February 9th, 2006, 05:29 PM
ARP poisoning and host based firewalls
Anyone know a host-based firewall for Windows that gives alerts whenever it detects someone else ARP poisoning the network? It should be easy to detect from the traffic and quick changes in the ARP cache. I want something I can recommend to folks wanting to use their laptop at local hotspots.
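The detection idea described above (watch the ARP cache and alert on quick changes) as an added example, not code from the thread or from any of the tools it names. It is a small arpwatch-style monitor that parses the output of `arp -a` (the Windows format, with dash-separated MACs, and the colon form are both handled), remembers the IP-to-MAC mapping it has seen, and raises an alert when an entry changes, when the same entry flip-flops several times in a short window, or when the gateway's MAC is also the MAC of another host on the subnet (the usual footprint of a man-in-the-middle). The gateway address, the snapshot text and the thresholds are constructed for the demonstration.

```python
"""Added example: an arpwatch-style ARP cache monitor for Windows `arp -a` output.

Not from the original thread. The sample snapshots, the gateway address and the
thresholds below are constructed for illustration.
"""
import re
import subprocess
import time
from collections import defaultdict

# Matches an IPv4 address followed (on the same line) by a MAC in 00-11-22-33-44-55
# or 00:11:22:33:44:55 form. Header lines such as "Interface: 192.168.1.23 --- 0xb"
# contain no MAC and are skipped.
ARP_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def parse_arp_a(text):
    """Return {ip: mac} from `arp -a` output, MACs normalised to lower-case aa:bb:... form."""
    table = {}
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            ip, mac = m.groups()
            table[ip] = mac.lower().replace("-", ":")
    return table


class ArpWatcher:
    """Tracks IP->MAC bindings across snapshots and reports suspicious changes."""

    def __init__(self, gateway_ip, flip_window=60.0, flip_threshold=2):
        self.gateway_ip = gateway_ip
        self.flip_window = flip_window        # seconds (or snapshot units in the demo)
        self.flip_threshold = flip_threshold  # changes within the window that count as a flip-flop
        self.known = {}                       # ip -> last seen mac
        self.change_times = defaultdict(list)  # ip -> times at which its mac changed

    def observe(self, table, now):
        """Feed one parsed snapshot taken at time `now`; return a list of alert strings."""
        alerts = []
        for ip, mac in table.items():
            old = self.known.get(ip)
            if old is None:
                self.known[ip] = mac  # first sighting: learn it silently
                continue
            if old != mac:
                severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
                alerts.append(f"[{severity}] {ip}: MAC changed {old} -> {mac}")
                self.known[ip] = mac
                self.change_times[ip].append(now)
                recent = [t for t in self.change_times[ip] if now - t < self.flip_window]
                if len(recent) >= self.flip_threshold:
                    alerts.append(
                        f"[HIGH] {ip}: MAC changed {len(recent)} times in the last "
                        f"{self.flip_window:g} units (flip-flopping, typical of poisoning)"
                    )
        # A poisoner answers for the gateway with its own MAC, so the gateway entry
        # and the attacker's own entry end up sharing one MAC.
        gw_mac = table.get(self.gateway_ip)
        if gw_mac:
            for ip, mac in table.items():
                if ip != self.gateway_ip and mac == gw_mac:
                    alerts.append(f"[HIGH] {self.gateway_ip}: gateway MAC {gw_mac} is also the MAC of {ip}")
        return alerts


# Constructed `arp -a` snapshots (Windows layout). In BENIGN the gateway 192.168.1.1 has
# its real MAC; in POISONED it has taken on the MAC of 192.168.1.50, the attacking host.
BENIGN = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
POISONED = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def run_demo():
    """Replay benign -> poisoned -> benign -> poisoned snapshots; return every alert raised."""
    watcher = ArpWatcher("192.168.1.1", flip_window=5, flip_threshold=2)
    alerts = []
    for i, snapshot in enumerate([BENIGN, POISONED, BENIGN, POISONED]):
        alerts.extend(watcher.observe(parse_arp_a(snapshot), now=i))
    return alerts


def live_watch(gateway_ip, interval=2.0):
    """Poll the real ARP cache with `arp -a` (present on Windows and Linux) and print alerts."""
    watcher = ArpWatcher(gateway_ip)
    while True:
        out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
        for alert in watcher.observe(parse_arp_a(out), time.time()):
            print(time.strftime("%H:%M:%S"), alert)
        time.sleep(interval)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Polling `arp -a` only sees the cache, not the traffic, so a spoofed reply that is overwritten before the next poll is missed; a watcher that sniffs ARP replies directly closes that gap, at the cost of needing a capture driver on Windows. The gateway entry is the one worth treating as high severity, since that is the binding an attacker at a hotspot needs to change to sit in the middle.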
February 9th, 2006, 08:51 PM
I don't know of one for Windows.
edited because of incorrect answer.
February 9th, 2006, 09:32 PM
Believe it or not, Zone Alarm Pro v6.1.737.000 does pipe up and alert you with a "suspicious behaviour detected" tab when you try a spot of ARP poisoning.
I don't think it detects a sudden change in the cache though; I'm still looking into it, but I think it may be more to do with unusual traffic within a trusted zone or picking up on a foreign address.
It's inconsistent though: sometimes it picks it up, sometimes it doesn't. I've been messing around with it for a few weeks now on and off and haven't quite worked out what sparks it off. I can definitely say it's not changes to the actual ARP cache though.
Which makes me wonder why it displays a Suspicious Behaviour tab??
PM me if you want to know what I have done so far.
February 9th, 2006, 09:58 PM
I had a look at your question and the answer seems easy enough, but after googling for about 10 minutes I'm not coming up with anything that could help. It seems like there are many ways to be protected from the attack, but unless the hotspot you are using is using these methods it seems you're out in the cold on this one.
And as for Zone Alarm, I can't google any information on it notifying you about ARP poisoning attacks. I'm not saying it doesn't, but you would think that since every script kiddie out there has the power to do this attack there would be a notifier out there for the masses to protect against this.
February 9th, 2006, 10:44 PM
Actually I don't think that the answer is that easy...
I think Iron is asking about a "consumer grade" firewall. Should such a firewall, which can be used in such varied environments, properly try to protect against such shenanigans, it would cause more problems than it is worth for the user and may end up cutting off all connections because a user who has no clue what ARP is makes a bad decision.
Iron: I could be entirely wrong, but I think you are asking a bit much from host-based firewalls... I know my hardware industrial-grade firewall "bitches" all the time about my Exchange server because we load balance it across two NICs... The firewall can't understand that, so it whines all the time that the MAC address of Blah, Blah, Blah has changed...
Then there's the other issue... If I ARP flood a switch, your host may not see all the activity required to do it... When the switch messes up, your host may see only one MAC address change... It's a bit much to kill the network because a MAC address changed on it... In a high-security environment that may be, and probably is, quite acceptable, but for sliding in and out of open WAPs it's not practical...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
February 9th, 2006, 11:13 PM
Just download and run iPig from those local hotspots.
“Everybody is ignorant, only on different subjects.” — Will Rogers
February 10th, 2006, 12:57 AM
I've already got VPNs, SSH tunnels and Tor for that. I just want to be able to know when someone is up to some shenanigans. In Linux I'd just run arpwatch; I found a link to something that is like it for Windows, but the link is dead.
February 16th, 2006, 05:07 PM
I just came across the names of two programs that watch ARP tables on the Windows platform and thought of this thread: warpwatch and winarp.