Still ARP Spoof question.

hshh hunreal at gmail.com
Thu Apr 13 11:50:34 UTC 2006


I have some FreeBSD boxes, including 4.11, 6.0 and 6.1-PRERELEASE.
They are on the same network, and all compiled with IPFW2 support.
On that network there are other servers, which are not mine. I can't control
them either.

One day, maybe one computer was hacked, and it sent fake ARP packets to my
server.
That's ARP spoofing, but it makes a fake gateway to attack my server.

dmesg shows messages like:
arp: x.x.x.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0
x.x.x.254 is the gateway of that network, and 02:e0:52:14:37:4a is the MAC of
the real gateway.
00:02:b3:52:5d:25 is the fake MAC; 00:11:22:33:44:55 was seen too.

I tried to use ``arp -S x.x.x.254 02:e0:52:14:37:4a'', and it did not work.
After some seconds, my server can't communicate with the gateway.
I tried to use ipfw2 to deny these packets,
``deny ip from any to any MAC any 00:02:b3:52:5d:25 layer2'',
which did not work either. Although I changed ``net.link.ether.ipfw'' from
0 to 1, it still does not work.

What can I do? I can't touch the switch, and can't touch the gateway either.
Any good ideas to help me?
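
Added example, not part of the original post: an sh/awk filter over kernel messages of the form quoted above, listing every MAC other than the trusted one that has claimed the gateway's IP, with a count per MAC. The function name `arp_moves`, the address 192.0.2.254 (standing in for the elided x.x.x.254) and the sample log lines are constructed; the MACs are the ones quoted in the post.

```shell
#!/bin/sh
# arp_moves GATEWAY_IP TRUSTED_MAC   (kernel log lines on stdin)
# Prints "<mac> <iface> <count>" for each untrusted MAC that the gateway IP
# "moved" to, in first-seen order. Exit status is 1 if any were found.
arp_moves() {
    awk -v gw="$1" -v good="$(printf '%s' "$2" | tr 'A-F' 'a-f')" '
    {
        # Find the "arp:" token so a syslog timestamp/host prefix is tolerated.
        for (i = 1; i <= NF; i++) if ($i == "arp:") break
        if (i > NF) next
        # Expected shape: arp: IP moved from OLD to NEW on IFACE
        if ($(i+2) != "moved" || $(i+3) != "from" || $(i+5) != "to") next
        if ($(i+1) != gw) next              # only the gateway address matters
        new = tolower($(i+6)); ifc = $(i+8)
        if (new == good) next               # gateway reclaiming its own IP
        key = new " " ifc
        if (!(key in seen)) order[++n] = key
        seen[key]++
    }
    END {
        for (j = 1; j <= n; j++) print order[j], seen[order[j]]
        exit (n > 0)
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_LOG='arp: 192.0.2.254 moved from 02:e0:52:14:37:4a to 00:02:b3:52:5d:25 on fxp0
arp: 192.0.2.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0
arp: 192.0.2.254 moved from 02:e0:52:14:37:4a to 00:11:22:33:44:55 on fxp0
Apr 13 11:50:01 host kernel: arp: 192.0.2.254 moved from 00:11:22:33:44:55 to 00:02:b3:52:5d:25 on fxp0
arp: 192.0.2.10 moved from 00:aa:bb:cc:dd:01 to 00:aa:bb:cc:dd:02 on fxp0'

# Demonstration run; "|| true" because a finding returns status 1.
printf '%s\n' "$SAMPLE_LOG" | arp_moves 192.0.2.254 02:e0:52:14:37:4a || true
```

On a live host the same function can be fed from `dmesg` or the messages log instead of the sample variable.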


More information about the freebsd-ipfw mailing list