IDS mailing list archives

Re: Session Hijacking


From: Dragos Ruiu <dr () kyx net>
Date: Wed, 9 Mar 2005 20:42:36 -0800

On March 8, 2005 05:23 am, Angel L Rivera wrote:
Hate to plead ignorance but can you elaborate a little - not familiar with
this control and how to set it up - can you give an example. If you think
it is out of scope for this discussion list just reply to me.  Thanks.

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Tuesday, March 08, 2005 2:53 AM
To: Angel L Rivera; 'Mike Frantzen'; 'Terry Ray'
Cc: focus-ids () lists securityfocus com
Subject: Re: Session Hijacking

P.s. Static permanent arp entries for at least some "important" servers
and gateways in your network is something I counsel all to seriously
consider. This intermediate step is not that much work given the many
security benefits it brings.

The example (and MS caveat) was in the previous message:

On March 7, 2005 11:04 pm, Dragos Ruiu wrote:
You can even extend this to host workstations, whereby ip->mac
address assignments are preassigned, e.g.:

/usr/sbin/arp -s 1.2.3.4 00:01:02:03:04:05 permanent

Older MS OSes used to let permanent entries be overwritten by
gratuitous ARPs but I think this has been fixed in more recent releases.

You may have to delete the existing arp table entry before adding the
permanent one using:

/usr/sbin/arp -d 1.2.3.4

This is the OpenBSD/NetBSD semantics...

For Linux, FreeBSD and OSX you set up permanent entries by NOT including 
the keyword "temp" instead of the "permanent" keyword.

Look at the man page for the arp command and that will get you pointed in 
the right direction. Adding these addresses for important boxes hardwired
to local start up scripts will remove some possibility for "games."

For Win32 just use: arp -s 1.2.3.4 00:01:02:03:04:05
(I don't think Win32 lets you set up temp entries afaik)

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
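
Added example, not part of the original message: a startup-script helper that turns a list of pinned IP/MAC pairs into the arp commands described above for OpenBSD/NetBSD and Linux/FreeBSD/OSX, and rejects malformed MAC addresses. The function names, the pin-list format and the sample addresses are assumptions made for illustration; Win32 is not covered.

```shell
#!/bin/sh
# Added example: print the arp commands that pin static entries, using the
# per-OS keyword rules from the post. Stdin: one "IP MAC" pair per line.

ARP=/usr/sbin/arp   # path as written in the post; adjust per system

# valid_mac MAC: succeeds only for exactly six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# pin_cmds OS: emits "arp -d" then "arp -s" for each valid pair.
# Returns 1 if any line was rejected, so a startup script can notice.
pin_cmds() {
    rc=0
    case "$1" in
        OpenBSD|NetBSD)       suffix=" permanent" ;;  # explicit keyword
        Linux|FreeBSD|Darwin) suffix="" ;;            # permanent unless "temp"
        *) echo "unsupported OS: $1" >&2; return 2 ;;
    esac
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac       # skip blanks, comments
        case "$ip" in *[!0-9.]*) mac="" ;; esac       # IPv4 literals only
        if [ -n "$rest" ] || ! valid_mac "$mac"; then
            echo "rejected pin line for: $ip" >&2
            rc=1
            continue
        fi
        echo "$ARP -d $ip"            # drop any learned entry first
        echo "$ARP -s $ip $mac$suffix"
    done
    return "$rc"
}

# Constructed sample pins (documentation addresses, made-up MACs).
# The second line has seven octets and must be rejected.
sample_pins() {
    cat <<'EOF'
# gateway
192.0.2.1 00:01:02:03:04:05
192.0.2.10 00:01:02:03:04:05:06
EOF
}

# Dry run for the local OS; review the output, then pipe it to sh as root.
if [ "${1:-}" = "--demo" ]; then
    sample_pins | pin_cmds "$(uname -s)"
fi
```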
