On Sat, Nov 28, 2009 at 06:51:52PM +0700, Utian Ayuba wrote:
> Arief Yudhawarman wrote:
> > Not only the neighbours it knows, but all of them without exception.
> > Yes, it will not record ARP requests, or rather it will not serve ARP requests.
> > So the only way to be able to communicate is that the guest's MAC address & IP
> > must be recorded.
> >
>
> Pak Arif, sorry, but I'm seriously interested in this topic and would like to
> exchange ideas based on my understanding.
>
> As far as I know ARP is layer 3 because it already knows about IP addresses, and
> iptables goes up to layer 4 because it can already define port numbers.

I'll check the official sources again later; I'm also still not sure whether it's layer 3 or 2.

> Back to the definition of reply-only:
> ARP is the protocol for finding the MAC address of a known remote IP address.
> This mapping of the remote host's IP and MAC must exist for a host to be able to
> send packets to the remote host, and the mapping is stored in the local host's
> ARP table. A host looking up a remote host's MAC address sends an ARP request
> packet (broadcast), and the remote host in question replies with an ARP reply
> packet (unicast) after receiving the broadcast ARP request. The local host that
> sent the ARP request maps the MAC and IP in its ARP table after it receives the
> ARP reply from the remote host.
>
> So my question is: when a host's interface is set to reply-only, does that mean
> the host will only answer ARP requests from other hosts (it can only send ARP
> replies) without being able to initiate broadcast ARP request packets of its own?

Yes.

> Or, to put the question differently: when a host is set to reply-only, will it
> only receive ARP replies, or will it only send ARP replies?

It only sends ARP replies. In other words, it is as if the host's own ARP requests were dropped by the host itself (with the ARP reply-only setting).

> > > I haven't tried it, but my guess is that if ARP is disabled in ifconfig and
> > > we then map the ARP table statically, it will indeed behave as above, won't it?
> > >
> >
> > It can, as long as the host's MAC & IP are recorded on the neighbours as well :)
> >
>
> On the neighbours I don't think the mapping needs to be set statically, because
> the neighbours will fill their ARP tables automatically after getting an ARP
> reply packet from the local host (if reply-only = the host only sends ARP replies :))

That's indeed right :)

> > BTW, I already know how to use arptables to drop ARP requests.
> > You can read about it here:
> > http://abulmagd.blogspot.com/2008/08/arptables-and-arp-poisoningnetcut.html
> >
>
> Hmm, why can't I access the link above?

I'll paste it here, since it's small anyway:

---------- start of quote ---------------
Binary Brainjuice
Knowledge should be free

Friday, August 1, 2008

arptables, and ARP poisoning (Netcut, Switchspoofer, ..)

Netcut, WinARPspoofer, Switchsniffer, WinARPattacker, and other ARP poisoners are becoming popular now with the growing number of free wifi hotspots and shared broadband connections, and are being used either for taking advantage of the whole network's internet speed, or for sniffing sensitive information, emails, chat conversations, .. etc.

I tried many ways to stop attacks on my Linux box like what is mentioned here, but I failed to stop the attacks. After several trials and forensics, I found that arptables is the solution.

I installed the arptables package:

    $ sudo apt-get install arptables

Then I added these lines to my firewall script, provided that "192.168.1.1" is the gateway IP and "00:1D:0F:A9:F0:45" is the MAC address of the gateway:

    # arptables -P INPUT DROP
    # arptables -P OUTPUT DROP
    # arptables -A INPUT -s 192.168.1.1 --source-mac 00:1D:0F:A9:F0:45 -j ACCEPT
    # arptables -A OUTPUT -d 192.168.1.1 --destination-mac 00:1D:0F:A9:F0:45 -j ACCEPT
    # arp -s 192.168.1.1 00:1D:0F:A9:F0:45

First line to set the policy of the INPUT chain to DROP.
Second line to set the policy of the OUTPUT chain to DROP.
Third line to only ACCEPT connections from the trusted gateway.
Fourth line to send replies only to the trusted hosts.
Fifth line to add a static entry into the ARP table to link your trusted host to its own MAC.

What I liked in this solution is that your box will only be visible to the trusted hosts in your network, even when the attacker tries to scan the network with any kind of software.

A good combination between arptables and iptables makes you safe in untrusted switched networks.

Posted by abulmagd at 6:40 PM
Labels: ARP, arptables, firewall, Linux, mim, networking, sniffer, spoofer, ubuntu

5 comments:

Anonymous said...
Try this on Windows http://sync-io.net/Sec/anti-arpspoof.aspx
Let me know if you want the code.
-chris
August 24, 2008 3:35 AM

MMF said...
Nice Post
March 27, 2009 2:06 AM

Anonymous said...
Should I type all of those lines every time I restart my machine?
July 24, 2009 10:24 AM

abulmagd said...
You can append these commands at the end of /etc/rc.local
July 24, 2009 11:04 AM

Anonymous said...
Hello, thank you for the guide here, but why can I still not get my connection even after I've followed your guide? This is what happens when I run arp-scan: http://i905.photobucket.com/albums/ac253/ghemoex/arp.png
It seems I can't get the true MAC address of my router, and when I tried looking up the MAC address using the arp command, everything seems normal: http://i905.photobucket.com/albums/ac253/ghemoex/arp.png
July 26, 2009 8:45 AM
---------- end of quote ---------------

By the way, do any of you know how to fetch a web document/URL directly from mutt? Right now I open the URL in elinks first, save it as a formatted document, and then read it from mutt.

--
Thanks in advance.

Regards,
~~ Arief Yudhawarman ~~

--
Mailing list FAQ at http://wiki.linux.or.id/FAQ_milis_tanya-jawab
Unsubscribe: send an email to tanya-jawab-unsubscr...@linux.or.id
Archive and full list info at http://linux.or.id/milis
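As an added example (not from the original email, the quoted blog post, or the arptables project): a parameterised version of the arptables lock-down quoted above, written so it can be re-applied safely from /etc/rc.local. It flushes old rules first, validates the MAC before changing anything (a mistyped gateway MAC cuts you off, as the last commenter found), and defaults to printing the commands instead of running them; the gateway IP and MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example: parameterised, idempotent arptables gateway pinning.
# Assumes the legacy arptables/arp command syntax shown in the quoted post.
GW_IP="${GW_IP:-192.168.1.1}"            # constructed placeholder gateway IP
GW_MAC="${GW_MAC:-00:1d:0f:a9:f0:45}"    # constructed placeholder gateway MAC
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute (needs root)

# Accept only a well-formed six-octet MAC; case-insensitive.
valid_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit the command list as text so it can be reviewed, diffed, or piped to sh.
# Flushing both chains first makes re-running the script (e.g. from rc.local)
# safe: the ACCEPT rules are not duplicated on every boot.
build_rules() {
    ip="$1"
    mac="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    cat <<EOF
arptables -F INPUT
arptables -F OUTPUT
arptables -P INPUT DROP
arptables -P OUTPUT DROP
arptables -A INPUT -s $ip --source-mac $mac -j ACCEPT
arptables -A OUTPUT -d $ip --destination-mac $mac -j ACCEPT
arp -s $ip $mac
EOF
}

# Validate, then either show or apply the rules. Returns 1 on a bad MAC so a
# typo never results in a DROP policy with no matching ACCEPT rule.
apply_rules() {
    valid_mac "$2" || { echo "refusing to apply: bad MAC '$2'" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        build_rules "$1" "$2"
    else
        build_rules "$1" "$2" | sh -e
    fi
}

# Usage: ./arp-pin.sh apply          (dry run)
#        DRY_RUN=0 ./arp-pin.sh apply (really apply, as root)
case "${1:-}" in
    apply) apply_rules "$GW_IP" "$GW_MAC" ;;
esac
```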