Detecting ARP Poisoning
In this small article we are going to look at how to detect ARP poisoning attacks. The utility that we will be working with is 'arpwatch'. The 'arpwatch' utility monitors network activities and constructs a database of IP addresses and their associated MAC address any suspicious changes that occur on the network i.e. MAC addresses change an email will be generated and emailed to the system administrator.
The installation of the 'arpwatch' utilities is very simple as this utility has already been packaged for SUSE Linux Enterprise Server. The 'arpwatch' utility can be installed using the YaST utility, you will need to search for the keyword 'arpwatch'. The YaST utility can be started via using two different commands the first command is yast sw_single which will load with a curses based interface and the second command is yast2 sw_single which starts a GUI.
In this section we will look at configuring the 'arpwatch' utility. The first task that you will need to do is create an empty file with the touch command within the /var/lib/arpwatch directory. The empty file that you create will be used to store the IP addresses and MAC address of stations connected to your network. Figure 2.1 shows the command used to create an empty file.
linux-y2v4:~ # touch /var/lib/arpwatch/arp.dat
linux-y2v4:~ # ls -l /var/lib/arpwatch/arp.dat
-rw-r--r-- 1 root root 0 2008-06-09 12:50 /var/lib/arpwatch/arp.dat
Figure 2.1: Creating a empty file for 'arpwatch'.
Once you have created the empty file you can start the 'arpwatch' utility. The command used to start 'arpwatch' is arpwatch. Table 1 lists some of the qualifiers that are supported by the 'arpwatch' utility. Figure 2.2 shows the command used to run the 'arpwatch' utility.
||This flag is used to override the default interface.
||This flag is used to set the MAC/IP address database filename.
||This flag specifies additional local networks. This can be useful to avoid "bogon" warnings when there is more than one network running on the same wire. If the optional width is not specified, the default netmask for the network's class is used.
||This flag disables reporting bogus.
Table 1: 'arpwatch' supported qualifiers.
linux-y2v4:~ # arpwatch -i eth0
Figure 2.2: Starting the 'arpwatch' utility.
Once you have started the 'arpwatch' utility you will notice that the root user will be emailed about workstations that are connected to the network as shown in Figure 2.3.
linux-y2v4:~ # mail
mailx version nail 11.25 7/29/05. Type ? for help.
"/var/mail/root": 3 messages 3 new
>N 1 arpwatch@linux-y2v Mon Jun 9 12:19 18/651 new station
N 2 arpwatch@linux-y2v Mon Jun 9 13:13 18/638 new station
N 3 arpwatch@linux-y2v Mon Jun 9 13:13 18/675 new station (example.net)
Figure 2.3: 'arpwatch' repostings.
Once the 'arpwatch' utility has started you may notice that the 'arp.dat' file located in the /var/lib/arpwatch directory contains IP addresses and MAC addresses as shown in Figure 2.4.
linux-y2v4:/var/lib/arpwatch # cat arp.dat
0:19:99:26:be:ae 192.168.2.152 1213013896
0:0:5a:9c:d1:73 192.168.2.1 1213013958 example.net
0:e0:81:71:94:f8 192.168.2.137 1213013852
Figure 2.4: 'arp.dat' file entries.
In this section of the article we will look at spoofing one of our workstations MAC address which should trigger the 'arpwatch' utility to email the root user.
We will now move to another machine on the network and change the machines MAC address, you will require root privileges to change the MAC address. Before changing the MAC address you will want to see what the original MAC address is you can do this by issuing the ifconfig command as shown in Figure 3.1. Figure 3.2 shows the command used to change the MAC address.
linux-y2v4:~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:30:05:47:9A:7A
inet addr:192.168.2.141 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:5ff:fe47:9a7b/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:589 errors:0 dropped:0 overruns:0 frame:0
TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:46023 (44.9 Kb) TX bytes:19197 (18.7 Kb)
Figure 3.1: Checking the original MAC address.
linux-y2v4:/var/lib/arpwatch # ifconfig eth0 hw ether 00:30:05:47:9A:7B
Figure 3.2: Changing the MAC address.
Once you have changed the MAC address from its original address you should receive an emailed by the 'arpwatch' utility informing you that someones MAC address has been changed as shown in Figure 3.3.
ip address: 192.168.2.141
mac address: 0:30:5:47:9a:7b
mac vendor: Fujitsu Siemens Computers
old mac address: 0:30:5:47:9a:7a
old mac vendor: Fujitsu Siemens Computers
timestamp: Monday, June 9, 2008 13:46:27 +0100
previous timestamp: Monday, June 9, 2008 13:45:34 +0100
delta: 53 seconds
Figure 3.3: MAC address changed alert.
In this small article we covered how to detect ARP poisoning attacks using the 'arpwatch' utility. There are a wide variety of ways to help mitigate ARP poisoning and some of these include installing and configuring IDS (Intrusion Detect Systems) and subnetting your network. I strongly recommend that you look into subnetting and how to configure IDS to defend against ARP poisoning.
If you encounter any problems you can send a TERM signal to the 'arpwatch' utility and then reissue the arpwatch command shown in Figure 2.2.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.