Firewall Wizards mailing list archives
Re: Windows dynamic ARP
From: Christoph Mayer <mayer () tm uka de>
Date: Fri, 09 Jan 2009 09:04:24 +0100
>> Unfortunately XArp can't really 'filter' (drop) the packets, but alert you.
> I am sure you will correct me Chris (You did write the tool after all ;-) but I was under the impression the requestedresponse filter actually dropped a response to the host Xarp is running on if the host didn't issue an arp request?
Unfortunately I was not able to write an NDIS driver for Windows that could really "drop" packets. The name of the filters might be a bit misleading, but it is stated clearly in the manual etc. As my first intent was to really drop packets, the names of the filters did arise.
>> I am currently working on a Linux port where writing a network driver for
> wouldn't arptables http://ebtables.sourceforge.net/arptables-man.html be able to handle the linux side of things?
I will look into this. The XArp filters work very much on dynamic data, therefore pure static tables don't quite fit into the design. For example the requestedresponse filter keeps state of requests and these have to time out after some seconds. I think that's quite hard to implement using static tables.
>> If you want to get an overview of mechanisms available for ARP attack detection, you can have a look at a (yet incomplete) presentation I once started: http://www.chrismc.de/development/xarp/arp_security_tools.html (http://www.chrismc.de/development/xarp/Securing_ARP_0_2_0.pdf)
> You could also possibly include Cisco's Dynamic Arp Inspection (DAI) in your line up of products. Sounds good on paper....
Thanks, I will include this!
Best regards,
Chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
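The request state with timeouts that the message describes for the requestedresponse filter, as an added example that is not part of the original message and is not XArp's code. The class name, the 3-second timeout, the choice to accept only one reply per request, and the sample traffic are all assumptions made for illustration; like the tool described above, it only alerts and does not drop anything.

```python
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2  # ARP opcode values (RFC 826)

@dataclass
class RequestedResponseMonitor:
    """Hypothetical monitor: alert on ARP replies that answer no recent request."""
    local_ip: str
    timeout: float = 3.0  # assumed value; the message only says "some seconds"
    pending: dict = field(default_factory=dict)  # queried IP -> time of request

    def _expire(self, now):
        # Drop request state older than the timeout window.
        self.pending = {ip: t for ip, t in self.pending.items()
                        if now - t <= self.timeout}

    def observe(self, ts, opcode, sender_ip, target_ip):
        """Feed one ARP packet; return an alert string or None."""
        self._expire(ts)
        if opcode == REQUEST and sender_ip == self.local_ip:
            self.pending[target_ip] = ts  # this host asked "who has target_ip?"
            return None
        if opcode == REPLY and target_ip == self.local_ip:
            if sender_ip in self.pending:
                del self.pending[sender_ip]  # assumption: one reply per request
                return None
            return f"unsolicited ARP reply claiming {sender_ip} at t={ts}"
        return None

# Constructed sample traffic: (time, opcode, sender IP, target IP)
SAMPLE = [
    (0.0, REQUEST, "192.0.2.10", "192.0.2.1"),   # host asks for the gateway
    (0.1, REPLY,   "192.0.2.1",  "192.0.2.10"),  # matching reply: accepted
    (0.5, REPLY,   "192.0.2.1",  "192.0.2.10"),  # second reply, state already used
    (1.0, REQUEST, "192.0.2.10", "192.0.2.7"),
    (9.0, REPLY,   "192.0.2.7",  "192.0.2.10"),  # arrives after the request timed out
]

def run(events, local_ip="192.0.2.10"):
    mon = RequestedResponseMonitor(local_ip)
    return [a for a in (mon.observe(*e) for e in events) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```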