Onnowpurbo: New page: Sumber: http://kokikode.wordpress.com/2009/12/01/defense-against-arp-spoofing-in-linux/ ARP spoofing, also know as ARP Poisoning is one of the mechanisms commonly used in denial of servic...

2012-10-01T06:09:49Z

New page: Sumber: http://kokikode.wordpress.com/2009/12/01/defense-against-arp-spoofing-in-linux/ ARP spoofing, also know as ARP Poisoning is one of the mechanisms commonly used in denial of servic...

New page

Sumber: http://kokikode.wordpress.com/2009/12/01/defense-against-arp-spoofing-in-linux/

ARP spoofing, also know as ARP Poisoning is one of the mechanisms commonly used in denial of services attacks. We are only able to prevent or minimize these attacks. In this article I tried to summarize some points that are practical and easy to apply to the Linux-based server systems regardless of whether the subject security update to the kernel and applications installed.

Some of these points in practice I will describe below:

1. Essential configuration files in “/etc/host.conf” as shown below.

order hosts,bind
multi on
nospoof on
spoofalert on

2. The below are some tweaks that can be done in “/etc/sysctl.conf” nor “/proc/sys/net/ipv4/…” to avoid make kinds of attacks. They pretty simple yet effective.

» Turn on Source Address Verification in all interfaces to prevent some spoofing attacks.

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

» Disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167)

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

» Do not accept ICMP redirects (prevent MITM attacks)

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

» Ignore ICMP broadcasts will stop gateway from responding to broadcast pings.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

» Ignore bogus ICMP errors.

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

» Do not send ICMP redirects.

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

» Do not accept IP source route packets.

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

» Turn on log Martian Packets with impossible addresses.

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

3. Use the DHCP service on the server to provide IP restrictions based on the client MAC address.

4. MAC address list of each client and its IP address defined by the following instructions.

arp -s 192.168.0.24 00:9a:7c:3d:15:8f

or can be defined in the file “/etc/ethers” like this.

192.168.0.24 00:9a:7c:3d:15:8f
192.168.0.25 00:e9:18:7c:15:78
192.168.0.26 00:18:15:3d:78:8c

… etc and execute with command “arp -f“

If your server has two network cards and one of them functioned as a DMZ connected to the internet, please add it manually like this.

» assumed “eth1” as a DMZ interface.

arp -i eth1 -s 210.20.152.30 00:03:19:db:8a:58

ensure defined IP and MAC address each client network card is persistent every time the server reboot.

5. Make sure the rules in your packet filtering using IPTables to block the following network address.

Private Networks (RFC 1918) --
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

IANA Reserved --
0.0.0.0/8 - Historical Broadcast
127.0.0.0/8 - Loopback
169.254.0.0/16 - Link Local Networks
192.0.2.0/24 - TEST-NET
240.0.0.0/5 - Class E Reserved
248.0.0.0/5 - Unallocated
255.255.255.255/32 - Broadcast

Example:

iptables -A INPUT -j DROP -s 0.0.0.0/8
iptables -A INPUT -j DROP -d 0.0.0.0/8
iptables -A FORWARD -j DROP -s 0.0.0.0/8
iptables -A FORWARD -j DROP -d 0.0.0.0/8
iptables -A OUTPUT -j DROP -d 0.0.0.0/8

6. Done.

==Referensi==

* http://kokikode.wordpress.com/2009/12/01/defense-against-arp-spoofing-in-linux/

==Pranala Menarik==

* [[Anti NetCut]]
* [[Pertahanan Melawan ARP spoofing di Linux]]
* [[Mikrotik: Setup untuk Anti Netcut]]
* [[Keamanan Jaringan]]
* [[Linux Howto]]

[[Category: Network Security]]

Pertahanan Melawan ARP spoofing di Linux - Revision history

Onnowpurbo: New page: Sumber: http://kokikode.wordpress.com/2009/12/01/defense-against-arp-spoofing-in-linux/ ARP spoofing, also know as ARP Poisoning is one of the mechanisms commonly used in denial of servic...