
I am planning to develop a Ruby script that detects ARP spoofing attacks on a local network, and I have a few questions about it. There are three scenarios I am taking into consideration:

  • The first idea, as always, is a basic one. If ARP poisoning is performed, my packets are flowing to the attacker and from there to the router. The router’s MAC address in my ARP table will be the attacker's. In this situation, there will be a duplicate MAC address in the ARP table with a different IP. So, I plan to read the ARP table with a sub-process (arp -a); if there are any duplicate MAC addresses, I assume ARP spoofing is being done to me. But this is a very simple and inadequate solution.

  • If the intruder wants only to cut me off from the internet connection, he/she can bypass this protection (my script :)) by sending an ARP packet only to the router saying 'the victim’s MAC address is this', sending a fake MAC address to the router while pretending to be me. Then there will be no duplicate entry in my ARP table for me to detect. What I am thinking of doing is sending ICMP to everyone on the network, collecting the original MAC addresses, and then matching them with the MAC addresses in the ARP table.

  • What I wrote above is not enough. My plan is to detect attacks on the network, but the intruder may not do anything to me and instead send the ARP packets to another machine on the network. I do not know exactly what to do in this situation. I have an idea but I am not sure, and I have a few questions about this scenario: Are all ARP packets broadcast? Can I listen to all ARP packets on the network? Can I access the router's ARP table?

I did not find the exact answers to these questions; I need your advice :).

How do I handle this problem with Ruby? Where should I look?
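
A Ruby sketch of the first two ideas, added here as an example (not code from the question or its comments): it parses Linux-style `arp -a` output, flags a MAC address that several IPs map to, and compares a snapshot against a trusted baseline such as one built from ICMP replies. The sample table lines are constructed and the function names are my own.

```ruby
# Added example (not from the question): two ARP-table checks described above:
# (1) one MAC address claimed by several IPs, and
# (2) an entry whose MAC differs from a trusted baseline snapshot.
# Assumes Linux-style `arp -a` output; all sample lines are constructed.

# e.g. "gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0"
ARP_LINE = /\(\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})/i

# Parse `arp -a` text into { ip => mac }; "<incomplete>" entries are skipped.
def parse_arp_table(text)
  text.each_line.with_object({}) do |line, table|
    m = ARP_LINE.match(line)
    table[m[:ip]] = m[:mac].downcase if m
  end
end

# MAC addresses that appear under more than one IP (the "first idea").
# Returns { mac => [ip, ip, ...] }.
def duplicate_macs(table)
  table.group_by { |_ip, mac| mac }
       .select { |_mac, pairs| pairs.size > 1 }
       .transform_values { |pairs| pairs.map(&:first).sort }
end

# Entries whose MAC differs from a trusted baseline (for example one built
# from the ICMP replies in the second idea). Returns [[ip, old, new], ...].
def changed_entries(baseline, current)
  current.select { |ip, mac| baseline.key?(ip) && baseline[ip] != mac }
         .map { |ip, mac| [ip, baseline[ip], mac] }
end

# Read the live table; only meaningful on a host where `arp -a` exists.
def live_arp_table
  parse_arp_table(`arp -a`)
end

# Constructed sample: a clean baseline, then a snapshot where the gateway's
# MAC has become the same as host .20's MAC.
BASELINE = parse_arp_table(<<~ARP)
  gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
  ? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
  ? (192.168.1.30) at <incomplete> on eth0
ARP

SNAPSHOT = parse_arp_table(<<~ARP)
  gateway (192.168.1.1) at AA:BB:CC:DD:EE:01 [ether] on eth0
  ? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
ARP

duplicate_macs(SNAPSHOT).each { |mac, ips| puts "ALERT: #{mac} claimed by #{ips.join(', ')}" }
changed_entries(BASELINE, SNAPSHOT).each { |ip, old, new| puts "ALERT: #{ip} moved #{old} -> #{new}" }
```

As the question itself notes, the duplicate-MAC check alone misses an attacker who only poisons the router's table, which is what the baseline comparison is for.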

  • Does it have to be in Ruby? Ruby may not give you the ability to listen to low level network traffic natively - unless you use libraries such as rubypcap. – ndrix Apr 05 '17 at 00:36
  • Yes, it has to; there is no other language option. – Fatih Altuntaş Apr 05 '17 at 00:44
  • You are mixing up programming language and OS specific things (use of ruby, *"Can I listen to all arp packets in the network"*), with general questions on how things work inside a network (*"Can I access router arp table"* - usually not), with a misunderstanding of how ARP spoofing will affect your system. At most the last part is related to security; everything else is off-topic here. Therefore marked as primarily off-topic. – Steffen Ullrich Apr 05 '17 at 04:12
  • @FatihAltuntaş on your second point, assuming you're using the same client machine(s) all the time, you could investigate static ARP entries to prevent the attacker overwriting the entry on the router for your client. On the first point, perhaps look at https://rubygems.org/gems/arp/versions/0.0.1 then just generate some code which looks for changes in the output and alerts appropriately. On the third point, if you control the network and your hardware supports it, you could set up a SPAN port to view all traffic on the LAN, then use your point 1 code to keep an eye out for odd changes. – Rory McCune Apr 05 '17 at 07:40
  • I have another solution for the third point. If I can send ARP reply packets to the router stronger than the intruder, poisoning the router to direct all local packets to me, then after investigating these packets I will extract all IP->MAC pair information from all of them. Simultaneously, as in my second point, I send ICMP packets to the whole local network, then gather the original IP->MAC pairs from the ICMP reply packets. After this I will compare both sets of IP-MAC pairs; if I observe an inconsistency, then I can say there is an ARP poisoning attack in my local network. It is possible, I mean; this is only an idea now, I have not tried it, but I will try. – Fatih Altuntaş Apr 06 '17 at 06:31
