Tuesday, 1 September 2009

ARPWatch

Another answer to ARP poisoning attacks lies in monitoring systems.

Yesterday I mentioned ArpFreeze. An alternative solution is Arpwatch.

Arpwatch monitors network activity for ARP/IP pairings. It uses this information to build a database that can be parsed and set to alert by email on changes. This way, when an alternate ARP/IP match comes up, you will know about it. This is a common tool in the *NIX world and can easily be set to monitor server systems and selected workstations for ARP poisoning attacks.

One thing to note is that these types of tools do little to help in DHCP environments (though they can produce some useful DHCP allocation statistics), because a pairing change there is a normal lease event rather than a sign of an attack.
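To make the detection logic concrete, here is a small added example (not arpwatch's own code) of the pairing database described above. It consumes a constructed stream of (timestamp, IP, MAC) observations, which is what arpwatch itself extracts from ARP traffic via libpcap, and reports the three events arpwatch's mail alerts are built around: a new station, a changed ethernet address, and a "flip flop" back to the previously recorded address. The tab-separated dump layout is an approximation of arpwatch's arp.dat file and is assumed rather than taken from the page. Every change is reported, which is also why such a monitor is noisy on a DHCP segment where addresses legitimately move between hosts.

```python
"""Minimal arpwatch-style ARP/IP pairing monitor (illustration, not arpwatch code)."""

from collections import namedtuple

Observation = namedtuple("Observation", "ts ip mac")
Event = namedtuple("Event", "kind ip mac old_mac")

# Constructed sample traffic: host .10 appears, host .20 appears, then .10's
# address is claimed by a second MAC (the pattern ARP poisoning produces),
# after which the original MAC answers for .10 again.
SAMPLE = [
    Observation(1251763200, "192.168.1.10", "00:11:22:33:44:55"),
    Observation(1251763260, "192.168.1.20", "00:11:22:33:44:66"),
    Observation(1251763320, "192.168.1.10", "00:11:22:33:44:55"),
    Observation(1251763380, "192.168.1.10", "de:ad:be:ef:00:01"),
    Observation(1251763440, "192.168.1.10", "00:11:22:33:44:55"),
]


class ArpDatabase:
    """Tracks the current and previous MAC seen for each IP address."""

    def __init__(self):
        self.current = {}   # ip -> (mac, last_seen_timestamp)
        self.previous = {}  # ip -> MAC recorded before the current one

    def observe(self, obs):
        """Record one observation; return an Event if it is worth alerting on."""
        entry = self.current.get(obs.ip)
        if entry is None:
            self.current[obs.ip] = (obs.mac, obs.ts)
            return Event("new station", obs.ip, obs.mac, None)
        old_mac, _ = entry
        if old_mac == obs.mac:
            # Same pairing as before: just refresh the last-seen time.
            self.current[obs.ip] = (obs.mac, obs.ts)
            return None
        # The MAC differs from the last one recorded for this IP. If it is the
        # one we saw before that, arpwatch calls it a "flip flop".
        kind = "flip flop" if self.previous.get(obs.ip) == obs.mac \
            else "changed ethernet address"
        self.previous[obs.ip] = old_mac
        self.current[obs.ip] = (obs.mac, obs.ts)
        return Event(kind, obs.ip, obs.mac, old_mac)

    def dump(self):
        """Render the database as tab-separated mac/ip/timestamp lines
        (assumed arp.dat-like layout)."""
        return "\n".join(f"{mac}\t{ip}\t{ts}"
                         for ip, (mac, ts) in sorted(self.current.items()))


def monitor(observations):
    """Feed observations through the database; return (database, alert events)."""
    db = ArpDatabase()
    events = []
    for obs in observations:
        ev = db.observe(obs)
        if ev is not None:
            events.append(ev)
    return db, events


def format_alert(ev):
    """Format an event the way an email alert line might read."""
    if ev.old_mac is None:
        return f"{ev.kind}: ip {ev.ip} ethernet {ev.mac}"
    return f"{ev.kind}: ip {ev.ip} ethernet {ev.mac} (was {ev.old_mac})"


if __name__ == "__main__":
    database, alerts = monitor(SAMPLE)
    for alert in alerts:
        print(format_alert(alert))
    print("--- database ---")
    print(database.dump())
```

Running it prints two "new station" lines, one "changed ethernet address" for 192.168.1.10 when the second MAC appears, and a "flip flop" when the original MAC returns; the final database keeps only the most recent pairing per IP, so the attacker's address survives only in the alert history, which is exactly why the alerts, not just the database, need to be kept.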

Arpwatch is based on libpcap. It can also be fed information from captures, and this can be used to report on events after the fact (e.g. for forensics and incident handling). This is NOT the default behaviour and it requires some alteration to the standard program use and behaviour.

A kludge, but the simplest means of using Arpwatch with a pcap file, is to replay it. Use a loopback or otherwise null interface and send the packet capture to it. Have Arpwatch listen on that interface and there you go. A tool such as Netdude is effective for this.

Another alternative is ArpSNMP.

Arpsnmp has the same database features as arpwatch. The distinction is that it uses an external agent for the collection of data, specifically an SNMP collector. Arpfetch is a script that comes with the package and which uses snmpwalk (from the CMU SNMP package) to collect the ARP tables.

The ArpWatch man page is available online.

In coming days I shall be covering how to use this tool for after-the-event collection and processing of information...
