Still ARP Spoof question.
Dmitry Pryanishnikov
dmitry at atlantis.dp.ua
Sat Apr 15 12:46:44 UTC 2006
Hello!
On Sat, 15 Apr 2006, hshh wrote:
> So, is there no way to defend against an ARP spoof attack on FreeBSD?
It has always worked for me to simply set up static ARP entries using
arp -S hostname ether_addr
At least, under RELENG_4 this prevents IP <=> MAC pair from being overwritten.
I believe that it isn't broken in newer branches. So ipfw isn't needed to
solve this particular task.
However, you shouldn't forget that your FreeBSD host doesn't control
ARP tables in other computers and switches on your LAN. So this static ARP
can only guarantee that _your_ computer will always send IP packets to
the hardware with proper MAC. It's not sufficient to guard against ARP
spoofing just on one communication endpoint. Suppose you have the following
LAN:
             +--------+
COMP1--------I Switch I-----COMP2
             I        I-----COMP3
             +--------+
Your computer is COMP1, you've set a static ARP entry for COMP2 in its ARP
table. However, COMP2 still asks for your (COMP1) MAC address. If a malicious
COMP3 sends an ARP reply with its own MAC address, COMP2 will send packets
for COMP1 to COMP3's MAC. The switch also has its own MAC forwarding table, and
it can also be spoofed by COMP3's ARP replies (if the switch isn't intelligent
enough to drop such replies, like 3COM Superstacks with the port security
feature). Your task can't be solved by COMP1 alone, whatever OS it's running.
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
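The reply above makes two points a defender can check for on each host: that the pinned IP <=> MAC pairs are actually present as permanent entries, and that no single MAC has started answering for several IP addresses. The script below is an added example, not code from the original post or from FreeBSD: it parses text in the shape of FreeBSD's `arp -an` output, compares it against the pairs the administrator pinned with `arp -S`, and reports drift. The sample table, the interface name em0 and all addresses are constructed for the demonstration. As the post stresses, this only audits the table of the host it runs on; every endpoint on the LAN would need the same check.

```python
# Added example (not from the mailing-list post): audit a FreeBSD-style
# `arp -an` listing against IP <=> MAC pairs pinned with `arp -S`.
import re
from collections import defaultdict

# Constructed sample of `arp -an` output. FreeBSD prints MAC octets without
# leading zeros (0:11:22:... rather than 00:11:22:...), so parsing normalises.
# 192.168.1.1 is pinned and permanent; 192.168.1.2 is pinned but now points at
# the same MAC as 192.168.1.3, the footprint of a poisoned entry.
ARP_SAMPLE = """\
? (192.168.1.1) at 0:aa:bb:cc:dd:ee on em0 permanent [ethernet]
? (192.168.1.2) at 0:11:22:33:44:55 on em0 expires in 1187 seconds [ethernet]
? (192.168.1.3) at 0:11:22:33:44:55 on em0 expires in 1190 seconds [ethernet]
? (192.168.1.4) at (incomplete) on em0 expired [ethernet]
"""

# Constructed list of pairs the administrator pinned with `arp -S`.
PINNED = {
    "192.168.1.1": "00:aa:bb:cc:dd:ee",
    "192.168.1.2": "00:de:ad:be:ef:01",
}

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}|\(incomplete\)) "
    r"on (?P<iface>\S+)(?P<rest>.*)"
)


def normalize_mac(mac):
    """Zero-pad each octet so 0:c:29:... compares equal to 00:0c:29:..."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_table(text):
    """Return {ip: (mac, permanent)} from `arp -an` style output.

    Incomplete entries (no MAC resolved yet) are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line.strip().lower())
        if not m or m.group("mac") == "(incomplete)":
            continue
        permanent = "permanent" in m.group("rest")
        entries[m.group("ip")] = (normalize_mac(m.group("mac")), permanent)
    return entries


def audit_arp_table(entries, pinned):
    """Compare a parsed table with the pinned pairs and return findings.

    Each finding is a tuple (kind, subject, detail):
      mac_mismatch   pinned IP resolves to a different MAC
      not_permanent  pinned IP has the right MAC but is a dynamic entry
      missing        pinned IP has no entry at all
      duplicate_mac  one MAC answers for more than one IP
    """
    findings = []
    for ip, want_mac in pinned.items():
        if ip not in entries:
            findings.append(("missing", ip, None))
            continue
        mac, permanent = entries[ip]
        if mac != normalize_mac(want_mac):
            findings.append(("mac_mismatch", ip, mac))
        elif not permanent:
            findings.append(("not_permanent", ip, mac))

    # One hardware address claiming several IPs is the classic poisoning sign.
    ips_by_mac = defaultdict(list)
    for ip, (mac, _) in entries.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    # On a real host the text would come from: subprocess.run(["arp", "-an"], ...)
    for finding in audit_arp_table(parse_arp_table(ARP_SAMPLE), PINNED):
        print(*finding)
```

Run it unchanged to see the two findings the constructed sample produces (a mismatch on 192.168.1.2 and one MAC shared by 192.168.1.2 and 192.168.1.3); on a real system feed it the output of `arp -an` and your own pinned list, and run it on every host you care about, since a clean table on COMP1 says nothing about COMP2.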