Tag Archives: mac address

Quick tip: harden your ARP table the easy way (Linux)

ARP spoofing is a good old attack on LAN and still a devastating one, leading to trafic interception (MiTM). You may want to make sure that nobody is tricking on you at office, at a security conference, at you local coffee shop, etc.

Yet, most networks do not have port security and ARP inspect on their switches to mitigate such attacks. So you have to count on yourself.

Most people know how to protect a client , e.g. by maintaining a static mapping of MAC / IP addresses on the operating systems. But almost no one does it, because it would be a pain to manage…

But, really ? No, here is what I do to get a reasonable protection.

I do a few compromises at first:

  1. I am not looking to protect ALL my traffic toward  other peers on the LAN, but at least outbound communications with the gateway and, optionally, with a few critical servers.
  2. An attacker may still poison the gateway and eavesdrop on responses directed to my machine, and get some interesting stuff anyway.
  3. So, this is not a protection on its own. You have to think defense-in-depth : encryption on all your services (TLS), VPN, etc. Especially, depending on where you are, do not rely on the DNS / DHCP servers.

With that said, what follows is a hardening move that you can do on most of Linux distributions, with little pain.

Get the MAC address of the gateway, either by finding it out physically (tag) or by checking it at a safe moment (when ARP spoofing is supposedly not happening).

Fill in a flat file, like /etc/ethers, with mappings like :

 00:11:22:33:44:55  1.2.3.4

Now, NetworkManager will do all the magic.

Create a script like :

 % cat /etc/NetworkManager/dispatcher.d/40-arp 
 #!/bin/bash
 arp -f /etc/ethers

All scripts in the above folder will be executed every time an interface gets up, as long as you give it executable rights :

% chmod +x /etc/NetworkManager/dispatcher.d/40-arp

Now, either execute it directly or unplug / plug back in your interface. You should have a permanent static MAC address now, effectively bypassing the ARP protocol and its weaknesses :

% arp -a -n
? (172.16.100.254) at 00:15:17:9d:d6:d1 [ether] PERM on eth0

Voilà! Should you not use NetworkManager for some reason, you can do something equivalent with ifup scripts in respect with the syntax of you current Linux distribution.

But, let me stress it out once more, to be sure you don’t get me wrong :

Despite an enhancement, this is no a sufficient protection and you may still get pwned ! Authentication and encryption MUST also come into the play, so use only TLS enabled services, HTTPS sites and, ideally, a good IPSEC / SSH / TLS tunnel to carry ALL of your traffic !