From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Surda
Date: Thu, 20 Oct 2005 22:19:10 +0000
Subject: Re: [LARTC] arp flood (offtopic?)
Message-Id: <20059210191025342@mail.routehat.org>
List-Id:
References: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
In-Reply-To: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

On Wed, 19 Oct 2005 17:44:49 +0300 "Alex" wrote:

>Hi guys,

Hi,

>Sorry if this is a little offtopic, but I was wondering what can one do to
>prevent/stop arp flooding ?

As Carl-Daniel already said, the proper way to do this is to clean all the machines from worms. I have some tips on how to do this.

I am the author of ASPE (Automatic Security Policy Enforcement), and two of its modules are quite useful for this: aspe.arpflood and aspe.vulncheck. Unfortunately, ASPE is developed only as a part of a whole Linux distribution so using it on other distributions isn't straightforward, but fortunately, you don't have to run ASPE on a router, just put it on some old box (Pentium I with 64MB RAM and one network card should be sufficient) somewhere on the LAN.

During the last 2 months there has been a substantial rewrite to make ASPE more configurable, which had also the effect that it is more complex to set up. Complete and current configuration docs are available here: http://docs.shurdix.org/aspe:config , but there are no examples yet which makes it difficult to understand. There is also a short intro, but only in German: http://shurdeek.shurdix.org/tmp/ASPE.pdf

So I'll post some info here, I hope people won't mind because in my experience a lot of sites have this problem and I have been working on ASPE for about 2 years now so it's been tested in action. It's licensed under GPL.

ASPE works like this: there are modules (4 at the moment) and they detect stuff (both active and passive) and you can define actions it should do when a certain amount (per IP) of them occurs. The 2 modules for the mentioned problem are:

aspe.arpflood: detects computers that are looking for computers that don't exist. It uses PCAP to capture ARP requests. ARP requests look like this:

    who has A tell B

This tells us 2 things: A is looking for B, and A exists. The next time it sees something like

    who has B tell C

it won't be considered as a part of the flood because it remembers that B exists (IPs time out after one day of inactivity). If a computer has been constantly looking for non-existing computers for a substantial amount of time (configurable) it is considered to be flooding. It is able to catch worms that scan the network slowly as well.

aspe.vulncheck: looks for Windows computers that are not patched against Sasser. It has very low overhead (both CPU and network), as large parts are passive, but high effectiveness.

The actions are:

(these work without any requirements)
- send an email to admin
- notify the computer via winpopup
- execute an external program

(these work only when you use Shurdix' user management)
- send an email to the owner of the computer
- block/unblock internet access

If you can hack up a script that blocks the correct switch port, you can use the "exec", if not, you can use "mailadmin" (the triggers are not exclusive so you can use both at the same time too). Here is what the config could look like in your situation:

/etc/sysconfig/aspe.vulncheck:

    dev=eth0
    # don't scan more frequently than once an hour
    maxfreq=3600
    action_vulnerable_timeout=86400
    action_patched_timeout=86400
    # notify him/her constantly if vulnerable
    action_vulnerable_notifyperson_count=*
    action_vulnerable_notifyperson_method=winpopup
    action_vulnerable_notifyperson_msg=Your computer is vulnerable to the Sasser Worm. Please visit http://windowsupdate.microsoft.com and update your system.
    # thank if patched (don't worry, this will REALLY only be triggered once, not
    # every time the computer connects to the network :-))
    action_patched_notifyperson_count=1
    action_patched_notifyperson_method=winpopup
    action_patched_notifyperson_msg=Thank you for updating your system and keeping our network safe.

/etc/sysconfig/aspe.arpflood:

    # if you want to ignore some computers uncomment next line
    #ignore=1.2.3.4
    dev=eth0
    # 24 hours
    action_arp_timeout=86400
    # 3 per minute
    action_arp_mtba=20
    # after about 10 minutes it's a flood
    action_arp_inform_count=30
    action_arp_inform_method=mailadmin
    action_arp_inform_subj=aspe.arpflood report
    action_arp_inform_msg=$ip is flooding
    # if you have a script that blocks the switch:
    action_arp_kickhim_count=30
    action_arp_kickhim_method=exec
    action_arp_kickhim_exec=/root/kickhim.sh $ip

/etc/sysconfig/mail:

    sender=who@you.want.the.mails.to.be.coming.from
    root=admin@email.address
    # if you need a relay uncomment following line
    #relay=1.2.5.6

For monitoring, grep logs for "aspe", every hit of a defined trigger is logged (which is usually different from "every occurrence of a problem").

I hope it helps and isn't too confusing. If you have questions, I recommend you post into the ASPE forum: http://forum.shurdix.org/viewforum.php?f=3 (you can post in English of course).

>Thanks,
>
>Alex

Yours sincerely,

Peter

-- 
http://www.shurdix.org - Linux distribution for routers and firewalls

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
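The per-IP heuristic that aspe.arpflood is described as using, written up as an added Python example (not ASPE's own code): in "who has A tell B" the sender B is the host that demonstrably exists, known hosts expire after action_arp_timeout seconds, and requests for unknown hosts are counted per asking IP. How ASPE combines mtba and count is assumed here (a source is flagged once count such requests arrive with a mean spacing of at most mtba seconds), and the traffic in run_sample is constructed.

```python
from collections import defaultdict, deque

# Parameters as in the aspe.arpflood config quoted in the mail
ARP_TIMEOUT = 86400  # forget a host after a day of ARP silence
MTBA = 20            # mean time between ARPs (seconds) treated as flooding
COUNT = 30           # misses needed before a trigger fires (~10 min at MTBA)


class ArpFloodDetector:
    """Per-source count of ARP requests for hosts not known to exist."""

    def __init__(self, timeout=ARP_TIMEOUT, mtba=MTBA, count=COUNT):
        self.timeout, self.mtba, self.count = timeout, mtba, count
        self.last_seen = {}  # ip -> last time the host proved it exists
        self.misses = defaultdict(lambda: deque(maxlen=count))

    def exists(self, ip, now):
        seen = self.last_seen.get(ip)
        return seen is not None and now - seen <= self.timeout

    def observe(self, who_has, tell, now):
        """One 'who has <who_has> tell <tell>' request; True if <tell> floods."""
        self.last_seen[tell] = now  # the asker exists: it just sent a frame
        if self.exists(who_has, now):
            return False  # target is known to exist, so not part of a flood
        misses = self.misses[tell]
        misses.append(now)
        if len(misses) < self.count:
            return False
        # assumed reading of mtba/count: flood once the last COUNT misses
        # arrive with a mean spacing of at most MTBA seconds
        return (misses[-1] - misses[0]) / (self.count - 1) <= self.mtba


def run_sample():
    """Constructed traffic: a sweeping scanner, a normal client, a stale host."""
    det = ArpFloodDetector()
    flagged = set()
    det.observe("10.0.0.1", "10.0.0.50", 0)  # 10.0.0.50 shows it exists
    for i in range(30):  # 10.0.0.9 asks for 30 dead addresses, one per 20 s
        if det.observe(f"10.0.0.{100 + i}", "10.0.0.9", 20 * i):
            flagged.add("10.0.0.9")
    for i in range(30):  # 10.0.0.7 asks for the known host at the same rate
        if det.observe("10.0.0.50", "10.0.0.7", 20 * i):
            flagged.add("10.0.0.7")
    # a day later 10.0.0.50 has timed out, so asking for it counts as a miss
    det.observe("10.0.0.50", "10.0.0.8", ARP_TIMEOUT + 1)
    still_known = det.exists("10.0.0.50", ARP_TIMEOUT + 1)
    return flagged, still_known, len(det.misses["10.0.0.8"])
```

The scanner is flagged only on its 30th miss, while the client asking for a host that has already sent traffic never accumulates a miss.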