How to prevent arpspoof from working

If it's a real concern that there will be people inside your network spoofing MAC addresses,

then lock down the ports on your switch to only allow MACs on given assigned ports.

If you're concerned that malicious people will come into your building and plug in a random machine, then deactivate unused switch ports (and lock active ports to individual MACs).

Another method would be to set a really low threshold for MAC flapping, though you'll have hours of head scratching if you forget about that later.

If you aren't on the same network segment then spoofing MACs doesn't really work.

If you don't have a decent managed switch then it's not really possible to prevent.

This is the kind of thing that you can't really investigate at home properly (or at least not with standard "home" type equipment).
 
It's written in Bash. And no, it's not a Trojan. I only use it to better understand things. I'm not asking for help with how to make a script to hurt other people, I'm asking how to make something to block this from hurting other people.

Thanks, yes, sorry, I am only familiar with Microsoft Windows scripting languages and assembly programming language, but I am always here to help you learn Windows stuff as you show great enthusiasm to learn. Well done to you and your mate for coming up with such a script in another language; keep at it. But I found most people out there teach Microsoft and that is enough to learn :)
Kind Regards
 
Let's start with this for a second to end any fears of security issues to our users:

Preventing ARP spoofing is a legitimate network security concern. For most end users it's nothing they need to be concerned about, but network admins who have a public-facing network that might have sensitive information transmitted over it (like emails) need to consider this threat for a proper security risk analysis. At any rate, for any ARP spoofing to occur both the victim and the malicious computer must be connected to the same router, so any little script he's written is perfectly safe to the rest of us.

The simple fact that he's written his own script is proof that he's looking to learn. If the intent was to do damage it's a lot quicker to download free Linux utilities that do ARP spoofing without you having to code anything.

Lefty:
I did something very similar to this in a network security class I took a year or so ago while I was still in college. I don't remember the specifics, but I know you could watch for a large amount of a particular network packet. I think it was a DHCP IP announcement packet or something similar that flooded the network with a packet that said "I am the real computer with the MAC address of <whatever>, so send that traffic to me instead." Eventually, every computer would receive that packet and the router and other local machines would send to you instead of the victim.

I could have the packet type wrong and I could have the MAC/IP part flipped, but that's the general idea on how to detect a spoof. From there it's really up to you how you want to kick off, or otherwise block, the malicious computer.

First of all, thank you for understanding I am not a malicious coder.

Second, are you saying that to detect someone spoofing the router I would have to determine if the packet was real or fake?

How would one manage to only allow a specific MAC address coming in for the router?
 
Second, are you saying that to detect someone spoofing the router I would have to determine if the packet was real or fake?

Not quite. You only need to detect the flood of the packets coming from one specific computer. According to the OS of the malicious machine, it might think it's a legit packet being sent by the ARP-spoofing program, so they will be "real" of sorts. It's them flooding the network with these packets that signals that something isn't quite right.
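The detection idea in the two replies above (one IP suddenly claimed by a second MAC, and a burst of replies from a single sender) as an added Python example. This is my code, not the original poster's Bash script; it works on a constructed list of already-parsed ARP replies (sender IP, sender MAC, timestamp), so in practice you would feed it from a packet capture on the segment being watched. The window and threshold values are assumptions to tune for your network.

```python
"""Passive ARP-reply monitor (added example, not the thread's script).

Two checks on a stream of parsed ARP replies:
  1. conflict: an IP is claimed by a MAC other than the one first seen for it
  2. flood:    one MAC sends more than FLOOD_THRESHOLD replies within a window
Input is constructed inline; a real deployment would parse it from a capture.
"""
from collections import defaultdict, deque

FLOOD_WINDOW_SEC = 5.0   # assumed sliding window length
FLOOD_THRESHOLD = 20     # assumed number of replies from one MAC per window


class ArpMonitor:
    def __init__(self, window=FLOOD_WINDOW_SEC, threshold=FLOOD_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.ip_to_macs = defaultdict(set)   # ip -> MACs that have claimed it
        self.recent = defaultdict(deque)     # mac -> timestamps of recent replies
        self.alerts = []

    def observe(self, sender_ip, sender_mac, ts):
        """Record one ARP reply; append an alert tuple when a check fires."""
        sender_mac = sender_mac.lower()

        # Check 1: a second MAC claiming an IP already bound to another MAC
        known = self.ip_to_macs[sender_ip]
        if known and sender_mac not in known:
            self.alerts.append(("conflict", sender_ip, sorted(known | {sender_mac})))
        known.add(sender_mac)

        # Check 2: sliding-window count of replies from this MAC
        q = self.recent[sender_mac]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:   # fire once as the threshold is crossed
            self.alerts.append(("flood", sender_mac, len(q)))
        return self.alerts


def run_sample():
    """Constructed traffic: the real gateway answers once, an ordinary host
    answers once, then a second machine claims the gateway IP 25 times."""
    mon = ArpMonitor()
    mon.observe("192.168.1.1", "aa:bb:cc:00:00:01", 0.0)    # legitimate gateway
    mon.observe("192.168.1.50", "aa:bb:cc:00:00:50", 0.5)   # ordinary host
    for i in range(25):                                     # spoofer burst
        mon.observe("192.168.1.1", "de:ad:be:ef:00:99", 1.0 + i * 0.1)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The conflict check fires on the very first spoofed reply, before any flood is visible, which is why it is the more useful of the two for a gateway IP; the flood check catches tools that keep re-sending to hold the poisoned entry in place. Both checks produce alerts only; what to do with the offending MAC (shut the port, page someone) is a separate decision.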
 
Most new higher-end routers give you the ability to lock IP address to MAC address, so when the attacker tries to flood the network with altered translations the router will not be able to change the IP and MAC relationship. This is an old concept which doesn't pose a threat to corporate or government networks because the network will only allow registered workstations. If an unknown MAC is plugged into the network the admin will know its physical location.
 
How would one manage to only allow a specific MAC address coming in for the router?

I didn't say router, I said switch (routers operate at layer 3, not layer 2).

And to do this you'd hard-code an entry into the ARP translation table of the switch and make sure it's set to static and not dynamic.

Depending on your school/equipment provider, the ARP translation table may be known as:
MAC cache,
ARP cache,
CAM tables,
MAC tables,
ARP resolution tables,
etc.

Basically they tie the physical hardware (MAC) address to a hardware port.

e.g. traffic destined for "some-MAC" should leave via interface 2.
Your ARP spoofing is trying to make the router believe that hardware address "some-MAC" has actually been re-patched to interface 3.

The table keeps track of what device (hardware addressed at layer 2) is plugged into what interface (layer 1).

If your ARP cache is dynamic, then MAC spoofing is possible; if it's static, then how will you update an ARP cache that is set to not be updateable other than by privilege 9 on the switch?

As for detecting a flood of MAC addresses, this is also useful for helping to make sure that some idiot hasn't brought in a hub so that he can plug in a few different machines and his personal laptop into his one network port in his office :)
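An added Python model (my code, not the poster's and not any vendor's switch firmware) of the switch-side table the reply above describes, MAC address to port, with static versus dynamic entries and the low MAC-flap threshold suggested earlier in the thread. Ports, MACs and the threshold are constructed. It shows the dynamic table following whichever port last sent a frame with the gateway's MAC and tripping the flap alarm, while the static binding refuses the move and logs a violation the admin can act on. One caveat worth keeping in mind: this table (MAC to port) is a different thing from a host's ARP cache (IP to MAC); the static binding stops a MAC being claimed from the wrong port and makes the attempt visible, it does not by itself rewrite what end hosts believe.

```python
"""Switch MAC (CAM) table model: static vs. dynamic entries plus a flap
counter. Added example, constructed values; not real switch software."""


class SwitchMacTable:
    def __init__(self, flap_threshold=3):
        self.entries = {}              # mac -> {"port": int, "static": bool}
        self.flaps = {}                # mac -> number of port moves observed
        self.flap_threshold = flap_threshold
        self.log = []                  # admin-visible events

    def bind_static(self, mac, port):
        """Admin pins a MAC to a port; only this call can change it."""
        self.entries[mac] = {"port": port, "static": True}
        self.log.append(f"static {mac} -> port {port}")

    def learn(self, mac, ingress_port):
        """Source-MAC learning for a frame arriving on ingress_port.
        Returns the action the switch took."""
        e = self.entries.get(mac)
        if e is None:
            self.entries[mac] = {"port": ingress_port, "static": False}
            return "learned"
        if e["port"] == ingress_port:
            return "unchanged"
        if e["static"]:
            # Frame claims a pinned MAC from the wrong port: do not move, log it.
            self.log.append(
                f"violation: {mac} seen on port {ingress_port}, bound to port {e['port']}")
            return "violation"
        # Dynamic entry: the table follows the most recent frame (a flap).
        self.flaps[mac] = self.flaps.get(mac, 0) + 1
        e["port"] = ingress_port
        if self.flaps[mac] >= self.flap_threshold:
            self.log.append(f"flap alarm: {mac} has moved {self.flaps[mac]} times")
            return "flap-alarm"
        return "moved"

    def port_for(self, mac):
        return self.entries[mac]["port"]


def run_sample():
    """Constructed scenario: the real gateway is on port 1, a machine on
    port 3 sends frames carrying the gateway's MAC, and they alternate."""
    gw = "aa:bb:cc:00:00:01"

    dyn = SwitchMacTable(flap_threshold=3)
    dyn.learn(gw, 1)                                   # gateway uplink
    dyn_actions = [dyn.learn(gw, 3 if i % 2 == 0 else 1) for i in range(5)]

    st = SwitchMacTable(flap_threshold=3)
    st.bind_static(gw, 1)                              # admin-pinned entry
    st_actions = [st.learn(gw, 3) for _ in range(4)]

    return {
        "dynamic": dyn_actions, "dynamic_port": dyn.port_for(gw),
        "static": st_actions, "static_port": st.port_for(gw),
        "static_log": st.log,
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

With a dynamic entry the gateway's MAC ends up pointing at port 3 after the last frame and the only signal is the flap alarm, which is exactly the low-threshold alert the earlier reply recommends (and exactly the alert that will confuse you months later if you forget it is configured). With the static binding the port never changes and every attempt is logged with the ingress port, which is what lets the admin walk to the right patch panel.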
 