Mailinglist Archive: opensuse-security (616 mails)

RE: [suse-security] What to do against ARP-Poisoning?
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 18 Mar 2002 13:10:41 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56E0C@xxxxxxxxxxxxxxxxx>
> I thought about prevention of ARP-Poisoning and came up with the following
> ideas:

The question here to me is what you are trying to accomplish. I can see a
couple of things resulting from ARP poisoning in the subnet your server is
in. I can see others mimicking your web site and tricking visitors this way.
I can also see a complete denial of service against your server. One other
possibility is that they could mimic your path of administration as well and
thereby learn, e.g., your user password from a telnet session across their
machine.

One thing you need to be aware of is that measures against ARP poisoning on
your host alone won't really help a lot; you need to at least protect the
router as well to avoid most problems. Since you probably have no influence
on the router, you're left with the following answers to the problems I saw:

1. Pretend web site: This one can be solved by using an SSL server
certificate for your WWW server name. It breaks if someone is successful in
acquiring a certificate that a visitor of yours will accept.

2. Denial of Service: You need a static ARP entry on the router to prevent
this. A rogue host on the same subnet as your host can probably DoS it in a
variety of other ways, though. This kind of thing becomes evident very
quickly and it is very easy to trace the source of the attack, though, so I
don't think the risk is that high. If you're scared of this kind of thing,
you need to take the server to a network of your own.

3. Hack the admin: Don't use telnet, FTP or any other clear-text protocols.
If using SSH, use Strict Modes and public key authentication in favour of
passwords.

Cheers
Tobias
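
An added example, not part of the original message: a check of a Linux neighbour table against pinned MAC addresses, reporting whether a pinned entry (such as the router) is static and whether one MAC answers for several IPs. It assumes the text format printed by `ip neigh show`; the sample lines, the 192.0.2.x addresses and the MACs are constructed.

```python
from collections import defaultdict

# Constructed sample of `ip neigh show` output (documentation IPs, made-up MACs).
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 02:00:00:aa:bb:01 PERMANENT
192.0.2.10 dev eth0 lladdr 02:00:00:aa:bb:10 REACHABLE
192.0.2.20 dev eth0 lladdr 02:00:00:aa:bb:66 STALE
192.0.2.30 dev eth0 lladdr 02:00:00:aa:bb:66 REACHABLE
192.0.2.40 dev eth0  FAILED
"""

def parse_neigh(text):
    """Return {ip: (mac, state)} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok:
            continue  # FAILED/INCOMPLETE entries have no MAC to compare
        mac = tok[tok.index("lladdr") + 1].lower()
        table[tok[0]] = (mac, tok[-1])  # the state is the last token
    return table

def audit(text, pinned):
    """pinned maps IP -> expected MAC. Returns a list of finding strings."""
    table = parse_neigh(text)
    findings = []
    for ip, want in pinned.items():
        want = want.lower()
        mac, state = table.get(ip, (None, None))
        if mac is None:
            findings.append(f"{ip}: no resolved entry")
        elif mac != want:
            findings.append(f"{ip}: MAC {mac} differs from pinned {want}")
        elif state != "PERMANENT":
            findings.append(f"{ip}: correct MAC but entry is dynamic ({state}), not static")
    # One MAC claiming several IPs is a classic poisoning sign, but it can be
    # legitimate (aliases, proxy ARP), so it is reported for review only.
    owners = defaultdict(list)
    for ip, (mac, _) in table.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for several addresses: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"192.0.2.1": "02:00:00:aa:bb:01"}):
        print(finding)
```

On a live host the text would come from `ip neigh show`, and the pinned values from a trusted record of the router's MAC.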
