Defend Against ARP Spoofing

by Mike on June 10, 2009

in Server Security

arpwatch is a program that will help you watch changing IP Addresses and MAC Addresses on your network.  It will list the list the information with a timestamp so you can carefully watch the activity.

Use arpwatch to Prevent ARP Spoofing
ARP Spoofing or Address Resolution Protocol Spoofing is used to create a situation on a network where the attacker is able to sniff data frames and/or modify the data by sending spoofed ARP messages on a network.  The attacker will associate their MAC address with the IP Address of a different computer on the network.  By employing arpwatch in the background it is constantly monitoring your network for IP/MAC changes.  You will have a log you can view at /var/lib/arpwatch and you can also have arpwatch send you an email to warn you  when changes occur.

When you want to see arpwatch in action use the “-d” option which is the debugging option and does not allow it to fork into the background or send an email message of activity it just sends output to the stderr so you can view on a terminal.

Edit /etc/arpwatch.conf

eth0 -a -n 192.168.1.0/24 -m your_email@your_address.com

Start
/etc/init.d/arpwatch start
# /etc/init.d/arpwatch restart
Starting Ethernet/FDDI station monitor daemon: (creating /var/lib/arpwatch/eth0.dat) (chown arpwatch /var/lib/arpwatch/eth0.dat) arpwatch-eth0.

Check to See it is running

# ps -ef | grep aprwatch
root      4013  3998  0 03:20 pts/1    00:00:00 grep aprwatch

Logs

Jun  9 02:58:58 m67 arpwatch: listening on eth0
Jun  9 02:58:58 m67 kernel: [  935.587402] device eth0 entered promiscuous mode

arpwatch Logs

ls /var/lib/arpwatch/
arp.dat  arp.dat-  eth0.dat  eth0.dat-
# cat /var/lib/arpwatch/arp.dat
0:1b:fc:68:68:33    192.168.1.100    1244559595
0:14:bf:7f:59:b0    192.168.1.222    1244559595
0:1:e6:b1:5c:1d    192.168.1.11    1244538519
0:1b:fc:90:e6:ac    192.168.1.8    1244558719
0:11:95:69:2e:f8    192.168.1.101    1244557051

# cat /var/lib/arpwatch/eth0.dat
0:1b:fc:68:68:33    192.168.1.100    1244545832    m67    eth0
0:14:bf:7f:59:b0    192.168.1.222    1244545832        eth0
0:1b:fc:90:e6:ac    192.168.1.8    1244545954    ub3    eth0

Options
-d    debug
-f    set file name for database
-i    override the default network interface
-n    local networks only
-N     disable reporting bogons,
-r    specify a saved file to read from
-m     email address where info will be sent


Previous post:

Next post: