How do YOU safeguard yourself from mitm/mitb attacks?

Data that travels over the air and how to protect (or decipher) it

Re: How do YOU safeguard yourself from mitm/mitb attacks?

Post by thetan on Sun Oct 24, 2010 9:26 pm

All office systems at work use static ARP and static IPs (only clients get DHCP, because we care less about them MiTM'ing each other). Also, we implement port security on all ports on switches connected to our office systems (super pain in the ass). It's good to remember to disable ICMP redirection too.

Static ARP prevents ARP poisoning MiTM (and saves minor bandwidth). Static DHCP prevents MiTM from DHCP spoofing (also saves minor bandwidth). Port security protects office systems from CAM smashing reversion half-duplex MiTM attacks as well as port stealing MiTM attacks (fucking annoying as shit to maintain).

ARP is the most common attack vector, because it's easy and fast. DHCP spoofing is essentially just as easy (especially when a DHCP exhaustion attack is run on the main DHCP server first). Port stealing is less well known and exploits the CAM routing algorithms used by level 2 switches to make the switch think that a victim computer is connected to the attacker's port. CAM smashing is the flooding of the CAM tables in a switch, causing it to revert to acting like a hub and broadcast all received data out to all ports.


Re: How do YOU safeguard yourself from mitm/mitb attacks?

Post by l3ane on Sun Jan 02, 2011 5:59 am

In addition to what was said above, you can try ArpON.

ArpON (Arp handler inspectiON) is a portable handler daemon that makes ARP secure in order to avoid the Man In The Middle through ARP Spoofing/Poisoning. It also detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.


Or if you're using Windows, I saw this little app on Irongeek's site called DecaffeinatID, which I made a small post about on my blog - http://hakhub.blogspot.com/2010/12/irongeeks-decaffeinatid.html

It doesn't even compare to ArpON, but it does alert you. I thought it was a nice addition to my IDS though.
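
An added example, not part of either post and not code from ArpON or DecaffeinatID: a small audit of the static ARP approach described in this thread, checking a Linux neighbour table against pinned IP-to-MAC bindings. The addresses, the `PINNED` table and the sample table are constructed; the input format is that of `ip neigh show`.

```python
from collections import defaultdict

# Constructed IP-to-MAC bindings for hosts that should have static ARP entries.
PINNED = {
    "10.0.0.1": "00:16:3e:00:00:01",   # gateway
    "10.0.0.10": "00:16:3e:00:00:10",  # file server
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE = """\
10.0.0.1 dev eth0 lladdr 00:16:3e:00:00:01 PERMANENT
10.0.0.10 dev eth0 lladdr 00:16:3e:00:00:66 REACHABLE
10.0.0.23 dev eth0 lladdr 00:16:3e:00:00:66 STALE
10.0.0.40 dev eth0  FAILED
"""


def parse_neigh(text):
    """Yield (ip, mac, state) per entry; unresolved entries have no lladdr."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            yield fields[0], mac, fields[-1]


def audit(text, pinned=PINNED):
    """Return (finding, ip, mac) tuples for entries that break the pinning."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac, state in parse_neigh(text):
        ips_by_mac[mac].add(ip)
        if ip not in pinned:
            continue
        if mac != pinned[ip].lower():
            # The table holds a different MAC than the pinned one.
            findings.append(("MAC_MISMATCH", ip, mac))
        elif state != "PERMANENT":
            # Right MAC, but dynamically learned, so it can still be overwritten.
            findings.append(("NOT_STATIC", ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            # One MAC answering for several IPs: poisoning, or proxy ARP.
            findings.append(("MAC_SHARED", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a live host the same function can be fed the output of `ip neigh show` instead of `SAMPLE`.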

