Static ARP entry to fight against fake routers and ARP poisoning

I am currently studying ARP spoofing attacks (MITM).
Most common Linux distributions seem to be exposed to this kind of attack by default.
However, a simple solution seems to be setting the gateway ARP entry to static.



Is there a way with NetworkManager (dispatcher.d) to automatically set a gateway ARP entry to static (or get the same effect)? Or is there a parameter to set in sysctl.conf to avoid ARP poisoning? Or maybe another way to achieve this?







asked Jan 30 at 19:41 by Inglebard
edited Feb 3 at 12:55 by Jeff Schaller
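One way to do what the question asks, as an added example that is not part of the original question or of either answer: a NetworkManager dispatcher script that reads the trusted gateway MAC for an interface from a file and installs a PERMANENT neighbour entry with iproute2 whenever that interface comes up or its DHCPv4 lease changes. The install path /etc/NetworkManager/dispatcher.d/50-pin-gateway-arp, the pin-file directory /etc/arp-pins/<interface> and the log tag are assumptions of this example; `up` and `dhcp4-change` are real dispatcher actions, and `ip -4 route show`, `ip neigh show` and `ip neigh replace ... nud permanent` are standard iproute2 invocations. Before overwriting, the script logs when the MAC the kernel has learned for the gateway differs from the recorded one, which is the observable symptom of either a replaced router or a poisoned table. It pins whatever default gateway the interface currently has, so a rogue DHCP server handing out a different gateway address is outside what it can catch (the point Pedro's answer below makes).

```shell
#!/bin/sh
# Added example (not from the original question or answers): a NetworkManager
# dispatcher script that pins the default gateway's ARP entry after an interface
# comes up. Hypothetical install path: /etc/NetworkManager/dispatcher.d/50-pin-gateway-arp
# Assumptions: iproute2 (`ip`) and `logger` are available; the trusted gateway MAC
# for each interface has been recorded out of band in /etc/arp-pins/<interface>
# (an assumed location, one MAC per file).
#
# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>

IFACE="$1"
ACTION="$2"
PIN_DIR="${PIN_DIR:-/etc/arp-pins}"   # assumed location of the per-interface pin files
TAG="pin-gateway-arp"

# Extract the IPv4 default gateway for interface $1 from `ip -4 route show`
# output read on stdin. Pure text processing, so it is testable offline.
gateway_from_routes() {
    awk -v ifc="$1" '
        $1 == "default" && $2 == "via" {
            for (i = 4; i < NF; i++)
                if ($i == "dev" && $(i + 1) == ifc) { print $3; exit }
        }'
}

# Extract the link-layer address from `ip neigh show` output on stdin
# (e.g. "192.168.1.1 lladdr 00:11:22:aa:bb:cc REACHABLE"); prints nothing if absent.
neigh_mac() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit } }'
}

# Accept only a well-formed colon-separated MAC, so a corrupted pin file cannot
# feed arbitrary words into the `ip neigh` command line.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Arguments for `ip` that install a permanent (static) neighbour entry:
# $1 interface, $2 gateway IPv4 address, $3 gateway MAC.
pin_args() {
    printf 'neigh replace %s lladdr %s dev %s nud permanent\n' "$2" "$3" "$1"
}

main() {
    case "$ACTION" in
        up|dhcp4-change) ;;          # (re)apply when the link or its DHCP lease changes
        *) return 0 ;;               # ignore down, vpn-*, hostname, ...
    esac

    pin_file="$PIN_DIR/$IFACE"
    if [ ! -r "$pin_file" ]; then
        logger -t "$TAG" "no pin file for $IFACE, leaving ARP dynamic"
        return 0
    fi
    expected_mac=$(head -n 1 "$pin_file" | tr 'A-F' 'a-f')
    if ! is_mac "$expected_mac"; then
        logger -t "$TAG" "malformed MAC in $pin_file, refusing to pin"
        return 1
    fi

    gw=$(ip -4 route show | gateway_from_routes "$IFACE")
    if [ -z "$gw" ]; then
        logger -t "$TAG" "no default gateway on $IFACE yet"
        return 0
    fi

    # Detection: a learned MAC that differs from the recorded one deserves an alert
    # before it is overwritten, whether the cause is a replaced router or poisoning.
    current_mac=$(ip -4 neigh show to "$gw" dev "$IFACE" | neigh_mac)
    if [ -n "$current_mac" ] && [ "$current_mac" != "$expected_mac" ]; then
        logger -p auth.warning -t "$TAG" \
            "gateway $gw on $IFACE resolved to $current_mac, expected $expected_mac"
    fi

    # shellcheck disable=SC2046  # word splitting of pin_args output is intended
    ip $(pin_args "$IFACE" "$gw" "$expected_mac")
    logger -t "$TAG" "pinned $gw -> $expected_mac on $IFACE"
}

main
```

Dispatcher scripts must be owned by root, executable, and not writable by group or others, or NetworkManager refuses to run them; since they run as root, the pin-file directory should be root-writable only as well. Record each MAC in its pin file while on a network you trust (for example from `ip neigh show` on first setup), otherwise the script pins whatever answered at that moment.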




















2 Answers
Conceptually yes, pinning some MAC addresses is a possible solution (as per @daniel's answer above), but there are many drawbacks to it:

• Whilst you can add static ARP entries, your attacker can still spoof the gateway and your MACs, and both systems will parse the attacker's frames;

• If your system is getting its L3 configuration via DHCP, the attacker can attack that to ensure you are using a different gateway, in which case pinning the MAC of the real gateway will make no difference;

• You will struggle to maintain a list of static entries, since all systems will need configuring manually.





answered Feb 19 at 17:59 by Pedro

Spoof/poisoning is indeed the problem. Quite good answer +1
– Rui F Ribeiro, Feb 19 at 18:03
I advise you to first test it with:

    arp -s router_hostname router_ethernet_addr

where router_ethernet_addr is the MAC (Ethernet or 802.11) address of your router.
To check on your particular Linux distribution, read:

    man arp

When this is OK, I suggest rejecting any dynamic additions to your ARP table with:

    sysctl -w net.ipv4.conf.all.arp_accept=0
    sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1

To check this syntax, read:

    man sysctl
    man sysctl.conf

Then test by making a fake router reply within your network and check whether its Ethernet (or 802.11) address is accepted or not.






answered Feb 3 at 10:17 by daniel Azuelos
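To verify that the static entry and the two sysctls from this answer are actually in effect, here is an added audit script; it is not part of the answer. It reads the `arp_accept` and `drop_gratuitous_arp` flags from both `net.ipv4.conf.all` and `net.ipv4.conf.<interface>` (the keys live under those prefixes, which `sysctl` exposes as files under /proc/sys) and checks that the gateway's entry in `ip neigh show` output is PERMANENT rather than a dynamic state such as REACHABLE or STALE. The proc root is a parameter so the checks can run against a constructed directory tree; on a live host it defaults to /proc/sys. Two caveats the answer does not spell out: `arp_accept=0` is the kernel default and only stops unsolicited ARP from *creating* entries, while an existing dynamic entry is still updated by a forged reply, which is exactly what poisoning does, so the PERMANENT entry is the part that prevents the overwrite; and for both flags the kernel treats the setting as on when either `conf/all` or the per-interface key is 1, so the audit takes the larger of the two.

```shell
#!/bin/sh
# Added example (not part of the original answer): audit whether the static ARP pin
# and the arp_accept / drop_gratuitous_arp hardening are in effect for one interface.
# Assumes iproute2 for the live `ip neigh show` call. The sysctl root is a parameter
# so the checks can run against a constructed directory; on a live host it defaults
# to /proc/sys, where the kernel exposes net.ipv4.conf.<iface>.<flag> as files.

# Full key name as `sysctl` would print it for a per-interface ARP flag.
arp_key() { printf 'net.ipv4.conf.%s.%s\n' "$1" "$2"; }

# Raw value of one ARP flag file: $1 interface (or "all"), $2 flag, $3 proc root.
# Prints the value, or "missing" if the file is not there.
read_arp_sysctl() {
    f="${3:-/proc/sys}/net/ipv4/conf/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Effective value of a boolean ARP flag. For arp_accept and drop_gratuitous_arp
# the kernel ORs conf/all with the per-interface key, so the flag is on when
# either file holds 1. Prints 0, 1, or "missing" when neither file exists.
effective_arp_flag() {
    a=$(read_arp_sysctl all "$2" "$3")
    i=$(read_arp_sysctl "$1" "$2" "$3")
    if [ "$a" = missing ] && [ "$i" = missing ]; then echo missing
    elif [ "$a" = 1 ] || [ "$i" = 1 ]; then echo 1
    else echo 0
    fi
}

# Neighbour state of gateway $1 from `ip neigh show` output on stdin, e.g.
# "192.168.1.1 lladdr 00:11:22:aa:bb:cc PERMANENT". Prints the last field
# (PERMANENT, REACHABLE, STALE, FAILED, ...) or "absent" if there is no entry.
gateway_neigh_state() {
    awk -v gw="$1" '
        $1 == gw { print $NF; found = 1; exit }
        END { if (!found) print "absent" }'
}

# Audit one interface: $1 interface, $2 gateway IPv4 address, $3 optional proc
# root. The neighbour table comes on stdin. Prints one line per finding and
# returns 0 only when the gateway entry is PERMANENT and both flags are hardened.
audit_interface() {
    iface=$1; gw=$2; root=${3:-/proc/sys}; rc=0
    state=$(gateway_neigh_state "$gw")
    if [ "$state" = PERMANENT ]; then
        echo "ok   $gw on $iface is a static (PERMANENT) entry"
    else
        echo "FAIL $gw on $iface is $state: a dynamic entry is overwritten by any forged reply"
        rc=1
    fi
    for want in arp_accept=0 drop_gratuitous_arp=1; do
        flag=${want%=*}; value=${want#*=}
        have=$(effective_arp_flag "$iface" "$flag" "$root")
        if [ "$have" = "$value" ]; then
            echo "ok   $(arp_key "$iface" "$flag") effective value $have"
        else
            echo "FAIL $(arp_key "$iface" "$flag") effective value $have (want $value)"
            rc=1
        fi
    done
    return $rc
}

# Live usage: ./arp-audit.sh eth0 192.168.1.1  (runs only when both args are given)
if [ $# -eq 2 ]; then
    ip -4 neigh show dev "$1" | audit_interface "$1" "$2"
fi
```

Run it after applying the answer's commands and again after the fake-router test the answer suggests: the gateway line should stay PERMANENT with the recorded MAC, and a FAIL on `drop_gratuitous_arp` usually means the value was written to a different interface than the one the gateway is reached through.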






















                     
