Avoid ARP poisoning in your LAN

In Linux, rudimentary but effective:

Here are some quick measures to make ARP spoofing in a shared LAN a little more difficult. Note, however, that these measures will not protect you from Firesheep (a cookie-based mechanism for stealing credentials from non-HTTPS sites).

1. Stop your machine from constantly using ARP to ask for the MAC address of your router. Add the following line to the /etc/rc.local file:
# arp -s ipaddressofyourrouter  macaddressofyourrouter
This way, the entry will be permanently stored in the ARP cache.

2. Create an alert with arpwatch using e.g. the following line:
# arpwatch -d -i yourinterface
The ARP database will reside in /var/lib/arpwatch/arp.dat

3. One way to check that there are now fewer ARP requests on the network is:
# tcpdump -i yourinterface -n -v arp

If you change your router, remember to change your rc.local file accordingly.
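
To confirm that the entry from step 1 is really in place, the following added example (not part of the original post) reads a table in /proc/net/arp format and reports whether the router's MAC matches the pinned value and is flagged permanent; it also lists MAC addresses that answer for more than one IP. The function names, addresses and sample table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Input is a table in
# /proc/net/arp format: IP, HW type, Flags, HW address, Mask, Device.
# Flags bit 0x4 (ATF_PERM) marks a static entry such as one made by "arp -s".

# check_gateway GW_IP EXPECTED_MAC [TABLE] -> ok | not-permanent | mismatch | missing
check_gateway() {
    gw=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    table=${3:-/proc/net/arp}
    # Skip the header line, then print "mac flags" for the gateway row.
    entry=$(awk -v gw="$gw" 'NR > 1 && $1 == gw { print tolower($4), $3; exit }' "$table")
    [ -n "$entry" ] || { echo missing; return 0; }
    mac=${entry% *}
    flags=${entry#* }
    if [ "$mac" != "$want" ]; then
        echo mismatch          # cache holds a different MAC for the router
    elif [ $(( $flags & 4 )) -eq 0 ]; then
        echo not-permanent     # right MAC, but learned dynamically: step 1 not applied
    else
        echo ok
    fi
}

# shared_macs [TABLE] -> one line per MAC that answers for more than one IP.
# This can be legitimate (a host with several addresses), so treat it as a lead.
shared_macs() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" {
             m = tolower($4)
             sep = (m in n) ? " " : ""
             ips[m] = ips[m] sep $1
             n[m]++
         }
         END { for (m in n) if (n[m] > 1) print m, ips[m] }' "${1:-/proc/net/arp}" | sort
}

# Constructed sample table: router pinned (0x6), two IPs sharing one MAC.
sample_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x6         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         66:77:88:99:aa:bb     *        eth0
192.168.1.30     0x1         0x2         66:77:88:99:aa:bb     *        eth0
EOF
}

tmp=$(mktemp) && sample_table > "$tmp"
check_gateway 192.168.1.1 00:11:22:33:44:55 "$tmp"
shared_macs "$tmp"
rm -f "$tmp"
```

Without the third argument both functions read the live /proc/net/arp, so check_gateway can be run from cron or after boot with the same IP and MAC used in rc.local.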

In Windows, a nice tool is the one from Irongeek called DecaffeinatID.

This is not bulletproof, but it saves you from the typical ARP poisoning attack. If any reader would like to add further ideas on this topic, please comment.

Happy browsing in a shared network ;-)!

Note in reply to a comment: ArpON is a useful tool for this purpose. Besides, ArpON 2.7 was just released last July. Be aware that, according to the ArpON site, "it requires a daemon in every host of the connection".

1 comment:

mgesteiro said...

I would also mention ARPON (http://arpon.sourceforge.net/) for this kind of detection/prevention