Protection against arp spoofing

chrisperry · January 1, 2012, 11:25am

Hi, I'm trying to find a way to protect my network against arp spoofing.

What it is:
An attacker sends fake arp packets in the network, identifying himself as the router. All network traffic is then redirected to this attacker.

How to protect myself:
In my opinion, the best possible protection is arptables firewall running on my router. But I'm not sure hot to set it up properly. It sholud be simillar to iptables, so I tried:

arptables -P INPUT DROP
arptables -P OUTPUT DROP
arptables -A INPUT -s 192.168.1.1 --source-mac MAC:OF:MY:ROUTER -j ACCEPT
arptables -A OUTPUT -d 192.168.1.1 --destination-mac MAC:OF:MY:ROUTER -j ACCEPT

So all arp packets are dropped (default policy DROP, first two lines) and only those coming from or to my router (= valid ones) are allowed.
But for some reason, my whole network collapses after executing this command. Any idea what is wrong?

Corona688 · January 2, 2012, 12:04pm

ARP packets aren't routed, they are local subnet traffic. So putting arptables on your gateway won't stop arp going anywhere else. This means an attacker would have to actually be on your local network to spoof arp, too.

If you do have some strange configuration where all arp must pass through your router and an attacker could attach to your local network from afar, there's a lot of important arp traffic that must be broadcasted, too, you can't cavalierly block everything except certain sources and destinations.

chrisperry · January 2, 2012, 7:05pm

There is only one router in that network, so all arp traffic is passing through it and it can be monitored and filtered.
Yes, the attacker must be on my local network, that's the idea. Arp spoofing is common on public hotspots, university networks etc.

But you are right, dropping all trafic is not a good solution.
Do you propose another protection?