Date:      Sat, 15 Apr 2006 15:46:29 +0300 (EEST)
From:      Dmitry Pryanishnikov <>
To:        hshh <>
Subject:   Re: Still ARP Spoof question.
Message-ID:  <>
In-Reply-To: <>
References:  <>



On Sat, 15 Apr 2006, hshh wrote:
> So, is there no way to defend against an ARP spoof attack with FreeBSD?

  It has always worked for me to simply set up static ARP entries using

arp -S hostname ether_addr

At least, under RELENG_4 this prevents the IP <=> MAC pair from being overwritten.
I believe that it isn't broken in newer branches. So ipfw isn't needed to
solve this particular task.

   However, you shouldn't forget that your FreeBSD host doesn't control
ARP tables in other computers and switches on your LAN. So this static ARP
can only guarantee that _your_ computer will always send IP packets to
the hardware with the proper MAC. It's not sufficient to guard against ARP
spoofing just on one communication endpoint. Suppose you have the following:

COMP1-----I Switch I-----COMP2
           I        I-----COMP3

Your computer is COMP1, and you've set a static ARP entry for COMP2 in its ARP
table. However, COMP2 still asks for your (COMP1) MAC address. If malicious
COMP3 sends an ARP reply with its own MAC address, COMP2 will send packets
for COMP1 to COMP3's MAC. The switch also has its own MAC forwarding table, and
it can also be spoofed by COMP3's ARP replies (if the switch isn't intelligent
enough to drop such replies, like 3COM Superstacks with the port security
feature). Your task can't be solved by COMP1 alone, whatever OS it's running.

Sincerely, Dmitry
Atlantis ISP, System Administrator
nic-hdl: LYNX-RIPE

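A defender's-side check that goes with the advice above, added here as an example and not something posted in the thread: once you have loaded static entries with `arp -S`, you still want to know that they are in place and have not been replaced by dynamic ones, and that no single MAC in the cache is answering for several IPs (the usual footprint of a neighbour spoofing replies). The script parses the text of `arp -an` as a modern FreeBSD host prints it (assumed format: `? (ip) at mac on iface permanent [ethernet]`; older branches omit the interface and bracket, which the regex tolerates), compares it against a pin list, and reports findings. The pin list, addresses and MACs are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed pin list: the IP <=> MAC pairs you would load with `arp -S`.
# Sample values for illustration only, not from the original thread.
PINNED = {
    "192.0.2.2": "00:11:22:33:44:02",   # COMP2, the peer you care about
    "192.0.2.1": "00:11:22:33:44:01",   # default router
}

# Assumed `arp -an` line shapes (modern FreeBSD), for example:
#   ? (192.0.2.2) at 00:11:22:33:44:02 on em0 permanent [ethernet]
#   ? (192.0.2.3) at 00:11:22:33:44:03 on em0 expires in 1180 seconds [ethernet]
# The "on <iface>" part is optional so older output still parses.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}|\(incomplete\))"
    r"(?: on (?P<iface>\S+))?(?P<rest>.*)$"
)


def parse_arp_table(text):
    """Return {ip: (mac or None, is_permanent)} from `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        raw_mac = m.group("mac")
        mac = None if raw_mac == "(incomplete)" else raw_mac.lower()
        permanent = "permanent" in m.group("rest")
        table[m.group("ip")] = (mac, permanent)
    return table


def audit_arp_table(text, pinned=PINNED):
    """Compare the live cache with the pin list; return a list of findings."""
    table = parse_arp_table(text)
    findings = []

    # 1. Every pinned host must be present, permanent, and carry the pinned MAC.
    for ip, want in pinned.items():
        if ip not in table:
            findings.append(f"{ip}: no cache entry; static pin missing")
            continue
        mac, permanent = table[ip]
        if mac != want.lower():
            findings.append(f"{ip}: cache has {mac}, pin says {want}; entry overwritten")
        if not permanent:
            findings.append(f"{ip}: entry is dynamic, not permanent; re-run arp -S")

    # 2. One MAC that owns several IPs is worth a look: this is what the cache
    #    looks like after a neighbour has answered ARP requests for other hosts.
    owners = defaultdict(list)
    for ip, (mac, _) in table.items():
        if mac:
            owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(f"{mac}: claims {len(ips)} addresses ({', '.join(sorted(ips))})")
    return findings


# Constructed `arp -an` snapshot: the pin for 192.0.2.2 has been replaced by a
# dynamic entry pointing at the same MAC that 192.0.2.3 uses.
SAMPLE_ARP_AN = """\
? (192.0.2.1) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (192.0.2.2) at 00:11:22:33:44:03 on em0 expires in 1180 seconds [ethernet]
? (192.0.2.3) at 00:11:22:33:44:03 on em0 expires in 1190 seconds [ethernet]
? (192.0.2.4) at (incomplete) on em0 expired [ethernet]
"""

if __name__ == "__main__":
    # On a real host you would feed in subprocess.run(["arp", "-an"], ...).stdout.
    for finding in audit_arp_table(SAMPLE_ARP_AN):
        print(finding)
```

Run it from cron or a monitoring agent and alert on a non-empty result; a finding of the "overwritten" or "dynamic" kind means the static entry is gone and should be reloaded, while a MAC claiming several addresses is the cue to check the other hosts and the switch's forwarding table, which, as the reply points out, this host cannot protect on its own.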