Defense against ARP spoofing in Linux

December 1, 2009

ARP spoofing, also known as ARP poisoning, is one of the mechanisms commonly used in denial-of-service attacks. These attacks can only be prevented or minimized, not eliminated. In this article I have tried to summarize some points that are practical and easy to apply to Linux-based server systems, independently of whatever security updates have been applied to the kernel and installed applications.

I describe some of these points in practice below:

1. Essential settings in “/etc/host.conf”, as shown below.

order hosts,bind
multi on
nospoof on
spoofalert on

2. Below are some tweaks that can be applied in “/etc/sysctl.conf” or under “/proc/sys/net/ipv4/…” to mitigate these kinds of attacks. They are pretty simple yet effective.

» Turn on Source Address Verification on all interfaces to prevent some spoofing attacks.

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

» Enable TCP SYN cookies (the linked thread discusses their interaction with TCP Window Scaling: http://lkml.org/lkml/2008/2/5/167)

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

» Do not accept ICMP redirects (prevents MITM attacks).

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

» Ignore ICMP broadcasts; this stops the gateway from responding to broadcast pings.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

» Ignore bogus ICMP errors.

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

» Do not send ICMP redirects.

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

» Do not accept source-routed IP packets.

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

» Turn on logging of Martian packets (packets with impossible addresses).

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

3. Use the DHCP service on the server to restrict IP address assignment based on the client MAC address.

4. Define the MAC address of each client together with its IP address (a static ARP entry) using the following command.

arp -s 192.168.0.24 00:9a:7c:3d:15:8f

or they can be defined in the file “/etc/ethers” like this.

192.168.0.24 00:9a:7c:3d:15:8f
192.168.0.25 00:e9:18:7c:15:78
192.168.0.26 00:18:15:3d:78:8c

… and so on, then load them with the command “arp -f”.

If your server has two network cards and one of them serves as a DMZ interface connected to the internet, add the entry for that interface manually like this.

» assuming “eth1” is the DMZ interface.

arp -i eth1 -s 210.20.152.30 00:03:19:db:8a:58

Ensure that the defined IP and MAC address pair for each client network card is persistent across server reboots.
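A check that goes with the static entries above, added here as an example and not part of the original article: it compares the pairs pinned in an /etc/ethers-style file against saved output of the iproute2 command “ip neigh” and reports every pinned address whose live MAC differs, which is the tell-tale of an ARP poisoning attempt. Both field orders are accepted, since this article writes the IP first while ethers(5) documents the MAC first; the sample data is constructed.

```shell
#!/bin/sh
# Added example: compare the live neighbour (ARP) table with the static IP/MAC
# pairs pinned in an /etc/ethers-style file and report any pinned IP whose MAC
# has changed. A changed MAC on a pinned address is worth alerting on even when
# the static entry itself still holds.

# Usage: check_arp_table ETHERS_FILE NEIGH_FILE
#   ETHERS_FILE  lines in "ip mac" order (as in this article) or "mac ip" order
#                (as ethers(5) documents); comments and blank lines are skipped
#   NEIGH_FILE   saved output of "ip neigh" (e.g. ip neigh > file)
# Prints one line "ip expected_mac seen_mac" per mismatch; nothing when clean.
check_arp_table() {
    # Normalise every pinned pair to "ip mac", lower-casing the MAC. IPv4
    # addresses never contain ':', so the field containing ':' is the MAC.
    awk '!/^[[:space:]]*#/ && NF >= 2 {
            if (index($1, ":")) print $2, tolower($1); else print $1, tolower($2) }' "$1" |
    while read -r ip want; do
        # ip neigh format: <ip> dev <ifname> lladdr <mac> <state>; entries in
        # FAILED/INCOMPLETE state carry no lladdr and are skipped here.
        seen=$(awk -v ip="$ip" '$1 == ip { for (i = 1; i < NF; i++)
                    if ($i == "lladdr") print tolower($(i+1)) }' "$2" | head -n 1)
        if [ -n "$seen" ] && [ "$seen" != "$want" ]; then
            echo "$ip $want $seen"
        fi
    done
}

# Self-contained demo on constructed data: the 192.168.0.25 host from the
# article is currently answered by a different MAC than the one pinned for it.
demo_check() {
    ethers=$(mktemp) && neigh=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed sample in the order used in this article' \
        '192.168.0.24 00:9a:7c:3d:15:8f' \
        '192.168.0.25 00:E9:18:7C:15:78' \
        '# and one line in the MAC-first order that ethers(5) documents' \
        '00:18:15:3d:78:8c 192.168.0.26' > "$ethers"
    printf '%s\n' \
        '192.168.0.24 dev eth0 lladdr 00:9a:7c:3d:15:8f REACHABLE' \
        '192.168.0.25 dev eth0 lladdr 02:42:ac:11:00:02 STALE' \
        '192.168.0.26 dev eth0 FAILED' > "$neigh"
    check_arp_table "$ethers" "$neigh"
    rm -f "$ethers" "$neigh"
}

demo_check   # prints: 192.168.0.25 00:e9:18:7c:15:78 02:42:ac:11:00:02
```

Run it from cron against a fresh “ip neigh” dump and forward any output to syslog or your monitoring; an empty result means every pinned address still resolves to its expected MAC.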

5. Make sure the rules in your iptables packet filter block the following network addresses.

Private Networks (RFC 1918) --
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

IANA Reserved --
0.0.0.0/8 - Historical Broadcast
127.0.0.0/8 - Loopback
169.254.0.0/16 - Link Local Networks
192.0.2.0/24 - TEST-NET
240.0.0.0/5 - Class E Reserved
248.0.0.0/5 - Unallocated
255.255.255.255/32 - Broadcast

Example:

iptables -A INPUT -j DROP -s 0.0.0.0/8
iptables -A INPUT -j DROP -d 0.0.0.0/8
iptables -A FORWARD -j DROP -s 0.0.0.0/8
iptables -A FORWARD -j DROP -d 0.0.0.0/8
iptables -A OUTPUT -j DROP -d 0.0.0.0/8

6. Done.

This article deals only with the fundamentals; please improvise to complete it.


One Response to “Defense against ARP spoofing in Linux”

  1. yoursurprise-1 Says:

    Hello there! Would you mind if I share your blog with my facebook group? There’s a lot of people that I think would really appreciate your content. Please let me know. Cheers
