# The Ubuntu Forum Community > Ubuntu Specialised Support > Security > [all variants] Guarding against ARP poisoning attacks

## DizerX

Hey there everyone  :Smile: 

I'm using Ubuntu for over 3 months now, you can call me a newbie, my problem is that i'm on a LAN which i use to access the internet and i share my connection with others, there's an idiot on my network using some spoofing software to stop others from accessing the internet.

On Windows, i have the tools to guard my ARP table and even to cut him off (Revenge is sweet  :Very Happy: ), but on Ubuntu, i'm totally helpless.

Even if i use "arp -s" command on linux to make the true MAC address static, that idiot is spoofing both ways, means that even if i do this, he still stops the data stream that the router sends to me, so it's useless.

I need some way -besides fixing the MAC of the router on my local machine- to send constant continuous ARP packet requests to the router to tell the router my real MAC address, so as to keep the data flow streaming smoothly.

Please guys i need your help, i can't even update my Ubuntu!

Note: please don't forget that i'm very new to linux, so please be patient and explain everything in details.

Thank you very much...

----------


## caljohnsmith

Check out "ARPon":

https://sourceforge.net/projects/arpon/

And also "ARP Watch":

http://www.securityfocus.com/tools/142

Let me know how it goes, I will be interested in your success.  :Smile:

----------


## DizerX

Thanks you veeeeeery much, but just like i said, i'm a newbie, i don't even know how to compile these source code files of ArpON  :Very Happy: 

Isn't there an already compiled package or something, or else please tell me the commands to compile and install it.

Thank you very much an sorry for bothering you  :Smile:

----------


## caljohnsmith

After reading your first post more carefully, I realized that those two programs I listed will only detect ARP changes in your computers ARP cache; I don't think they can actually prevent the ARP poisoning from happening, which is of course what you want. Which program are you using in Windows to prevent the ARP poisoning?

----------


## DizerX

First, i used a program i wrote myself in VB, it's whole idea is that it detects the real MAC address of the router and stores it in a variable, then it keeps checking the ARP cache table every 1 ms for changes, if any change occured in the MAC address of the router, then this is a spoof attemp, the program then clears the ARP cache table, and pings the router, this here does two things, first it cleans my local table, second, when it pings the router, it sends along an ARP packet request, so it tells the router that "here i am i'm at MAC address xx-xx-xx-xx-xx-xx".

It keeps repeating this until the spoof attemp is stopped, it's not a very smart way you know but it worked really nice.

The second software which i'm using now is a little bit smarter, it's called StopCut(http://www.mansoura.biz/), it uses the "arp -s" command to make the MAC address static, then it keeps sending arp packet requests constantly and continuously to the router, which also does the trick.

Is there anything similar in linux? Trust me if i knew how to write a software in Python or C i would've done it but i only know VB  :Very Happy: .

Thanks alot

----------


## caljohnsmith

It sounds like you could easily create a bash script to do everything you  want, but only if you know the command in linux to send an ARP announcement to the router with your MAC address. I know various ARP programs for requesting the MAC address for a given IP address, but I don't know offhand how to do the opposite and announce the MAC. I would think there has got to be an easy way to do it, and if you can't find an easy way I bet that a program like "ettercap" will surely do it. 

If you can find a way to do the ARP announcement part, I think we can put together a bash script to do basically what that "StopCut" program does.  :Smile:

----------


## DizerX

Exactly, but requesting a MAC address from a specific IP requires sending your real MAC address, so sending a request to the router will fix its ARP table and update it with my MAC address, it will do the trick just fine.

I searched the internet and i found a command called "arping", i think it does what i think it does, if you know any better commands please tell me.

I think right now i do need a script now to keep repeating this command forever or something  :Smile: 

I also think i'll go to sleep now, i haven't slept for a pretty long time trying to fix some weird driver issues in my Ubuntu  :Very Happy: , and when i wake up i'll start trying to apply this idea, i hope it works.

Thanks alot and see you tomorrow  :Very Happy:

----------


## caljohnsmith

Well if you think that a simple ARP request to the router will be enough for the router to update its own ARP table with your computer's MAC, you can use arping to do that with:


```
arping -c1 -I wlan0 192.168.1.1
```

Where wlan0 is your wireless NIC and you can replace the address above with your router's own IP. The above command sends a single request and will return your router's MAC address. Before we try to put it in a script, can you verify that the above command actually causes the router to update its ARP table with your computer's MAC? That's really the key here I think.  :Smile:

----------


## cdenley

> Well if you think that a simple ARP request to the router will be enough for the router to update its own ARP table with your computer's MAC, you can use arping to do that with:
> 
> 
> ```
> arping -c1 -I wlan0 192.168.1.1
> ```
> 
> Where wlan0 is your wireless NIC and you can replace the address above with your router's own IP. The above command sends a single request and will return your router's MAC address. Before we try to put it in a script, can you verify that the above command actually causes the router to update its ARP table with your computer's MAC? That's really the key here I think.


Are arp tables updated in response to ARP requests? You can send ARP replies with arping.


```
sudo arping -c 1 -A 192.168.1.100
```

You can make a script like this


```
#!/bin/sh
while [ 1 ]
do
arping -q -c 1 -A 192.168.1.100
sleep 0.5
done
```

This will broadcast an arp reply with your correct MAC addres every half second so other people won't be impersonating you. You will, however, be competing with the attacker, since he will be doing the same thing. A solution like this might help, but this person will keep wreaking havoc on your switched network until your network admin does something about it.

----------


## caljohnsmith

> Are arp tables updated in response to ARP requests? You can send ARP replies with arping.
> 
> 
> ```
> sudo arping -c 1 -A 192.168.1.100
> ```


+1. If the ARP tables in his router are updated in response to unrequested replies using your above method, then I think your method above is a lot more ideal then doing an ARP request as I gave in my previous post; with a simple ARP reply, his computer wouldn't need to wait for the reply like if he does an ARP request like I gave. 



> You can make a script like this
> 
> 
> ```
> #!/bin/sh
> while [ 1 ]
> do
> arping -q -c 1 -A 192.168.1.100
> sleep 0.5
> ...


One small clarification I think we should make is that the above IP should be for his router, not his computer (I think it is worth mentioning that in case it isn't obvious). Also, just one thing to add to your script though, I think he should also add inside that loop:


```
arp -s 192.168.1.150 00:14:BF:D6:CD:2A
```

Where the IP and MAC above is for his computer. I think that is important because it sounds like the hacker is poisoning both his own ARP cache and also the router's ARP table.

----------


## timcredible

why don't you just call the support people for whatever lan you're using and ask them to find the culprit and kick them off the network?

----------


## cdenley

> +1. If the ARP tables in his router are updated in response to unrequested replies using your above method, then I think your method above is a lot more ideal then doing an ARP request as I gave in my previous post; with a simple ARP reply, his computer wouldn't need to wait for the reply like if he does an ARP request like I gave. 
> 
> One small clarification I think we should make is that the above IP should be for his router, not his computer (I think it is worth mentioning that in case it isn't obvious). Also, just one thing to add to your script though, I think he should also add inside that loop:
> 
> 
> ```
> arp -s 192.168.1.150 00:14:BF:D6:CD:2A
> ```
> 
> Where the IP and MAC above is for his computer. I think that is important because it sounds like the hacker is poisoning both his own ARP cache and also the router's ARP table.


It won't work if you use the router's IP address. You must use your own IP address. It will broadcast it to the entire network, so there is no need to specify the destination. I believe the "arp -s" command is permanent, so I don't think a spoofed reply would change the arp entry for the router. I could be wrong, though.

----------


## DizerX

Thanks alot to all of you guys, and i already informed the admin and told him the MAC & IP of this attacker and he told me that he'll warn him.

But now i need someone to attack me again to test these codes  :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

As for the discussion, i've studied ARP poisoning for a long time and like i mentioned before i did write a -not so bad- software in visual basic to guard against the attacks,so i have some good experience with the whole ARP thing, i believe that every ARP packet sent, whether it's a reply or a request, leads to updating the destination with the MAC of the source.

So now, i only need a loop which keeps sending ARP (requests or replies) to the destination, and as for the local ARP table, the "arp -s" command if it was used once it is fixed until ubuntu restarts, any recieved external ARP packets won't affect my local table after "arp -s".

So i just have to use "arp -s" once, and use "arping" continuously.

"arp -s" is used with the IP and MAC address of the router, i read somewhere however that if you used it to fix your own IP and MAC on your local table it leads to a wide broadcast on the network, so it may fix it too, but i'm not sure about this piece of information.

I'll test our theories as soon as i get the chance, if anyone has anymore ideas please share it  :Smile: 

Thanks alot guys

----------


## SomeoneSimple

Hi there. I hope you won't mind me kicking up this thread. 

I am actually roughly in the same position as DizerX, except for the fact that you could call my network an 'unmanaged testing environment' (more precisely, it is an school for digital forensics). Recently ARP poisoning is explained and almost everyone in my classes try to ARP poison the whole subnet (either as a prank, or accidentally).

Since I like some privacy and since letting the subnet being ARP poisoned by a single PC (or worse, a notebook) results in a seriously slow internet experience, I'd like some ARP-spoof protection. 

So, how to do this? Will this script do the job? 



```
#!/bin/sh
arp -s 192.168.1.60 00:11:22:33:44:55
while [ 1 ]
do
arping -q -c 1 -A 192.168.1.1
sleep 0.5
done
```

"192.168.1.60 00:11:22:33:44:55" = my own IP & MAC
"192.168.1.1" = gateway/router

Would that be sufficient, or are there other/better alternatives. Also, is there a way for giving me a heads-up when (or even better, by who) I am being ARP poisoned?

----------


## zero-n

You can try to use ( ArpOn ) from this link it's .deb :

http://packages.ubuntu.com/jaunty/i386/arpon/download

ArpOn used from detecting and stopping ARP poisoning if you are in static or dynamic network environment it's used SARPI and DARPI in order to stop ARP poisoning.

I hope it will work with you.

----------


## zero-n

I suffer from this problem too, but i think i got it solved by running this script you can maintain your ARP table.



```
#!/bin/sh
while [ 1 ]
do
arp -s x.x.x.x yy:yy:yy:yy:yy:yy
sleep 0.1
done
```

where ( x.x.x.x ) is your router IP address & ( yy:yy:yy:yy:yy:yy ) is your router MAC address.
( arp -s ) command is used to specify a static ARP entry in the ARP table so by the above script you are rewriting the correct ARP entry of your router 10 times per second. I thought this is enough to maintain your ARP table against ARP poisoning attack.

thanks for cdenley for the script i have only done a few modification on it.

----------


## MonkeyMayhem

I tried running the script(s) and could not get it to work.

WARNING: Interface is ignored: Operation not permitted
bind: Cannot assign requested address

I'm rather new to ubuntu and believe someone is ARP poisoning my router and/or computer.

----------


## KIAaze

> I tried running the script(s) and could not get it to work.
> 
> WARNING: Interface is ignored: Operation not permitted
> bind: Cannot assign requested address
> 
> I'm rather new to ubuntu and believe someone is ARP poisoning my router and/or computer.


You probably need to run it as root.
Try running the "arp -s x.x.x.x yy:yy:yy:yy:yy:yy" command alone first.
If it only work as root, the script will only work as root.

Of course a cleaner and better way would be to install "arpon" as was suggested here:
http://packages.ubuntu.com/jaunty/arpon


```
sudo apt-get install arpon
```

If you still want to run the script:
"Running as root" on Ubuntu basically means run it with sudo.  :Wink: 
Afterwards, if you want to always run it on boot, just add a line like this to /etc/rc.local :


```
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/path_to_script/script.sh &

exit 0
```

Anyway, very interesting thread. I had never heard about ARP poisoning or even digital forensics schools. 8)
My only knowledge of ARP requests was from WEP cracking with aircrack-ng.

----------


## MonkeyMayhem

I had installed arpon and used it for a short time.  It was on for 1-2 hours before I noticed my laptop was getting very hot.  I checked cpu usage, being 100% and then the temperature.  It was at 80 C.  At first I wasn't sure what was causing the high cpu usage.  I had installed a number of programs.  Only after I removed arpon did everything went back down to normal.

----------


## KIAaze

Well then use the script if it works. :/
I haven't tried arpon myself and don't really plan to right now since I wouldn't even know how to test if it works.

You could also try playing with command-line options: http://arpon.sourceforge.net/manpage.html


```
-m (--ping-timeout) <"Timeout">
               Sets Arp Ping response timeout (Default: 500 ms).
 -u (--sarpi-timeout) <"Timeout">
              Sets Arp Cache refresh timeout (Default: 10 minutes).
  -z (--darpi-timeout) <"Timeout">
              Sets DARPI Cache entry timeout (Default: 500 milliseconds).
```

Documentation on the official arpon site: http://arpon.sourceforge.net/documentation.html

----------

