SUSE Conversations


Detecting ARP Poisoning Attacks



By: DamianMyerscough

June 13, 2008 2:00 am


Detecting ARP Poisoning

In this short article we will look at how to detect ARP poisoning attacks using the ‘arpwatch’ utility. ‘arpwatch’ monitors ARP traffic on the network and builds a database of IP addresses and their associated MAC addresses; when a suspicious change occurs, for example an IP address appearing with a different MAC address, an email is generated and sent to the system administrator.

Installation

Installing ‘arpwatch’ is very simple as the utility is already packaged for SUSE Linux Enterprise Server. It can be installed using the YaST utility by searching for the keyword ‘arpwatch’. YaST can be started with two different commands: yast sw_single loads a curses-based interface and yast2 sw_single starts a GUI.

Configuration

In this section we will look at configuring the ‘arpwatch’ utility. The first task is to create an empty file with the touch command in the /var/lib/arpwatch directory. This file will be used to store the IP addresses and MAC addresses of the stations connected to your network. Figure 2.1 shows the command used to create the empty file.

linux-y2v4:~ # touch /var/lib/arpwatch/arp.dat
linux-y2v4:~ # ls -l /var/lib/arpwatch/arp.dat
-rw-r--r-- 1 root root 0 2008-06-09 12:50 /var/lib/arpwatch/arp.dat

Figure 2.1: Creating an empty file for ‘arpwatch’.

Once you have created the empty file you can start the ‘arpwatch’ utility with the arpwatch command. Table 1 lists some of the qualifiers supported by ‘arpwatch’, and Figure 2.2 shows the command used to run it.

Qualifier Description
-i This flag is used to override the default interface.
-f This flag is used to set the MAC/IP address database filename.
-n This flag specifies additional local networks. This can be useful to avoid “bogon” warnings when there is more than one network running on the same wire. If the optional netmask width is not specified, the default netmask for the network’s class is used.
-N This flag disables reporting of bogons.

Table 1: ‘arpwatch’ supported qualifiers.

linux-y2v4:~ # arpwatch -i eth0

Figure 2.2: Starting the ‘arpwatch’ utility.

Once ‘arpwatch’ is running you will notice that the root user is emailed about each workstation it discovers on the network, as shown in Figure 2.3.

linux-y2v4:~ # mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/root": 3 messages 3 new
>N  1 arpwatch@linux-y2v Mon Jun  9 12:19   18/651   new station
 N  2 arpwatch@linux-y2v Mon Jun  9 13:13   18/638   new station
 N  3 arpwatch@linux-y2v Mon Jun  9 13:13   18/675   new station (example.net)

Figure 2.3: ‘arpwatch’ reports.

Once ‘arpwatch’ has started you may notice that the ‘arp.dat’ file in the /var/lib/arpwatch directory contains IP addresses and MAC addresses, as shown in Figure 2.4.

linux-y2v4:/var/lib/arpwatch # cat arp.dat
0:19:99:26:be:ae		192.168.2.152   1213013896
0:0:5a:9c:d1:73		192.168.2.1     1213013958      example.net
0:e0:81:71:94:f8		192.168.2.137   1213013852

Figure 2.4: ‘arp.dat’ file entries.

Detection

In this section of the article we will spoof the MAC address of one of our workstations, which should trigger ‘arpwatch’ to email the root user.

We will now move to another machine on the network and change its MAC address; you will need root privileges to do this. Before changing the MAC address you should note the original address by issuing the ifconfig command as shown in Figure 3.1. Figure 3.2 shows the command used to change the MAC address.

linux-y2v4:~ # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:30:05:47:9A:7A  
          inet addr:192.168.2.141  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::230:5ff:fe47:9a7b/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:589 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:46023 (44.9 Kb)  TX bytes:19197 (18.7 Kb)
          Interrupt:169

Figure 3.1: Checking the original MAC address.

linux-y2v4:/var/lib/arpwatch # ifconfig eth0 hw ether 00:30:05:47:9A:7B

Figure 3.2: Changing the MAC address.

Once you have changed the MAC address from its original value you should receive an email from ‘arpwatch’ informing you that a station’s MAC address has changed, as shown in Figure 3.3.

            hostname: 
          ip address: 192.168.2.141
         mac address: 0:30:5:47:9a:7b
          mac vendor: Fujitsu Siemens Computers
     old mac address: 0:30:5:47:9a:7a
      old mac vendor: Fujitsu Siemens Computers
           timestamp: Monday, June 9, 2008 13:46:27 +0100
  previous timestamp: Monday, June 9, 2008 13:45:34 +0100
               delta: 53 seconds

Figure 3.3: MAC address changed alert.
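As an added example (not from the article or the arpwatch project), the following Python reads an arp.dat file in the layout of Figure 2.4 and applies the same check that produced the Figure 3.3 alert: an IP address reappearing with a different MAC address. The database contents and the observed ARP replies are constructed, and the script only compares addresses; capturing live ARP traffic is left to arpwatch itself.

```python
import re

# Constructed arp.dat contents in the layout of Figure 2.4:
# MAC <tab> IP <spaces> epoch-timestamp [<spaces> hostname]
ARP_DAT = (
    "0:19:99:26:be:ae\t\t192.168.2.152   1213013896\n"
    "0:0:5a:9c:d1:73\t\t192.168.2.1     1213013958      example.net\n"
    "0:30:5:47:9a:7a\t\t192.168.2.141   1213015534\n"
)

def norm_mac(mac):
    """Normalise a MAC so arpwatch's '0:30:5:47:9a:7b' and ifconfig's
    '00:30:05:47:9A:7B' compare equal (arpwatch drops leading zeros)."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError("malformed MAC address: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)

def parse_arp_dat(text):
    """Return {ip: (mac, timestamp, hostname)}; hostname is '' when absent."""
    db = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        mac, ip, ts = fields[0], fields[1], int(fields[2])
        host = fields[3] if len(fields) > 3 else ""
        db[ip] = (norm_mac(mac), ts, host)
    return db

def check_reply(db, ip, mac, now):
    """Classify one observed ARP reply (ip, mac, seen at epoch 'now') against
    the database and update it: returns a 'new station' event, a
    'changed ethernet address' event carrying the old MAC and the delta since
    the previous sighting (the fields shown in Figure 3.3), or None."""
    mac = norm_mac(mac)
    if ip not in db:
        db[ip] = (mac, now, "")
        return {"event": "new station", "ip": ip, "mac": mac}
    old_mac, old_ts, host = db[ip]
    db[ip] = (mac, now, host)  # timestamp is refreshed on every sighting
    if old_mac == mac:
        return None
    return {"event": "changed ethernet address", "ip": ip, "mac": mac,
            "old mac": old_mac, "delta": now - old_ts}
```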

Final Thoughts

In this short article we covered how to detect ARP poisoning attacks using the ‘arpwatch’ utility. There are a wide variety of ways to help mitigate ARP poisoning, including installing and configuring an IDS (Intrusion Detection System) and subnetting your network. I strongly recommend that you look into subnetting and how to configure an IDS to defend against ARP poisoning.

Problems

If you encounter any problems you can send a TERM signal to the ‘arpwatch’ process and then reissue the arpwatch command shown in Figure 2.2.

Categories: SUSE Linux Enterprise Server, Technical Solutions
