1

I have seen products like CUJO (https://www.getcujo.com) and Firewalla (https://firewalla.com/) doing ARP spoofing for network filtering and device blocking.

As far as I know, the simplest way to reproduce the same situation is to use arpspoof. I have tested this, and it works only partially. I mean it does indeed redirect traffic from the victim (test Macbook) to the gateway (Asus router) and vice versa. Pings are working fine between both. But upon entering any website from the internet, it loads so slowly that it is impossible to work with it. arpspoof sends 2 gratuitous ARP packets (1 for the victim, one for the gateway) every 2 seconds.

I was wondering how CUJO and Firewalla work with an invisible performance drop, if home-made tests using arpspoof are not working as expected?

(Yes, I have packet forwarding enabled within /proc/sys/net/ipv4/ip_forward)

Setup:

  • Victim = Macbook Air (192.168.10.34) (connected via WiFi)
  • Attacker = HP notepad with Debian 9 (192.168.10.48) on Gigabit port
  • Router (Asus) = (192.168.10.1)

I have tested my Android phone as well over WiFi, and it is the same thing: internet pages open very slowly, if at all.

RedS
  • Have you looked into a Wireshark session if the attacker is even sending the packets? – Cyberduck Jan 14 '19 at 00:17
  • So ARP spoofing worked, but too slow? Did the attacker receive traffic originating from the victim? Without the ARP hijack, does it work fine? Run a packet trace on both victim and attacker and see if you find something interesting. And do confirm the hijack by verifying the ARP tables. –  Jan 14 '19 at 11:56
  • The packets are sent to the victim fine, but there are a lot of packet retransmissions. I was thinking maybe it is because arpspoof sends ARP packets every 1 second, which is too much? Maybe a higher interval like 10-20 seconds would be better? – RedS Jan 15 '19 at 22:32

1 Answer

0

Have you checked if the ARP table is updated on the Asus router? It could be that the router ignores the ARP requests.

What router do you have? Have you flashed it with some custom firmware?

You can also check the arp table on your Macbook Air using the command: arp -a # to see if it has been updated.

schroeder
Zack
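
The ARP-table check suggested in the answer and comments can be scripted. The following is an added example, not part of the original posts: it parses `arp -a` output (macOS or Linux layout) and reports when the gateway's entry shares a MAC address with another host, which is what a redirected entry looks like from the client side. The IP addresses come from the question's setup; the MAC addresses, sample output and function names are constructed for illustration.

```python
import re

# Matches both macOS ("? (ip) at mac on en0 ...") and Linux
# ("? (ip) at mac [ether] on eth0") `arp -a` lines.
ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(\S+)")

def normalize_mac(mac):
    """Return a zero-padded lowercase MAC, or None for non-MAC fields."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        return None  # e.g. "(incomplete)" or "<incomplete>"
    return ":".join(p.zfill(2) for p in parts)  # macOS prints "0:1e" for "00:1e"

def parse_arp_table(text):
    """Map IP -> normalized MAC for every resolved entry in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        mac = normalize_mac(m.group(2)) if m else None
        if mac:
            table[m.group(1)] = mac
    return table

def check_gateway(text, gateway_ip, expected_gateway_mac=None):
    """Return findings that indicate the gateway entry has been redirected."""
    table = parse_arp_table(text)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [f"no resolved entry for gateway {gateway_ip}"]
    findings = []
    expected = normalize_mac(expected_gateway_mac) if expected_gateway_mac else None
    if expected and gw_mac != expected:
        findings.append(f"gateway {gateway_ip} is at {gw_mac}, expected {expected}")
    sharing = sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)
    if sharing:
        findings.append(f"gateway MAC {gw_mac} is also claimed by {', '.join(sharing)}")
    return findings

# Constructed sample: macOS-style output as seen on the client after the redirect.
SPOOFED = """\
? (192.168.10.1) at 2:0:0:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.10.48) at 02:00:00:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.10.77) at (incomplete) on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    for finding in check_gateway(SPOOFED, "192.168.10.1"):
        print(finding)
```

Passing the router's known MAC as `expected_gateway_mac` also catches a changed gateway entry when the other host is not in the table.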