Thread: ARP poisoning and host based firewalls

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    ARP poisoning and host based firewalls

    Anyone know a host based firewall for Windows that gives alerts whenever it detects someone else ARP poisoning the network? It should be easy to detect from the traffic and quick changes in the ARP cache. I want something I can recommend to folks wanting to use their laptop at local hot spots.

  2. #2
    I don't know of one for Windows.

    Edited because of incorrect answer.

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Believe it or not, Zone Alarm Pro v6.1.737.000 does pipe up and alert you with a "suspicious behaviour detected" tab when you try a spot of ARP poisoning.

    I don't think it detects a sudden change in the cache though. I'm still looking into it, but I think it may be more to do with unusual traffic within a trusted zone or picking up on a foreign address.

    It's inconsistent though: sometimes it picks it up, sometimes it doesn't. I've been messing around with it for a few weeks now on and off and haven't quite worked out what sparks it off. I can definitely say it's not changes to the actual ARP cache though.
    Which makes me wonder why it displays a Suspicious Behaviour Tab??


    PM me if you want to know what I have done so far.

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    17
    I had a look at your question and the answer seems easy enough, but after googling for about 10 mins I'm not coming up with anything that could help. It seems like there are many ways to be protected from the attack, but unless the hotspot you are using is using these methods it seems you're out in the cold on this one.

    And as for Zone Alarm, I can't google any information on anything about it notifying you on ARP poisoning attacks. I'm not saying it doesn't, but you would think since every skript kiddie out there has the power to do this attack that there would be a notifier out there for the masses to protect against this.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Actually I don't think that the answer is that easy...

    I think Iron is asking about a "consumer grade" firewall. Should such a firewall, that can be used in such varied environments, properly try to protect against such shinannegans (sp?) it would cause more problems than they are worth for the user and may end up cutting off all connections because a user who has no clue of what ARP is makes a bad decision.

    Iron: I could be entirely wrong but I think you are asking a bit much from host based firewalls... I know my hardware industrial grade firewall "bitches" all the time about my Exchange server because we load balance it across two NICs... The firewall can't understand that so it whines all the time that the MAC address of Blah, Blah, Blah has changed...

    Then there's the other issue... If I ARP flood a switch your host may not see all the activity required to do it.. When the switch messes up your host may see only one MAC address change.. It's a bit much to kill the network because a MAC address changed on it... In a high security environment that may and probably is quite acceptable, but for sliding in and out of open WAPs it's not practical...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Just download and run iPig from those local hotspots.

    http://www.iopus.com/ipig/
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by brokencrow
    Just download and run iPig from those local hotspots.

    http://www.iopus.com/ipig/
    I've already got VPNs, SSH tunnels and Tor for that. I just want to be able to know when someone is up to some shenanigans. In Linux I'd just run ARP watch. I found a link to something that is like it for Windows but the link is dead.

  8. #8
    I just came across the names of two programs for Windows that watch ARP tables on the Windows platform and thought of this thread. warpwatch and winarp.
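
Added example, not part of any post in this thread and not code from any of the tools named in it: a sketch of the ARP-cache watching discussed above, which compares two snapshots of Windows `arp -a` output and reports a known IP that moved to a new MAC or one MAC answering for several IPs. It assumes English-language `arp -a` output; the function names and the sample tables are constructed for illustration.

```python
import re

# One entry line of English-language Windows `arp -a` output: IP, MAC, type.
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(dynamic|static)\s*$")

def parse_arp_table(text):
    """Return {ip: mac} for the dynamic entries of an `arp -a` dump."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3) == "dynamic":  # static rows include broadcast/multicast
            table[m.group(1)] = m.group(2).lower()
    return table

def compare_snapshots(before, after):
    """Return alert strings for suspicious differences between two snapshots."""
    alerts = []
    for ip, mac in sorted(after.items()):
        old = before.get(ip)
        if old is not None and old != mac:  # known IP now answers from a new MAC
            alerts.append(f"CHANGED {ip}: {old} -> {mac}")
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:  # one adapter claiming several IPs
            alerts.append(f"SHARED {mac}: {', '.join(sorted(ips))}")
    return alerts

# Constructed sample snapshots (not captured from a real network).
BEFORE = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.40          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
AFTER = BEFORE.replace("00-1a-2b-3c-4d-5e", "00-11-22-33-44-55")

if __name__ == "__main__":
    for alert in compare_snapshots(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        print(alert)
```

As post #5 points out, a legitimate change such as NICs being load balanced produces the same alerts, so the output is a prompt to investigate rather than a reason to drop the connection.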
