Old 19-07-2005, 10:06 AM   #1 (permalink)
In The Zone
 
Join Date: Mar 2004
Location: Welcome to the Matrix
Posts: 215
Default ARP Spoofing


A person in my network is using ethereal/ettercap and mounts ARP spoofing attacks, so all my POP account passwords get known to him. How do I protect my privacy from these attacks? I am using WinXP Pro SP2, Pc-cillin 2005 Antivirus and Personal Firewall.

Is there any tool which can alert when such attacks are mounted or protect me from them?
__________________
----
enjoy is offline  

Old 19-07-2005, 10:14 AM   #2 (permalink)
FooBar Guy
 
Join Date: Jun 2004
Location: GNUmbai
Posts: 1,245
Default

If the person has access to your network's gateway then there's a lot he can do by just analysing the tcpdump. He has not compromised your computer but the gateway instead... so you can't do much unless you have access to gateway.

The only good option you have is to use POPs (Secure POP) for fetching email.
__________________
- --
http://web.gnuer.org
GNUrag is offline  
Old 19-07-2005, 11:16 AM   #3 (permalink)
In The Zone
 
Join Date: Mar 2004
Location: Welcome to the Matrix
Posts: 215
Default

No, he doesn't have access to the gateway... And what is Secure POP?

Do MyRealBox.com and SpyMac.com support it?
__________________
----
enjoy is offline  
Old 19-07-2005, 02:11 PM   #4 (permalink)
FooBar Guy
 
Join Date: Jun 2004
Location: GNUmbai
Posts: 1,245
Default

Secure POP works over TLS and/or SSL links. Secure POP daemons generally listen on the standard port 995.

MyRealBox/SpyMac don't support POPs, but Gmail's POP3 daemon works only over a secure connection.
__________________
- --
http://web.gnuer.org
GNUrag is offline  
Old 19-07-2005, 02:41 PM   #5 (permalink)
Wise Old Owl
 
Join Date: May 2005
Location: Chennai, India, Asia, the Earth, the Solar system, the Milky Way, the Local group, this Universe.
Posts: 1,171
Default

One sure thing to stop it will be to complain about this to the admin of your network. First of all he will ban the perpetrator, and second he might install security tools against such attacks.
__________________
http://myxp.blogspot.com
-----------------------
Winchester 3200+ @2,500MHz
LeadTek 7900GT VOLT MODDED @ 680 core, 1800 mem
2x1GB Transcend DDR400 @ DDR454 2.5,3,3,5,1T
siriusb is offline  
Old 19-07-2005, 03:04 PM   #6 (permalink)
In The Zone
 
Join Date: Mar 2004
Location: Welcome to the Matrix
Posts: 215
Default

I don't want network admins to interrupt in this process... It's a healthy competition and I simply want to secure myself.

So I was looking for a utility which doesn't allow my gateway address to be changed, and if it gets changed, it should halt all traffic or send unlimited junk traffic to that spoofer.
__________________
----
enjoy is offline  
Old 20-07-2005, 01:47 AM   #7 (permalink)
Alpha Geek
 
Join Date: Feb 2004
Location: Belgaum
Posts: 745
Default

Dude, the network administrator has got to be informed about such happenings. And oh, healthy competition?
Dude, not only is your company/personal data at risk, others may be victims of such an attack too.

I second GNU's answer: using email through SSL or tunneling traffic through a secure channel. But all this would need the help of your network administrator.
And may I know how you found out the ARP attack is taking place?
For all you know, he may have full control over routes and the default gateway.
__________________
The protection of a machine is a process & not a given -Duane Arnold.
www.Oobertech.net
Look ma my blog http://techhub.blogspot.com/
digen is offline  
Old 20-07-2005, 06:54 PM   #8 (permalink)
In The Zone
 
Join Date: Nov 2004
Location: Hyderabad
Posts: 364
Default

Yes, even I would like to know that, digen: how he knows it's an Address Res. Proto attack.
__________________
You know it's love when you memorize her IP to skip DNS overhead.
tuXian is offline  
Old 20-07-2005, 10:01 PM   #9 (permalink)
Apprentice
 
Join Date: May 2004
Location: Cyber City
Posts: 60
Default Detect ARP Address Spoofing

The ARP spoofing attack is highly effective because it takes advantage of an inherent weakness in the design of a core network protocol.

The best approach is to monitor the ARP/IP pair combinations for machines on a given LAN. Some software can be configured to notify network or security administrators if any suspicious changes occur on the network, such as a broadcast ARP packet advertising a new MAC address for the LAN's gateway.

I have the original Ethernet address of the gateway to my LAN. And if I suspect any suspicious activity, all I have to do is verify the MAC address using "arp -a".
vswizard is offline  
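The check described in the post above (compare the gateway's recorded MAC against what `arp -a` currently shows), as an added example that is not part of the original thread. All addresses, the `TRUSTED` baseline and the function names are constructed for illustration; the parser assumes the Windows `arp -a` column layout.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (all addresses are made up).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          00-11-22-33-44-55     dynamic
  192.168.1.77          00-AA-BB-CC-DD-EE     dynamic
"""

# Assumption: gateway IP -> MAC, written down while the LAN was known to be clean.
TRUSTED = {"192.168.1.1": "00-0f-66-aa-bb-01"}

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M,
)

def norm(mac):
    """Lower-case a MAC and use '-' separators so comparisons are exact."""
    return mac.lower().replace(":", "-")

def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} for every row found in `arp -a` output."""
    return {ip: (norm(mac), kind.lower()) for ip, mac, kind in ENTRY.findall(text)}

def check_arp_table(table, trusted):
    """Return alert strings for trusted-MAC mismatches and for shared MACs."""
    alerts = []
    for ip, good in trusted.items():
        seen = table.get(ip)
        if seen and seen[0] != norm(good):
            alerts.append(f"MISMATCH {ip}: expected {norm(good)}, cache has {seen[0]} ({seen[1]})")
    # One unicast MAC answering for several IPs is the usual trace of poisoning:
    # the second IP points at the machine that is impersonating the first.
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != "ff-ff-ff-ff-ff-ff":
            alerts.append(f"DUPLICATE {mac} claimed by {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for line in check_arp_table(parse_arp_table(SAMPLE_ARP_OUTPUT), TRUSTED):
        print(line)
```

To use it on a live machine, feed the text printed by `arp -a` to `parse_arp_table` and run the check on a schedule, since a poisoned entry only shows while the attack is active.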
Old 22-07-2005, 01:58 AM   #10 (permalink)
String Phreak
 
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
Default

Hey, why don't you ping flood that spy and beat him at his own game! Use your evil genius! This is the ripe time, so go on!
__________________
Bad Bad server.....No candy for u!
mediator is offline  
Old 23-07-2005, 09:41 PM   #11 (permalink)
Apprentice
 
Join Date: May 2004
Location: Cyber City
Posts: 60
Default

A question: if we add a static ARP entry using

Arp -s ..

will it be changed if I am under an ARP spoofing attack?
vswizard is offline  
Old 24-07-2005, 10:52 AM   #12 (permalink)
In The Zone
 
Join Date: Mar 2004
Location: Welcome to the Matrix
Posts: 215
Default

Will a static entry be helpful ???
__________________
----
enjoy is offline  
Old 26-07-2005, 01:36 PM   #13 (permalink)
In The Zone
 
Join Date: Mar 2004
Location: Welcome to the Matrix
Posts: 215
Default Re: Detect ARP Address Spoofing

Quote:
Originally Posted by vswizard
The ARP spoofing attack is highly effective because it takes advantage of an inherent weakness in the design of a core network protocol.

The best approach is to monitor the ARP/IP pair combinations for machines on a given LAN. Some software can be configured to notify network or security administrators if any suspicious changes occur on the network, such as a broadcast ARP packet advertising a new MAC address for the LAN's gateway.

I have the original Ethernet address of the gateway to my LAN. And if I suspect any suspicious activity, all I have to do is verify the MAC address using "arp -a".

Could you please name a software...

Thanks.
__________________
----
enjoy is offline  
Old 26-07-2005, 10:43 PM   #14 (permalink)
Apprentice
 
Join Date: May 2004
Location: Cyber City
Posts: 60
Default

Sawan

1) Static entry was a question to everyone in the forum and not an answer. I am just not getting time to try it out. If I do, I will update here.

2) Software: well, I am not so sure, but there is a firewall called 8signs.

They had this on their website:

Quote:
Address/Port/MAC Groups
Simplify your ruleset and tighten security by using the port, IP and MAC address groups when creating rules in 8Signs Firewall. Using groups, you can create one rule that can apply to multiple ports, IP addresses or MAC addresses.
http://www.8signs.com/firewall/features.cfm
vswizard is offline  
 

All times are GMT +5.5. The time now is 01:10 AM.

