
ARP Detection and Prevention


ghost:

Hmm, I am currently looking at network security on big LANs. One problem that I am facing is ARP poisoning.

With tools like Wireshark, could you filter out the ARP replay packets? Is a normal user meant to send ARP replay packets? And are ARP replay packets possible to sniff from the network?

Are there some IDS or something that I can use to see if any ARP poisoning is happening on my network?

If I am controlling the gateway to the internet, are there any applications I can use there as well?


ghost:

I think it was mentioned in the previous thread about ARP poisoning, the best protection against it (other than getting S-ARP hardware) is to use a semi-static ARP table system, where the server has a static table of MACs on the system. This has its drawbacks, but it's the best solution for a wired LAN.


ghost:

Any examples on scripts or anything already made that I can use? Anything that's recommended by you?

If not, I will google, so don't ask me to.


ghost:

Syntaxe wrote: stuff

Traditional ARP poisoning is different from ARP replay attacks. ARP poisoning would be providing intentionally incorrect information in a user's ARP tables, while ARP replay attacks simply retransmit the same legitimate (usually encrypted) packet in order to generate IVs to break the encryption.

For ARP replay attack just use WPA2 with a strong key and key rotation and let the user waste his time. If the replays begin saturating the AP then you can use several mobile devices to triangulate the source of the replays by using signal strengths.

For ARP poisoning there are several things that can be done.. which depend on the setup of the LAN. For an unencrypted/unauthenticated wifi there is not much you can do.. unless you use sARP or something. For encrypted/authenticated wifi you just need to make sure that your setup is secure enough to not let arbitrary machines easily spoof ARP replies (this can pretty much be guaranteed - as far as we know now - with the most up-to-date encryption and strong encryption keys.)

For a wired LAN you have several options. One quick fix being that you make the ARP tables static. Another being that you make a simple script to continuously query the ARP table for the switch/gateway remotely. (Many of them provide some sort of CLI access).. and then you can detect changes to the ARP table and decide what to do when changes occur. Keeping logs of the queries would also - depending on the setup - let you figure out who tried to hack who .. as they could also list which physical port the changes are associated with.

If you have a non-jailed switch or switches which let you write your own software to run on them.. then you have many more options.. (I don't know of any.. non-jailed switches.. I assume they exist)

Wireshark has display filters which let you view certain types of packets.. you could always add your own display filter if need be (I don't know if Wireshark has a mechanism to easily do this that will suit your scenario). It doesn't act as a firewall.

edit: typo
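The "query the ARP table and detect changes" script suggested in the post above, as an added example that is not from the thread or from any project: it parses two snapshots of a neighbour table in Linux `ip -4 neigh show` format (the snapshots here are constructed) and flags an IP whose MAC changed as well as a MAC that now answers for more than one IP. The input format, the function names and the sample addresses are all assumptions; a switch or gateway CLI would need its own parser.

```python
"""Detect ARP-table changes between two snapshots (constructed example).
Lines follow the format of Linux `ip -4 neigh show`; a switch/gateway CLI
would need its own parser in place of parse_arp_table()."""
import re

# Matches e.g. "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"
_NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} for every entry that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def diff_arp_tables(baseline, current):
    """Return (kind, subject, old_mac, new_mac) tuples for suspicious entries.
    "changed": an IP now maps to a different MAC than in the baseline.
    "duplicate": one MAC answers for several IPs (a host also claiming the gateway).
    """
    findings = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(("changed", ip, old, mac))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate", ",".join(sorted(ips)), None, mac))
    return findings

# Constructed snapshots: in LATER the gateway 10.0.0.1 has moved to the MAC that
# 10.0.0.23 already uses; 10.0.0.7 has no lladdr, so the parser skips it.
BASELINE = """10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.0.42 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE"""
LATER = """10.0.0.1 dev eth0 lladdr 00:11:22:33:44:23 REACHABLE
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.0.42 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE
10.0.0.7 dev eth0 FAILED"""

if __name__ == "__main__":
    print(diff_arp_tables(parse_arp_table(BASELINE), parse_arp_table(LATER)))
```

Run periodically against a saved baseline and log each finding with a timestamp; as the post notes, a managed switch's own table would additionally tell you which physical port the new MAC appeared on.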