[MLB-WIRELESS] arp spoofing

Fenn Bailey fenn_b at smktech.com.au
Mon May 15 16:32:11 EST 2006


Hey All,
> 
> Always interested in hearing some opinions on this topic :)
> 

I haven't had a good look at dhcparpd yet, but here's my quick thoughts on
the subject:

This problem is somewhat dependent on the specific setup. With a BSS/AP type
setup, all frames (and therefore, packets) traverse the AP - they don't go
direct client to client.

In this specific scenario, the concept of a man-in-the-middle attack is
relative - Even a client attempting to be "in the middle" by spamming out
ARP responses and poisoning the arp cache would actually still be on the
border of the star-topology (with the AP being in the true middle).

This is where my knowledge of the Layer2 implementation of wireless APs
falls down a bit - If it were operating as a bridge of sorts that is
controllable by software, you'd be able to see/stop packets at an ethernet
frame level using something like ebtables.

However, I'm not sure how visible Layer2 is from say linux on a WRT - It's
far more likely that the store/forward is done as it would be on a switch in
hardware, which is a level below what you can do much with in software.

It's possible that with something like the HostAP driver or some low level
radio drivers, some of this stuff could be written in so that all layer2
frame passing is manipulatable in software, which would allow true blocking
of arp poisoning.

This sort of thing is definitely possible with enough control of the radio,
as some integrated hotspots (such as the ones manufactured by Handlink) do
a "zero config" mode which completely abstracts out layer2 and layer3 and
completely ignores all layer3 settings (so IP/etc become irrelevant),
delivering packets (or frames) mangled appropriately to the appropriate mac
address over the radio segment based on authentication.

This sort of stuff is (relatively) simple in theory, but difficult to
implement without sufficient access (and skills) to manipulate stuff at a
radio/link level.

Fun stuff!

	Fenn.
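As an added illustration of the ARP-cache poisoning discussed above (example code written for this page, not from the post or from dhcparpd), this Python script parses Ethernet/ARP frames and flags an IP whose claimed MAC changes between replies, the kind of check an arpwatch-style monitor can perform on any host that sees the frames. The MAC and IP addresses are constructed samples.

```python
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode: reply

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet II frame carrying an ARP reply (constructed test input)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, 6/4 byte addrs
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP; ignore
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

class ArpBindingMonitor:
    """Remember the first MAC seen for each IP in ARP replies and flag later changes."""
    def __init__(self):
        self.bindings = {}  # ip -> mac learned from the first reply seen

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None  # only replies update a neighbour's cache here
        _, mac, ip = parsed
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            return f"possible ARP poisoning: {ip} was {known}, now claimed by {mac}"
        return None

if __name__ == "__main__":
    mon = ArpBindingMonitor()
    # constructed traffic: a legitimate gateway reply, then a second reply for the same IP
    good = build_arp_reply("aa:bb:cc:00:00:01", "10.10.0.1", "aa:bb:cc:00:00:42", "10.10.0.42")
    rogue = build_arp_reply("de:ad:be:ef:00:99", "10.10.0.1", "aa:bb:cc:00:00:42", "10.10.0.42")
    for f in (good, rogue):
        print(mon.observe(f) or "ok")
```

A real deployment would seed the table from DHCP leases or a static list rather than trusting the first reply seen.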
