Protection against ARP Spoofing Malware

“Why is my connection so slow?”
“Where the hell does g.asdafdgfgf.com come from? It appears in my browser status bar
each time I try to open a website.”
“I can’t open YouTube …!!@@#$$@%, it’s so slow”

Well, that is a sample of the complaints from my friends at the office.

My office has a dedicated internet connection; every client sits behind NAT with a private address in 192.168.1.0/24,
and the default gateway is 192.168.1.1.

OK, let's get dirty :P

On the gateway (192.168.1.1):

tcpdump -ni eth1 'arp'

Here is the result:

...
13:34:39.950832 arp reply 192.168.1.3 is-at 00:11:11:5f:eb:8d (oui Unknown)
13:34:39.950865 arp reply 192.168.1.5 is-at 00:11:11:5f:eb:8d (oui Unknown)
13:34:39.950893 arp reply 192.168.1.6 is-at 00:11:11:5f:eb:8d (oui Unknown)
13:34:39.950924 arp reply 192.168.1.7 is-at 00:11:11:5f:eb:8d (oui Unknown)
...

That is enough to show that an ARP spoofing attack really is happening: a single MAC address, 00:11:11:5f:eb:8d, is answering for 192.168.1.3, .5, .6, .7 and more, which points to a malware infection on one of my friends' PCs. So the source of the problem was found; now, how do I remove it?
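The same signature can be checked automatically instead of by eye. The following Python script is an added example, not part of the original post: it parses the output of tcpdump -ni eth1 'arp' and reports any MAC that answers for more addresses than one host should own, and, going one step beyond the capture above, any single IP answered by two different MACs (the real owner and the spoofer fighting over it). The sample input is the four replies captured above plus constructed lines; the threshold of two addresses per MAC, the gateway MAC 00:0c:29:aa:bb:cc and the "real owner" MAC 00:1e:68:12:34:56 are assumptions made for the example.

```python
import re
from collections import defaultdict

# tcpdump -ni eth1 'arp' prints a reply as:
#   13:34:39.950832 arp reply 192.168.1.3 is-at 00:11:11:5f:eb:8d (oui Unknown)
ARP_REPLY = re.compile(
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_replies(lines):
    """Yield (ip, mac) for every 'arp reply' line; who-has requests are ignored."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def analyze(lines, max_ips_per_mac=2):
    """Find the two classic ARP-spoofing signatures in a capture.

    mac_claims_many_ips: one MAC answering for more than max_ips_per_mac
        addresses (a host may have a couple of aliases, never a dozen).
    ip_has_multiple_macs: one IP answered by different MACs, i.e. the real
        owner and the spoofer both claiming the same address.
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for ip, mac in parse_replies(lines):
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    return {
        "mac_claims_many_ips": {
            mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) > max_ips_per_mac
        },
        "ip_has_multiple_macs": {
            ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1
        },
    }


# Constructed sample: the four replies captured in the post, plus an invented
# who-has request, an invented gateway reply, and a later reply from the
# (invented) real owner of 192.168.1.3.
SAMPLE_LINES = [
    "13:34:39.950800 arp who-has 192.168.1.3 tell 192.168.1.1",
    "13:34:39.950832 arp reply 192.168.1.3 is-at 00:11:11:5f:eb:8d (oui Unknown)",
    "13:34:39.950865 arp reply 192.168.1.5 is-at 00:11:11:5f:eb:8d (oui Unknown)",
    "13:34:39.950893 arp reply 192.168.1.6 is-at 00:11:11:5f:eb:8d (oui Unknown)",
    "13:34:39.950924 arp reply 192.168.1.7 is-at 00:11:11:5f:eb:8d (oui Unknown)",
    "13:34:40.012345 arp reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc (oui Unknown)",
    "13:34:40.200000 arp reply 192.168.1.3 is-at 00:1e:68:12:34:56 (oui Unknown)",
]


def main():
    import sys
    # Live use, reading a bounded capture until EOF:
    #   tcpdump -lni eth1 -c 500 arp | python3 arp_anomalies.py
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    report = analyze(lines)
    for mac, ips in report["mac_claims_many_ips"].items():
        print(f"[!] {mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    for ip, macs in report["ip_has_multiple_macs"].items():
        print(f"[!] {ip} claimed by {' and '.join(macs)}")
    if not report["mac_claims_many_ips"] and not report["ip_has_multiple_macs"]:
        print("no ARP anomalies seen")


if __name__ == "__main__":
    main()
```

Run without input and it analyses the embedded sample; pipe a bounded tcpdump capture into it on the gateway to check a live segment. The threshold exists because a router or a host with a few IP aliases legitimately answers for more than one address; a dozen, as in the capture above, never is.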

Finding the PC that could be infected
At my gateway:

arp -an | grep 00:11:11:5F:EB:8D
? (192.168.1.198) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.13) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.70) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.201) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.128) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.68) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.205) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.106) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.148) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.190) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.53) at 00:11:11:5F:EB:8D [ether] on eth1
? (192.168.1.120) at 00:11:11:5F:EB:8D [ether] on eth1

Darn. The gateway's own ARP cache has already been poisoned: a dozen addresses map to that MAC, so it cannot tell me which of them is the real owner.

At my laptop, where only one entry carries that MAC:

arp -an | grep 0:11:11:5f:eb:8d
? (192.168.1.243) at 0:11:11:5f:eb:8d on en1 [ethernet]

So after reinstalling the PC with local IP 192.168.1.243, there was no more spoofing on my network ...
until one week later, when it showed up again.

Finally I decided to make a static ARP entry (IP to MAC) for each client address on the gateway, so that a forged reply can no longer overwrite the gateway's idea of who owns which address. With Perl this is an easy task.
Two caveats: the script pins whatever MAC answers an arping probe, so it must be run while the network is clean (infected PC unplugged), otherwise the spoofer's MAC gets pinned; and entries made with arp -s are lost on reboot, so it has to run again at boot.

#!/usr/bin/perl
# created by rodotelmi, july 21, 2008
# arp spoof problem on my local network
#
# Probe every address in 192.168.1.0/24 with arping and pin the MAC that
# answers as a static ARP entry on the gateway, so a spoofed reply can no
# longer overwrite it. Run this only while the infected host is OFF the
# network: whichever MAC answers the probe is the one that gets pinned.
use strict;
use warnings;

for my $i (2 .. 253) {
    my @res_ping = `arping -I eth1 -c 1 192.168.1.$i`;
    my ($ip_owner, $mac_owner) = ("", "");
    foreach my $line (@res_ping) {
        # iputils arping: "Unicast reply from 192.168.1.5 [00:11:11:5F:EB:8D]  0.626ms"
        if ($line =~ m/Unicast reply from (\S+) \[([0-9A-Fa-f:]+)\]/) {
            $ip_owner  = $1;
            $mac_owner = $2;
            last;    # Perl has no 'break'; take the first reply only
        }
    }

    if ($ip_owner) {
        print "Setup ARP static for $ip_owner \t $mac_owner\n";
        # static entries made with arp -s do not survive a reboot
        system("arp", "-s", $ip_owner, $mac_owner) == 0
            or warn "arp -s $ip_owner $mac_owner failed\n";
    }
}
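The script above trusts the first reply it sees, which is exactly what a spoofer on the wire wants. The following Python version is an added example, not the post's own code: it keeps every MAC that answers a probe, refuses to pin an address that was answered by more than one MAC (owner and spoofer both replied) or a MAC that answers for several addresses (the tcpdump signature from the capture above), and only turns the unambiguous pairs into arp -s commands. It assumes iputils arping with the same arping -I eth1 -c 1 syntax as the post, the net-tools arp -i eth1 -s form for adding entries, and interface eth1; the sample arping output is constructed and every MAC other than the spoofer's is invented.

```python
import re
import subprocess
import sys
from collections import defaultdict

# iputils arping (the tool the post's script calls) reports each host that
# answers one probe on its own line, e.g.
#   Unicast reply from 192.168.1.5 [00:11:11:5F:EB:8D]  0.626ms
ARPING_REPLY = re.compile(
    r"Unicast reply from (\S+) \[((?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})\]"
)


def macs_in_reply(arping_output):
    """Every distinct MAC that answered a single probe, lower-cased and sorted."""
    return sorted({m.group(2).lower() for m in ARPING_REPLY.finditer(arping_output)})


def probe(ip, iface="eth1"):
    """Run one arping probe and return its stdout (needs root for raw sockets)."""
    result = subprocess.run(
        ["arping", "-I", iface, "-c", "1", ip], capture_output=True, text=True
    )
    return result.stdout


def plan_static_entries(probe_results, iface="eth1"):
    """Decide which addresses are safe to pin, from {ip: arping stdout}.

    Pinning 'whatever answered' while a spoofer is active would lock in the
    attacker's MAC, so two cases are refused instead of pinned:
      conflicts  - an IP answered by more than one MAC (owner and spoofer)
      shared_mac - one MAC answering for several IPs (the tcpdump signature)
    Only the remaining unambiguous pairs become `arp -s` commands.
    """
    owners, conflicts = {}, {}
    for ip, out in probe_results.items():
        macs = macs_in_reply(out)
        if not macs:
            continue                    # host is down: nothing to pin
        if len(macs) > 1:
            conflicts[ip] = macs
        else:
            owners[ip] = macs[0]

    ips_by_mac = defaultdict(list)
    for ip, mac in owners.items():
        ips_by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

    pin = {ip: mac for ip, mac in owners.items() if mac not in shared}
    commands = [f"arp -i {iface} -s {ip} {mac}" for ip, mac in sorted(pin.items())]
    return {"pin": pin, "conflicts": conflicts, "shared_mac": shared, "commands": commands}


# Constructed arping output for five hosts (all MACs except the spoofer's are
# invented): .3 is contested, .5 and .6 are answered only by the spoofer,
# .10 is clean, .250 is down.
SAMPLE_PROBES = {
    "192.168.1.3": (
        "ARPING 192.168.1.3 from 192.168.1.1 eth1\n"
        "Unicast reply from 192.168.1.3 [00:11:11:5F:EB:8D]  0.626ms\n"
        "Unicast reply from 192.168.1.3 [00:1E:68:12:34:56]  0.910ms\n"
        "Sent 1 probes (1 broadcast(s))\nReceived 2 response(s)\n"
    ),
    "192.168.1.5": "ARPING 192.168.1.5 from 192.168.1.1 eth1\n"
                   "Unicast reply from 192.168.1.5 [00:11:11:5F:EB:8D]  0.631ms\n",
    "192.168.1.6": "ARPING 192.168.1.6 from 192.168.1.1 eth1\n"
                   "Unicast reply from 192.168.1.6 [00:11:11:5F:EB:8D]  0.640ms\n",
    "192.168.1.10": "ARPING 192.168.1.10 from 192.168.1.1 eth1\n"
                    "Unicast reply from 192.168.1.10 [00:0C:29:AA:BB:CC]  0.412ms\n",
    "192.168.1.250": "ARPING 192.168.1.250 from 192.168.1.1 eth1\n"
                     "Sent 1 probes (1 broadcast(s))\nReceived 0 response(s)\n",
}


def main(argv):
    if "--sweep" in argv:      # live: probe the whole /24 from the gateway
        results = {f"192.168.1.{i}": probe(f"192.168.1.{i}") for i in range(2, 254)}
    else:                      # offline: the constructed sample
        results = SAMPLE_PROBES
    plan = plan_static_entries(results)
    for ip, macs in plan["conflicts"].items():
        print(f"[!] {ip} answered by {len(macs)} MACs, not pinning: {', '.join(macs)}")
    for mac, ips in plan["shared_mac"].items():
        print(f"[!] {mac} answers for {', '.join(ips)}, not pinning any of them")
    for cmd in plan["commands"]:
        print(cmd)
        if "--apply" in argv:  # only touch the ARP table when explicitly asked
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Without arguments it only prints the plan for the embedded sample; on the gateway, --sweep probes the /24 and --apply executes the resulting arp -s lines. Anything reported with [!] is a host to go and look at, not one to pin, and since arp -s entries vanish on reboot the generated commands belong in a boot script.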

More info:
tcpdump arp
ARP Spoofing Malware
arping
Perl scripting language
