevent/detect ARP spoofing

Unlikely if the spoofing entity has any brains at all. (i.e. you can
only catch complete dorks this way ;)

> Also welcome are new thoughts about ARP spoofing prevention (like S-ARP
> or Secure Link Layer).

Simply separate your Authentication and Authorisation from Ethernet
layer parameters. This has been the way to make yourself immune against
ARP spoofing attacks for decades now. IPSEC is one of the many
technical solutions to accomplish this goal.

> Give me all your information, tricks and tips, so I can build up a
> complete resource.

Give me all your money, bonds and deeds, so I can provide you with a
complete response ;-)

Juergen
--
Juergen P. Meier - "This World is about to be Destroyed!"
end
If you think technology can solve your problems you don't understand
technology and you don't understand your problems. (Bruce Schneier)

Re: Defending ARP Spoofing by Karl

Karl
Mon Nov 07 18:45:25 CST 2005


"Chris" <chrismc911@hotmail.com> wrote in message
news:dklo1p$o1f$1@news2.rz.uni-karlsruhe.de...
> Hi all,
>
> I want to build up a resource containing all possibilities to defend
> against ARP spoofing. As I think ARP spoofing is one of the most powerful,
> easiest and underestimated attacks I want to know all your tricks, patches,
> anything that you know/apply to defend against ARP spoofing.
>
> I know the standard things to do (like static ARP entries and so on),
> what I want to know from you is something like:

Here are some:

Use IPSec / VPN to verify client identities;
Use any solution that includes client certificates, such as SSL;
Use "port security" on switches to control which MAC addresses can access
that switch port;
Use physical security and personnel security to ensure that people on your
internal network are relatively trusted;
Train users to recognize and report the possible symptoms of ARP spoofing
[this is rarely done in real life]; and/or,
Harden all your hosts as best you can against compromise using the usual
methods;
Accept ARP spoofing as a theoretical risk.

I do not believe ARP spoofing happens all that frequently in real life.
Generally, someone doing ARP spoofing has physical or remote access to a
host on your internal network. Someone that is in the position to do ARP
spoofing is usually in the position to do whatever they want to you given
enough time.

Before wasting a lot of time and money trying to defend against ARP
spoofing, be sure you've done enough to get rid of the more commonly
exploited vulnerabilities on your systems first. I don't know too many
people that can say they are in that position.

> -OS x has a patch y which helps prevent ARP spoofing (like antidote)
> or
> -OS x in version y has a small built in ARP prevention (like SunOS)
> or
> -Firewall/IDS x is able to prevent/detect ARP spoofing

None of these really exist as far as I know.
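
The static-binding idea mentioned in the thread (static ARP entries, per-port MAC control), applied as a passive monitoring check; this is an added example and not part of any post. It parses Ethernet/ARP frames per RFC 826 and flags sender claims that contradict a pinned IP-to-MAC table or an earlier observed binding. The table, the sample addresses and all function names are constructed for illustration.

```python
import struct

# Constructed pinned bindings (IP -> MAC); every address here is made up.
PINNED = {"192.0.2.1": "00:11:22:33:44:55"}

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826)."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                      # not ARP
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "oper": oper, "sha": _mac(sha),
            "spa": _ip(spa), "tpa": _ip(tpa)}

def check(frame, pinned, learned):
    """Return alert names for one frame; `learned` tracks unpinned bindings."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    if arp["eth_src"] != arp["sha"]:             # heuristic: headers disagree
        alerts.append("sender-mac-mismatch")
    ip, mac = arp["spa"], arp["sha"]
    if ip == "0.0.0.0":                          # ARP probe claims no binding
        return alerts
    if ip in pinned:
        if pinned[ip] != mac:
            alerts.append("pinned-conflict")
    elif learned.setdefault(ip, mac) != mac:
        alerts.append("binding-changed")
        learned[ip] = mac                        # remember the newest claim
    return alerts

def build(eth_src, sha, spa, tpa, oper=2):
    """Build a constructed broadcast ARP frame to exercise check()."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    head = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return b"\xff" * 6 + m(eth_src) + head + m(sha) + a(spa) + b"\x00" * 6 + a(tpa)
```
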