Defending ARP Spoofing

Hi all,

I want to build up a resource containing all possibilities to defend against ARP spoofing. As I think ARP spoofing is one of the most powerful, easiest and most underestimated attacks, I want to know all your tricks, patches, anything that you know/apply to defend against ARP spoofing.

I know the standard things to do (like static ARP entries and so on), what I want to know from you is something like:

- OS x has a patch y which helps prevent ARP spoofing (like antidote) or

- OS x in version y has a small built-in ARP prevention (like SunOS) or

- Firewall/IDS x is able to prevent/detect ARP spoofing

Also welcome are new thoughts about ARP spoofing prevention (like S-ARP or Secure Link Layer).

Give me all your information, tricks and tips, so I can build up a complete resource.

Thanks a lot, Chris

["Followup-To:" header set to comp.security.misc.]

Multi-Language Hierarchy crossposting. Please feel free to fup in the language and hierarchy you prefer.

Chris :

The very best defense against ARP spoofing is to make sure your network design and security concept does not rely on MAC addresses for any of the following: Authentication, Authorisation, Identification.

Apparently not. The standard thing to do is to make your network design (and security concept) immune to this kind of threat.

What makes you think the bad guy would install such a patch? How would you enforce installation? How can you enforce that only stations with such a patch participate in your network?

What are you talking about?

Unlikely if the spoofing entity has any brains at all. (i.e. you can only catch complete dorks this way ;)

Simply separate your Authentication and Authorisation from Ethernet layer parameters. This has been the way to make yourself immune against ARP spoofing attacks for decades now. IPSEC is one of the many technical solutions to accomplish this goal.

Give me all your money, bonds and deeds, so I can provide you with a complete response ;-)

Juergen

Juergen P. Meier

Here are some:

- Use IPSec / VPN to verify client identities;
- Use any solution that includes client certificates, such as SSL;
- Use "port security" on switches to control which MAC addresses can access that switch port;
- Use physical security and personnel security to ensure that people on your internal network are relatively trusted;
- Train users to recognize and report the possible symptoms of ARP spoofing [this is rarely done in real life]; and/or,
- Harden all your hosts as best you can against compromise using the usual methods;
- Accept ARP spoofing as a theoretical risk.

I do not believe ARP spoofing happens all that frequently in real life. Generally, someone doing ARP spoofing has physical or remote access to a host on your internal network. Someone that is in the position to do ARP spoofing is usually in the position to do whatever they want to you given enough time.

Before wasting a lot of time and money trying to defend against ARP spoofing, be sure you've done enough to get rid of the more commonly exploited vulnerabilities on your systems first. I don't know too many people that can say they are in that position.

None of these really exist as far as I know.

Karl Levinson, mvp
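
An added example, not part of any poster's message: a small check in the spirit of the static ARP entries and detection ideas raised in this thread. It compares two neighbor-table snapshots in `ip neigh show` format against a pinned IP-to-MAC map; the addresses, the `PINNED` map and the function names are constructed for illustration.

```python
import re

# Matches one line of `ip neigh show` output, e.g.
# "192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that have a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m.group(1)] = m.group(3).lower()
    return table

def check_snapshot(current, previous, pinned):
    """Return sorted (kind, ip, detail) findings for one neighbor table."""
    findings = []
    for ip, mac in current.items():
        if ip in pinned and mac != pinned[ip]:
            findings.append(("pinned-mismatch", ip, f"{pinned[ip]} -> {mac}"))
        elif ip in previous and mac != previous[ip]:
            findings.append(("mac-changed", ip, f"{previous[ip]} -> {mac}"))
    # One MAC answering for several IPs needs review (may also be a router or proxy ARP)
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return sorted(findings)

# Constructed sample data (documentation address ranges, not from the thread)
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}  # gateway, known-good MAC
SNAP_1 = """192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE
192.0.2.30 dev eth0  FAILED"""
SNAP_2 = """192.0.2.1 dev eth0 lladdr 00:00:5E:00:53:66 REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE
192.0.2.40 dev eth0 lladdr 00:00:5e:00:53:66 DELAY"""

if __name__ == "__main__":
    prev, cur = parse_neigh(SNAP_1), parse_neigh(SNAP_2)
    for finding in check_snapshot(cur, prev, PINNED):
        print(finding)
```

A pinned mismatch on the gateway address is the finding to act on first; the other two kinds are leads that need context before they mean anything.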
