You can define static ARPs, but I can't think of anything that would be
more difficult to manage.  ARP spoof attacks are fairly rare in practice
(that I've seen at least -- but they're fairly new as well).  The most
important thing you can do is make sure your local networks are safe
from attack and safe from people exploiting root access.  Of course,
since it's near impossible to protect yourself 100%, some people are
working on AntiSniff tools (antisniff being one of them) to detect
things like this.  I haven't checked up on all their capabilities, but
there was a recent post to BUGTRAQ about them. Search the archives at
www.geek-girl.com.  

The only thing I can think of to protect this from happening internally
is to provide a higher level of authentication/encryption on the packets
so that spoofing ARP and listening to packets will become useless
anyway.  Hooray IPSEC!

If anyone has more comments that would be great!

David



Jeff Kell wrote:
> 
> Recently I came across some advisories on a new (to me) hack tool called
> dsniff (IIRC).  The basic operation is as follows:
> 
> * enemy spoofs an ARP reply to a target host/client for the victim's
>   IP, but supplies its own MAC address.
> * target stashes this in its ARP table, subsequent IP packets are
>   sent to the enemy's MAC.
> * enemy copies the packet and forwards on to the victim.
> 
> It is a bit scary, and gets down to the bit-level of various TCP
> stacks.  On paper it sounds rather simple, and I'm trying to devise some
> means of protection against this.  Among my concerns about the
> attack:
> 
> * do all stacks accept and cache 'unsolicited' ARP replies?  Routers?
>   Windows?  NT?  Various unix flavors?
> * will this overwrite any existing ARP entry in the cache?
> * will this overwrite a static ARP entry?
> 
> To ensure a "sniff-proof" connection between yourself and a host, can
> you define static ARPs on the client, host, and endpoint router(s) if on
> different subnets and protect yourself from such an attack?
> 
> Sorry if somewhat off-topic, but it does get to the way ARP works (is it
> stateful - request and wait on reply, or are the two events handled
> asynchronously?)
> 
> Jeff Kell <[EMAIL PROTECTED]>
> 
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
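
The concerns raised in this thread (unsolicited replies, an existing cache entry being overwritten, static entries) map onto a passive monitoring check. The following is an added example, not code from either poster or from any tool named above: `ArpEvent`, `audit`, `REQUEST_WINDOW` and the sample traffic are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpEvent:
    ts: float        # capture time in seconds
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str   # in a request, the address being resolved

REQUEST_WINDOW = 2.0  # assumed: how long a reply may trail its request

def audit(events, pinned=None):
    """Return one alert dict per reply that contradicts a known IP->MAC binding."""
    pinned = dict(pinned or {})  # bindings the administrator trusts
    learned = {}                 # first binding seen for every other IP
    asked = {}                   # IP -> time of the latest request for it
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "request":
            asked[ev.target_ip] = ev.ts
            continue
        baseline = "pinned" if ev.sender_ip in pinned else "learned"
        # The first learned binding is kept, so repeated spoofed replies keep alerting.
        known = pinned.get(ev.sender_ip) or learned.setdefault(ev.sender_ip, ev.sender_mac)
        if known.lower() == ev.sender_mac.lower():
            continue
        last = asked.get(ev.sender_ip)
        alerts.append({
            "ts": ev.ts, "ip": ev.sender_ip,
            "expected": known, "claimed": ev.sender_mac,
            "baseline": baseline,
            "solicited": last is not None and ev.ts - last <= REQUEST_WINDOW,
        })
    return alerts

# Constructed sample traffic (RFC 5737 addresses, RFC 7042 documentation MACs).
SAMPLE = [
    ArpEvent(0.0, "request", "192.0.2.5", "00:00:5e:00:53:05", "192.0.2.1"),
    ArpEvent(0.1, "reply", "192.0.2.1", "00:00:5e:00:53:01", "192.0.2.5"),
    ArpEvent(30.0, "reply", "192.0.2.1", "00:00:5e:00:53:66", "192.0.2.5"),
    ArpEvent(31.0, "request", "192.0.2.5", "00:00:5e:00:53:05", "192.0.2.9"),
    ArpEvent(31.2, "reply", "192.0.2.9", "00:00:5e:00:53:09", "192.0.2.5"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

The `solicited` field is informational only: a conflicting reply that arrives just after a genuine request is still reported, because it contradicts the baseline binding either way.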
