[MLB-WIRELESS] arp spoofing

Steven Haigh netwiz at crc.id.au
Mon May 15 10:59:37 EST 2006


On Mon, May 15, 2006 9:19 am, David Ashburner wrote:
> Hi all,
>
> There was an interesting discussion at the meeting last friday about
> ARP spoofing and how it is a threat for wireless Nodes.
> In a nutshell, it would be possible for a man-in-the middle attack to
> make itself appear as the network gateway (access point)  and so
> intercept
> any traffic between a legitimate client and the real gateway. It could
> do this by sending out a lot of unsolicited arp responses and
> "poisoning" the ARP cache on all connected machines.

I found this quite interesting as well... It looks to be a flaw in the way
ethernet works - and there isn't much that you can do to stop it.

> Grant spent some time explaining this to me and also that the people at
> WAND Network Research  Group in Nah Zulund had implemented a solution
> where all ARP requests and responses get quenched from the network and
> the gateway provides the responses from its DHCP cache.  The software
> dhcparpd is available to download but is set up to use a specific API
> for communicating with the DHCP server.

I don't know how this will fix the issue - at the network layer, an
"ARP WHO HAS" is a broadcast to FF:FF:FF:FF:FF:FF, which is the ARP
broadcast address. This is where the PC with the specific IP replies back
with a "this is me" packet. Now if you spoof this reply - or you fill up
everyone's ARP cache with junk so it has to get a new address - you can
inject your faked entries.

Now, where this program comes in, and how it is supposed to fix a
broadcast issue is quite strange. Maybe it's because it gets the broadcast
first? It does mention that you should use IPtables to block arp replies
from anywhere but the station running the DHCP server - however if it's a
broadcast, then this would have to run on EVERY machine - otherwise the
broadcast could not easily be blocked....

The only ways I can really think of to fully stop this kind of attack are:

1) have a WHOPPING huge ARP cache - thereby allowing faked entries to
expire before the table is full, or
2) statically set all ARP entries for IP addresses (has to be done on all
clients!)
3) Lock switch ports to a set ARP address (may not work for wifi AP model
networks).
4) ??

Always interested in hearing some opinions on this topic :)

> I've looked through the code and can make a relatively easy patch to
> make it work with the dnsmasq software used on the WRTs.  I'll build a
> ipkg with the daemon and iptables rules and we can give it a go.

Cool - will be interesting to see what it does and if it works :)

> dna
>
> WAND page:   http://research.wand.net.nz/software/dhcparpd.php

-- 
Steven Haigh

Email: netwiz at crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9017 0597 - 0412 935 897
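The mechanism argued over above (a broadcast "who has", a unicast "is at" reply, and an attacker injecting replies that claim the gateway's IP) is easy to see in the raw frames. The following is an added example, not code from this thread, from dhcparpd or from WAND: it parses Ethernet/ARP frames and flags replies that claim a trusted IP with the wrong MAC, replies whose Ethernet source does not match the ARP sender field, and replies for which no "who has" was seen. The addresses, the trusted gateway mapping and the sample frames are all constructed for the demo; a real monitor would feed it frames from an AF_PACKET socket or a pcap.

```python
"""Passive ARP monitor: parse ARP frames and flag replies that look spoofed.

Added example. All MACs/IPs below are made up; the trusted gateway
mapping is an assumption standing in for what a DHCP server or a
hand-maintained table would supply.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Build an Ethernet + IPv4-over-Ethernet ARP frame (used to construct sample traffic).
    A "who has" goes to the broadcast MAC; an "is at" reply is unicast to the asker."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)   # SHA, SPA
           + mac_bytes(target_mac) + ip_bytes(target_ip))  # THA, TPA
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame into its fields; return None for anything that is not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sha": mac_str(frame[22:28]),  # sender hardware address
        "spa": ip_str(frame[28:32]),   # sender protocol address
        "tha": mac_str(frame[32:38]),  # target hardware address
        "tpa": ip_str(frame[38:42]),   # target protocol address
    }


class ArpWatch:
    """Tracks who-has requests and checks every is-at reply against a trusted ip->mac table."""

    def __init__(self, trusted):
        self.trusted = dict(trusted)  # IPs whose MAC we insist on (e.g. the gateway)
        self.asked = set()            # IPs a who-has has been seen for
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return None
        if p["op"] == ARP_REQUEST:
            self.asked.add(p["tpa"])
            return None
        if p["op"] != ARP_REPLY:
            return None
        alert = None
        expected = self.trusted.get(p["spa"])
        if expected is not None and p["sha"] != expected:
            alert = f"spoofed reply: {p['spa']} is-at {p['sha']}, trusted {expected}"
        elif p["eth_src"] != p["sha"]:
            alert = f"header mismatch: frame from {p['eth_src']} but ARP sender {p['sha']}"
        elif p["spa"] not in self.asked:
            alert = f"unsolicited reply: {p['spa']} is-at {p['sha']} with no prior who-has"
        if alert:
            self.alerts.append(alert)
        return alert


def run_demo():
    """Replay a constructed exchange: legitimate lookup, then two injected replies."""
    gw_ip, gw_mac = "10.0.0.1", "00:11:22:33:44:01"          # assumed gateway
    client_ip, client_mac = "10.0.0.50", "00:11:22:33:44:50"  # assumed client
    evil_mac = "de:ad:be:ef:00:01"                            # assumed attacker
    watch = ArpWatch({gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REQUEST, client_mac, client_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, client_mac, client_ip),    # genuine
        build_arp(ARP_REPLY, evil_mac, gw_ip, client_mac, client_ip),  # claims gateway IP
        build_arp(ARP_REPLY, evil_mac, "10.0.0.77", client_mac, client_ip),  # nobody asked
    ]
    for f in frames:
        watch.observe(f)
    return watch.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The first check is the one that matters: with a trusted table for the gateway, a reply claiming that IP from any other MAC is flagged regardless of who asked. The other two checks are heuristics only; an attacker who forges the Ethernet source to match and waits for a real who-has defeats both, which is why the thread's options 2 and 3 (static entries, or binding the MAC at the switch/AP) are the ones that actually stop the poisoning rather than just reporting it.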