From: Peter Surda <surda@shurdix.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] arp flood (offtopic?)
Date: Thu, 20 Oct 2005 22:19:10 +0000
Message-ID: <20059210191025342@mail.routehat.org>
In-Reply-To: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
On Wed, 19 Oct 2005 17:44:49 +0300 "Alex" <alex@hostingcenter.ro> wrote:
>Hi guys,
Hi,
>Sorry if this is a little offtopic, but I was wondering what can one do to
>prevent/stop arp flooding ?
As Carl-Daniel already said, the proper way to do this is to clean all the
machines from worms.
I have some tips on how to do this. I am the author of ASPE (Automatic Security
Policy Enforcement), and two of its modules are quite useful for this:
aspe.arpflood and aspe.vulncheck. Unfortunately, ASPE is developed only as a
part of a whole linux distribution so using it on other distributions isn't
straightforward, but fortunately, you don't have to run ASPE on a router, just
put it on some old box (Pentium I with 64MB RAM and one network card should be
sufficient) somewhere on the LAN.
During the last 2 months there has been a substantial rewrite to make ASPE more
configurable, which also had the effect that it is more complex to set up.
Complete and current configuration docs are available here:
http://docs.shurdix.org/aspe:config , but there are no examples yet which makes
it difficult to understand. There is also a short intro, but only in German:
http://shurdeek.shurdix.org/tmp/ASPE.pdf
So I'll post some info here, I hope people won't mind because in my experience a
lot of sites have this problem and I have been working on ASPE for about 2 years
now so it's been tested in action. It's licensed under GPL.
ASPE works like this: there are modules (4 at the moment) and they detect stuff
(both active and passive) and you can define actions it should do when a certain
amount (per IP) of them occurs. The 2 modules for the mentioned problem are:
aspe.arpflood: detects computers that are looking for computers that don't
exist. It uses PCAP to capture ARP requests. ARP requests look like this:
who has A tell B
This tells us 2 things: A is looking for B, and B exists. Next time it sees
something like
who has B tell C
it won't be considered as a part of a flood because it remembers that B exists
(IPs time out after one day of inactivity).
If a computer has been constantly looking for non-existing computers for a
substantial amount of time (configurable) it is considered to be flooding. It is
able to catch worms that scan the network slowly as well.
aspe.vulncheck: looks for Windows computers that are not patched against Sasser.
It has very low overhead (both CPU and network), as large parts are passive, but
high effectiveness.
the actions are:
(these work without any requirements):
- send an email to admin
- notify the computer via winpopup
- execute an external program
(these work only when you use Shurdix' user management)
- send an email to the owner of the computer
- block/unblock internet access
If you can hack up a script that blocks the correct switch port, you can use the
"exec", if not, you can use "mailadmin" (the triggers are not exclusive so you
can use both at the same time too). Here is what the config could look like in
your situation:
/etc/sysconfig/aspe.vulncheck:
dev=eth0
# don't scan more frequently than once an hour (seconds)
maxfreq=3600
# 24 hours
action_vulnerable_timeout=86400
action_patched_timeout=86400
# notify him/her constantly if vulnerable
action_vulnerable_notifyperson_count=*
action_vulnerable_notifyperson_method=winpopup
action_vulnerable_notifyperson_msg=Your computer is vulnerable to the Sasser
Worm. Please visit http://windowsupdate.microsoft.com and update your system.
# thank if patched (don't worry, this will REALLY only be triggered once, not
# everytime the computer connects to the network :-))
action_patched_notifyperson_count=1
action_patched_notifyperson_method=winpopup
action_patched_notifyperson_msg=Thank you for updating your system and keeping
our network safe.
/etc/sysconfig/aspe.arpflood:
#if you want to ignore some computers uncomment next line
#ignore=1.2.3.4
dev=eth0
# 24 hours
action_arp_timeout=86400
# 3 per minute
action_arp_mtba
# after about 10 minutes it's a flood
action_arp_inform_count=30
action_arp_inform_method=mailadmin
action_arp_inform_subj=aspe.arpflood report
action_arp_inform_msg=$ip is flooding
# if you have a script that blocks the switch:
action_arp_kickhim_count=30
action_arp_kickhim_method=exec
action_arp_kickhim_exec=/root/kickhim.sh $ip
/etc/sysconfig/mail:
sender=who@you.want.the.mails.to.be.coming.from
root=admin@email.address
# if you need a relay uncomment following line
#relay=1.2.5.6
For monitoring, grep logs for "aspe", every hit of a defined trigger is logged
(which is usually different from "every occurrence of a problem").
I hope it helps and isn't too confusing. If you have questions, I recommend you
post into the ASPE forum: http://forum.shurdix.org/viewforum.php?f=3 (you can
post in English of course).
>Thanks,
>
>Alex
Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
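The aspe.arpflood heuristic that Peter's message describes (a host that sends an ARP request is remembered as existing for a day; requests for unknown hosts are counted per requester, rate-limited, and an action fires at a threshold), as an added example that is not ASPE's code. It parses raw Ethernet/ARP frames itself rather than reading PCAP, so it runs offline on frames constructed inline. The parameter names, the interpretation of mtba as the minimum number of seconds between two counted misses from one requester, the per-requester counter window, and the special-casing of 0.0.0.0 ARP probes and gratuitous ARP are assumptions made for this example, not documented ASPE behaviour.

```python
import struct
import ipaddress
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST = b"\xff" * 6


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test input: Ethernet II frame carrying 'who has target_ip tell sender_ip'."""
    eth = BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet/IPv4, request
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_request(frame: bytes):
    """Return (sender_ip, target_ip) for an IPv4 ARP request, None for any other frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))
    return sender_ip, target_ip


class ArpFloodDetector:
    """Flags requesters that keep asking for IPs nobody has ever been seen using."""

    def __init__(self, mtba=20, inform_count=30, host_ttl=86400, miss_ttl=86400, ignore=()):
        self.mtba = mtba                  # assumed meaning: min seconds between counted misses
        self.inform_count = inform_count  # misses needed before the 'inform' action fires
        self.host_ttl = host_ttl          # a host is forgotten after a day of inactivity
        self.miss_ttl = miss_ttl          # counted misses older than this no longer count
        self.ignore = set(ignore)         # like the 'ignore=' config key
        self.last_seen = {}               # ip -> last time it proved it exists (sent a request)
        self.misses = defaultdict(list)   # requester ip -> timestamps of counted misses

    def known(self, ip: str, now: float) -> bool:
        seen = self.last_seen.get(ip)
        return seen is not None and now - seen <= self.host_ttl

    def observe(self, frame: bytes, now: float):
        """Feed one frame; returns ('inform', requester) when the threshold is reached."""
        parsed = parse_arp_request(frame)
        if parsed is None:
            return None
        sender, target = parsed
        if sender == "0.0.0.0":           # ARP probe (RFC 5227): proves nothing about sender
            return None
        self.last_seen[sender] = now      # 'tell B' means B exists
        if sender in self.ignore or sender == target or self.known(target, now):
            return None                   # gratuitous ARP or lookup of a real host: not a miss
        hits = [t for t in self.misses[sender] if now - t <= self.miss_ttl]
        if hits and now - hits[-1] < self.mtba:
            self.misses[sender] = hits    # too soon after the last counted miss: rate-limit
            return None
        hits.append(now)
        self.misses[sender] = hits
        if len(hits) == self.inform_count:
            return ("inform", sender)     # what 'action_arp_inform_method=mailadmin' would act on
        return None


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.5 sweeps unused addresses every 20 seconds.
    det = ArpFloodDetector(mtba=20, inform_count=30)
    mac = bytes.fromhex("0011223344ff")
    for i in range(30):
        event = det.observe(build_arp_request(mac, "10.0.0.5", "10.0.0.%d" % (100 + i)), 1000 + i * 20)
        if event:
            print("after %d misses:" % (i + 1), event)
```

Because a requester is only ever counted against targets that have never spoken on the segment, a worm scanning slowly is caught just as a fast one is, while a host resolving a peer it has seen before costs nothing; a legitimate host that probes a stale address from its own cache will accumulate one miss per mtba interval and sits well under the threshold.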
Thread overview: 7+ messages
2005-10-19 14:44 [LARTC] arp flood (offtopic?) Alex
2005-10-19 14:51 ` Carl-Daniel Hailfinger
2005-10-19 18:04 ` Marek Kierdelewicz
2005-10-19 20:55 ` Alex
2005-10-19 22:09 ` Carl-Daniel Hailfinger
2005-10-20 8:33 ` Oscar Mechanic
2005-10-20 22:19 ` Peter Surda [this message]