From: Michal Mertl
To: Mark Jayson Alvarez
Cc: freebsd-questions@freebsd.org
Date: Wed, 05 Apr 2006 15:19:06 +0200
Subject: Re: Attacking our pc router at work
Message-Id: <1144243147.765.18.camel@genius.i.cz>
In-Reply-To: <20060405090338.74765.qmail@web51610.mail.yahoo.com>

Mark Jayson Alvarez wrote:
> Hi,
> I have one question. What if I change my ip and mac address at the
> same time to that of our pcrouter's ip and mac... Is this going to
> kick out that router in our network, causing the rest of the entire
> lan to be out of service?? No one's gonna catch me right?? Arpwatch
> can only watch if an ip address has moved to another mac address but
> not when both ip and mac have moved to another ip and mac... Do you
> know any possible solution to this??

Your question is off topic for this list.

Use intelligent switches (not hubs) and port security (you can allow
only a specific MAC address behind a switch port). You could also use
static entries on the switch for some MAC addresses (an entry on a switch
is a MAC address + the port behind which the address can be found) but that
isn't as safe. An attacker can generate traffic with lots of source MAC
addresses. Every switch has limited memory to store the MAC addresses
and usually when the table is full it starts working as a hub.

A sophisticated attacker may still be able to contaminate end stations -
if he sends a gratuitous ARP reply to a station where he pretends he is
the router (changes the MAC address), he will receive the traffic for
the router and can also then make man-in-the-middle attacks (insert
himself into the forwarding chain of the station).

A more sophisticated solution is using 802.1x - port-based authentication -
a switch will only start forwarding traffic to you once you authenticate,
and you of course shouldn't be able to authenticate as the server.

On FreeBSD you can disable ARP and/or create static ARP entries and it
will protect you a little, but you also need to configure some protection
on the network infrastructure.

It's quite a complex issue to protect against this type of attack and I
am no real guru, so please take what I said with a grain of salt.

HTH

Michal
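
Added example, not part of the original message: a small Python model of a learning switch that contrasts the two failure modes described in the reply (a router MAC that moves to another port, and a full MAC table that makes the switch flood like a hub) with port security enabled. The MAC addresses, port numbers, table size and the `Switch` class are all constructed for illustration and do not model any particular vendor's switch.

```python
ROUTER, HOST, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"  # constructed MACs

class Switch:
    """Learning switch with optional per-port security (allow-list and MAC cap)."""
    def __init__(self, ports, allowed=None, max_macs=None, table_size=16):
        self.ports = ports
        self.allowed = allowed or {}   # port -> set of source MACs permitted on it
        self.max_macs = max_macs       # cap on MACs learned per port (None = off)
        self.table_size = table_size   # finite MAC table, as noted in the reply
        self.table = {}                # learned MAC -> port
        self.violations = []           # (port, src) pairs that were dropped

    def receive(self, port, src, dst):
        """Handle one frame; return the list of egress ports ([] if dropped)."""
        on_port = {m for m, p in self.table.items() if p == port}
        if port in self.allowed and src not in self.allowed[port]:
            self.violations.append((port, src))
            return []
        if self.max_macs is not None and src not in on_port and len(on_port) >= self.max_macs:
            self.violations.append((port, src))
            return []
        if src in self.table or len(self.table) < self.table_size:
            self.table[src] = port     # learn, or move the MAC to a new port
        if dst in self.table:
            return [self.table[dst]]
        return [p for p in self.ports if p != port]   # unknown dst: flood like a hub

def spoof_router(switch):
    """Router on port 1, host on 2; port 3 then sources a frame as the router."""
    switch.receive(1, ROUTER, HOST)
    switch.receive(2, HOST, ROUTER)
    switch.receive(3, ROUTER, HOST)            # frame carrying the router's source MAC
    return switch.receive(2, HOST, ROUTER)     # where does host -> router go now?

def flood_table(switch, n=64):
    """Port 3 sources n distinct MACs, then a new station appears on port 2."""
    switch.receive(1, ROUTER, HOST)
    for i in range(n):
        switch.receive(3, f"02:ff:00:00:00:{i:02x}", ROUTER)
    switch.receive(2, HOST, ROUTER)            # host tries to get learned
    return switch.receive(1, ROUTER, HOST)     # router -> host: unicast or flooded?

if __name__ == "__main__":
    locked = {1: {ROUTER}, 2: {HOST}, 3: {ATTACKER}}
    print(spoof_router(Switch([1, 2, 3])), spoof_router(Switch([1, 2, 3], allowed=locked)))
    print(flood_table(Switch([1, 2, 3])), flood_table(Switch([1, 2, 3], max_macs=1)))
```

The `violations` list is the part worth alerting on: each entry is a frame whose source MAC was not expected on that port.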