Firewall Wizards mailing list archives

Re: Windows dynamic ARP


From: Christoph Mayer <mayer () tm uka de>
Date: Fri, 09 Jan 2009 09:04:24 +0100

Unfortunately XArp can't really 'filter' (drop) the packets, but alert you.

I am sure you will correct me Chris (You did write the tool after all
;-) but I was under the impression the requestedresponse filter
actually dropped a response to the host XArp is running on if the host
didn't issue an ARP request?

Unfortunately I was not able to write an NDIS driver for Windows that could really "drop" packets. The name of the filters might be a bit misleading, but it is stated clearly in the manual etc. As my first intent was to really drop packets, the names of the filters did arise.

I am currently working on a Linux port where writing a network driver for

Wouldn't arptables
http://ebtables.sourceforge.net/arptables-man.html
be able to handle the Linux side of things?

I will look into this. The XArp filters work very much on dynamic data, therefore pure static tables don't quite fit into the design. For example the requestedresponse filter keeps state of requests and these have to time out after some seconds. I think that's quite hard to implement using static tables.

If you want to get an overview of mechanisms available for ARP attack
detection, you can have a look at a (yet incomplete) presentation I once
started: http://www.chrismc.de/development/xarp/arp_security_tools.html
(http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)

You could also possibly include Cisco's Dynamic ARP Inspection (DAI)
in your lineup of products. Sounds good on paper....

Thanks, I will include this!

Best regards,
Chris
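
The stateful check discussed in this message (remember outgoing ARP requests, let them time out, and flag replies that match no live request) can be sketched as follows. This is an added example, not part of the original post and not XArp's code; the class name, the 5-second timeout and the sample events are assumptions, and like XArp it only alerts and does not drop anything.

```python
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2  # ARP opcodes (RFC 826)


@dataclass
class RequestedResponseTracker:  # hypothetical name, not an XArp identifier
    local_ip: str
    timeout: float = 5.0  # assumed; the post only says "some seconds"
    pending: dict = field(default_factory=dict)  # requested IP -> time of our request

    def observe(self, now, opcode, sender_mac, sender_ip, target_ip):
        """Return an alert string for a reply we did not ask for, else None."""
        # Expire request state first: this is the dynamic part that a
        # static allow/deny table cannot express.
        self.pending = {ip: t for ip, t in self.pending.items()
                        if now - t <= self.timeout}
        if opcode == REQUEST and sender_ip == self.local_ip:
            self.pending[target_ip] = now
        elif opcode == REPLY and target_ip == self.local_ip:
            # One request licenses one reply; pop() consumes the state.
            if self.pending.pop(sender_ip, None) is None:
                return f"t={now}: unrequested reply {sender_ip} is-at {sender_mac}"
        return None


# Constructed sample traffic: (time, opcode, sender MAC, sender IP, target IP)
SAMPLE_EVENTS = [
    (0.0, REQUEST, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),
    (0.1, REPLY,   "02:00:00:00:00:01", "192.0.2.1",  "192.0.2.10"),  # requested
    (1.0, REPLY,   "02:00:00:00:00:66", "192.0.2.1",  "192.0.2.10"),  # no live request
    (2.0, REQUEST, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.20"),
    (9.0, REPLY,   "02:00:00:00:00:20", "192.0.2.20", "192.0.2.10"),  # request expired
]


def check(events, local_ip="192.0.2.10"):
    """Run the events through a fresh tracker and collect the alerts."""
    tracker = RequestedResponseTracker(local_ip)
    return [a for e in events if (a := tracker.observe(*e))]


if __name__ == "__main__":
    for alert in check(SAMPLE_EVENTS):
        print(alert)
```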
