
ARP spoofing detection/prevention seems to be quite popular here. With other techniques like port stealing aside, I'm wondering if the following could work to prevent it:

Whenever my Linux workstation gets network connection, I could auto-add a static ARP entry designated with the MAC address of the default gateway as obtained at that moment. (Supposedly, gateway NICs don't just change their MACs afterwards.)

Implemented as something like the following script, which can be put into /etc/network/if-{up,down}.d on a Debian-based GNU/Linux (or in /etc/NetworkManager/dispatcher.d wherever that is used):

#!/bin/sh

# If not Debian, account for NetworkManager's dispatcher.d, which passes the
# interface and action as positional arguments instead of environment variables
IFACE="${IFACE:-$1}" MODE="${MODE:-$2}"

# Support eth/wlan/wwan interfaces only
case "$IFACE" in
    en*|eth*|wl*|ww*) ;;
    *) exit 0 ;;
esac

# Per-interface list of the neighbours pinned while the link was up
neighbors="/run/ifup.$(basename "$0").$IFACE"

case "$MODE" in
    start|*up*)
        # Give DHCP and the first ARP exchange a moment to complete
        sleep 6
        # `arp -an` prints lines like "? (192.0.2.1) at d8:d7:21:22:5a:f4 [ether] on eth0";
        # keep the IP and MAC fields and skip entries that are still <incomplete>
        arp -an -i "$IFACE" | grep -v '<incomplete>' \
            | cut -d' ' -f 2,4 | tr -d '()' > "$neighbors"
        while read -r host hwaddr; do arp -i "$IFACE" -s "$host" "$hwaddr"; done < "$neighbors"
        ;;
    stop|*down*)
        [ -f "$neighbors" ] || exit 0
        while read -r host _hwaddr; do arp -i "$IFACE" -d "$host"; done < "$neighbors"
        rm -f "$neighbors"
        ;;
esac

I guess there is a race condition right after the connection is established, but other than that, to secure the MAC of the default gateway if nothing else, would something lightweight like this work and work well enough to set it and forget it? Would it get in the way of wifi roaming? Are there any other considerations?

K3---rnc
  • The whole idea strikes me as really brittle. It might be an interesting experiment to see what unexpected situations this might not work in. I can't come up with any off the top of my head, but the real world is often more complex than you might think. Frankly it doesn't really seem worth it to prevent rare instances of ARP spoofing, especially as a general solution for anyone not intimately familiar with low level networking. – Steve Sether Nov 02 '15 at 15:58
  • In practice, I have been using it for a month now and haven't yet experienced issues, except that the connection doesn't always establish in 6 seconds and thus the ARP table is still empty when the gist of the script fires. – K3---rnc Nov 02 '15 at 16:10
  • Or just use arpwatch and fail2ban (which might still expose a small window of opportunity) – symcbean Nov 23 '15 at 23:46

2 Answers


I did not analyse your script. However, it looks complex.

Why don't you use ARPtables? It's like IPtables, but for ARP.

Block ARP traffic from all machines (default: DENY)
arptables -P INPUT DROP

Allow router (fixed ARP)
arptables -A INPUT --source-mac d8:d7:21:22:5a:f4 -j ACCEPT

This way you will only exchange ARP packets with your router.

Source: http://linux-audit.com/filtering-arp-traffic-with-linux-arptables/

Vilican
Nate
  • First and foremost because I use a laptop and regularly connect to access points in living rooms, offices, cafés, ... not all I'd care to enumerate by MAC manually. Were it for a home router only, I could easily set up a static ARP entry. – K3---rnc Nov 02 '15 at 15:44
  • Enumerating is the only "more secure" way of doing it. In a foreign environment there is no way (at the Ethernet layer) to know if a MAC address is a rogue or not. The only thing you could do is to detect the arp-spoofing symptoms. – Nate Nov 02 '15 at 16:05
  • I could assume whoever gave me a DHCP lease is legit, couldn't I? – K3---rnc Nov 02 '15 at 16:07
  • Under that assumption yes, it could work. But why wouldn't the rogue give it to you? In the best case scenario it would be a race condition. At worst, the attacker would be using DHCP exhaustion and you would always receive his leases. – Nate Nov 02 '15 at 16:09
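The arptables rules above hard-code one router MAC, which is what the comments object to on a laptop that roams between networks. The following script is an added example, not the answer author's code and not from linux-audit.com: it derives the gateway address and MAC from the routing and neighbour tables, refuses to install rules for a malformed MAC, and with DRY_RUN=1 prints the arptables commands instead of executing them. It assumes iproute2 (`ip`) and arptables are installed and that it is run as root when DRY_RUN is unset.

```shell
#!/bin/sh
# Added example: pin the current default gateway with arptables.
# DRY_RUN=1 prints the commands instead of running them.

# mac_ok MAC: true only for six colon-separated hex pairs
mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# run CMD...: execute the command, or echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gateway_rules GW_IP GW_MAC: default-deny ARP input, then accept only the
# gateway's MAC. The explicit DROP for the gateway IP claimed from any other
# MAC is already covered by the policy, but gives a counter that
# `arptables -L -v` shows, so spoofing attempts become visible.
gateway_rules() {
    gw_ip=$1 gw_mac=$2
    mac_ok "$gw_mac" || { echo "refusing to pin malformed MAC '$gw_mac'" >&2; return 1; }
    run arptables -F INPUT
    run arptables -P INPUT DROP
    run arptables -A INPUT --source-ip "$gw_ip" ! --source-mac "$gw_mac" -j DROP
    run arptables -A INPUT --source-mac "$gw_mac" -j ACCEPT
}

# pin_current_gateway: look the gateway up live. It needs a default route and a
# resolved neighbour entry, so it has the same race the question describes and
# should run after the link has settled (e.g. from the dispatcher script).
pin_current_gateway() {
    gw_ip=$(ip -4 route show default | awk '$2=="via" {print $3; exit}')
    [ -n "$gw_ip" ] || { echo "no default route yet" >&2; return 2; }
    gw_mac=$(ip -4 neigh show "$gw_ip" \
        | awk '{for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i+1); exit}')
    [ -n "$gw_mac" ] || { echo "gateway $gw_ip not resolved yet" >&2; return 2; }
    gateway_rules "$gw_ip" "$gw_mac"
}
```

This keeps the answer's default-deny policy, so the host can only resolve the gateway; that suits a laptop on foreign networks but breaks direct LAN traffic (printers, file shares), for which per-host ACCEPT rules would have to be added before the gateway rule.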

Some time ago, I was stuck with the same problem: preventing ARP spoofing.

Using the script you provide will work, until you connect to an already spoofed network.

I mean, when you join a network, your OS will automatically add an ARP entry for the correct gateway with the correct MAC address, but if in that right moment you receive a spoofed ARP packet, before you run your script, you will be trusting the fake MAC address.

It will be a bit harder since you're using the dispatcher.d, but ok.

The other approach that I took was to create a whitelist of MAC addresses for my common networks and a task to check the ARP table in order to see if my default gateway's MAC address is in my trusted list. If not, just automatically disconnect and notify me.
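The whitelist check this answer describes, written out as an added example (not the answer author's own task): the gateway IP is taken from `ip -4 route` output and its MAC from `ip -4 neigh` output, both passed in as text so the same functions run against captured output. The allow list format, the names and the sample table contents are assumptions; the sample below is constructed and shows a gateway whose MAC does not match the allowed one.

```shell
#!/bin/sh
# Added example: verify the default gateway's MAC against a per-network
# allow list, as the answer's "trusted list" task would.

# Allow list (assumed format): "<gateway-ip> <mac>" per line, one per network.
ALLOWLIST='192.168.1.1 d8:d7:21:22:5a:f4
10.0.0.1 00:11:22:33:44:55'

# gateway_ip ROUTE_TEXT: default gateway from `ip -4 route show default` output
gateway_ip() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" {print $3; exit}'
}

# gateway_mac NEIGH_TEXT GW_IP: MAC the neighbour table currently holds for GW_IP
gateway_mac() {
    printf '%s\n' "$1" \
        | awk -v ip="$2" '$1 == ip {for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i+1); exit}'
}

# check_gateway ROUTE_TEXT NEIGH_TEXT: prints OK / MISMATCH / UNKNOWN and
# returns 0 only when the gateway MAC matches the allow list.
check_gateway() {
    gw=$(gateway_ip "$1")
    [ -n "$gw" ] || { echo "UNKNOWN: no default route"; return 2; }
    mac=$(gateway_mac "$2" "$gw" | tr 'A-F' 'a-f')
    [ -n "$mac" ] || { echo "UNKNOWN: $gw not in neighbour table yet"; return 2; }
    expected=$(printf '%s\n' "$ALLOWLIST" | awk -v ip="$gw" '$1 == ip {print tolower($2); exit}')
    [ -n "$expected" ] || { echo "UNKNOWN: $gw not in allow list"; return 2; }
    if [ "$mac" = "$expected" ]; then
        echo "OK: $gw is $mac"; return 0
    fi
    echo "MISMATCH: $gw is $mac, expected $expected"; return 1
}

# Live use from a periodic task or dispatcher script (IFACE assumed set):
# check_gateway "$(ip -4 route show default)" "$(ip -4 neigh show)" \
#     || nmcli device disconnect "$IFACE"

# Constructed sample: the gateway entry carries a MAC other than the allowed one.
SAMPLE_ROUTE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600'
SAMPLE_NEIGH='192.168.1.1 dev wlan0 lladdr 02:aa:bb:cc:dd:ee REACHABLE
192.168.1.50 dev wlan0 lladdr 00:de:ad:be:ef:01 STALE'
```

The three outcomes are deliberately distinct: only MISMATCH means the table disagrees with the list, while UNKNOWN covers the cases the question ran into (no route yet, gateway not resolved yet) and a network not in the list, which should be reported rather than silently treated as fine or as an attack.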

Vilican