Hi, I wanted to stop ARP Poisoning so I switched to tomato-ND-1.28.7617-Toastman-K24-Std with the following basic setup:
Client 1: 192.168.1.1
Client 2: 192.168.1.2
Router: 192.168.1.3
DHCP Range 192.168.1.3-192.168.1.3 (only 1 IP)
Added all IPs/MACs to Static DHCP & ARP Binding
Both "Enable ARP Binding" & "Limit unlisted machines" are checked
Now when I start Cain (from Client 1) & set a new ARP Poison Routing between Router (192.168.1.3) & Client 2 (192.168.1.1) I can hijack the traffic. What am I doing wrong?
I don't know CAIN but if your client is listed in the acceptable, or unlimited, table why would you not be able to hijack traffic? Wouldn't you need to try it with a machine that matches the limit criteria? Your client matches the unlimited criteria. Yes?
Yes, both clients are in the unlimited table .. I just assumed ARP binding would be applied to all. So I tried another test: I removed Client 1 from both static DHCP & ARP binding, then gave it a static IP (192.168.1.4). Now Client 1 (192.168.1.4) cannot ping or access the router (192.168.1.3) .. so far so good. Then I tried Cain to hijack traffic between the router (192.168.1.3) & Client 2 (192.168.1.2); unfortunately I was able to hijack the traffic.
The ARP protocol is ancient, all based on honesty and trust; the only way to avoid MITM attacks is physical security on the LAN. The Tomato router doesn't know it isn't talking to the client, and the client doesn't know it isn't talking to the Tomato router.
I would say what you're doing wrong is letting a malicious program run on a trusted client on your network. All static ARP does is define which client ARP/IP combinations are valid, making it harder to add an undefined PC to your network. If you're on a defined trusted client then it's not going to prevent you from doing anything you want.
While all that may be true, isn't the issue still that by restricting access to unlisted clients, he is NOT restricting access to listed clients? His test clients are all listed as unrestricted, yes? Why would ARP do anything about what is happening with those safe or authorized clients? ARP only cares about "on the list" or "not on list".
Are these clients communicating on the LAN - i.e. using the switch ports? Can you get access to the internet? ARP binding on the router prevents unauthorized clients gaining access to the router or the internet using ARP spoofing. That is what it is supposed to do, no more, no less.
I guess I still don't get it. All ARP does is act like a stop/go light. It doesn't care what a client is doing. It only cares IF a client is restricted or unrestricted. It is a very basic and gross form of security. So if you have a client that is on the unrestricted table/list, whether that table is in the router or in a client, how will that stop any unrestricted or unlimited client from acting rudely?
I don't have control over what users install/run on their machines. No, they are all wireless. Both clients can access the internet, but once I remove a client from the ARP binding table then that client cannot ping/access the router. The router's IP/MAC is already in the table .. do you mean I have to copy that table to all client machines?
jsmiddleton4, I think you get it. Either you get it or we both don't as I completely agree with your posts.
ARP cheat is to send a fake ARP response to the gateway and a client, so all packets between them will be sent to that malicious client. ARP binding is to create a correct ARP table, so the gateway and the clients will communicate according to the correct ARP entries in the table so as to avoid an ARP cheat.
Again all fine and true. But the testing being done in this original post is between clients IN the ARP table. He needs to get a client outside who he is telling is approved/unlimited/unrestricted. Yes?
TT76 - can you test this way. Put your machines in the static list as normal, enable ARP binding and also "restrict unlisted machines". Then change the IP of one of your machines, so it's now unlisted - it should then be excluded from internet access. Working or not? Probably not possible to prevent that fake response being sent to another machine on the LAN.
you have to use the command "arp -s <ip address> <mac address>" on windows to append a static arp entry, and you can create a batch file including these entries and setup it to run on windows startup automatically.
Bummer. In my home I do have the luxury of, for the most part, preventing anyone from running anything harmful and cutting them off if they do. If you don't, then if you have critical devices of your own on your core LAN and your clients are all wireless, you might want to take a look at this recent thread for ideas on segregating them off to a different VLAN to protect yourself. Allowing uncontrolled users access to your LAN is a risk I wouldn't want to take myself. If you want to provide wireless access either out of the goodness of your heart or for profit then fine, but I'd advise isolating them from your core network. Static ARP really only makes it more difficult for unknown clients to access your wireless network. If you've already given them access then I'm not sure there is a point to enabling it, and maybe it's just more work for you.
"If you've already given them access then not sure there is a point to enabling it and maybe just more work for you." That's the point Texas and I have been making. Once a client has access you aren't really testing anything other than the fact that ARP says they can have access. ARP is very rudimentary. Not useless. Just not all that fancy. So if you are trying to test if your ARP settings are keeping unwanted traffic/clients off your network, you have to use a client IP/MAC that ARP says is restricted. Any clients allowed through ARP must be trusted because the router says they ARE trusted.
I did that test .. it's on the first page of this thread. A client that is not listed under the ARP table will not have access to the router. I guess VLAN is the way to go. Thank you all for your valuable input.
Then it's doing what it is supposed to do. It prevents access to the router and the internet when you change a client's IP address to one that is not bound to the MAC address in the table. It doesn't stop clients communicating with each other on the LAN. How could it?
Isn't this related to the "Limit unlisted machines" option? My problem is with ARP Poisoning/Spoofing; I thought selecting "Enable ARP Binding" would solve this.
You see the words "the router" in there? Isn't that clear? Seems very clear to me. Why keep insisting on how you think it should work instead of how it is?
That only means that the router will ignore ARP spoofing attempts and rely on its tables. Again, the router's static ARP helps to some extent, as mentioned earlier, in that a "rogue" computer can't just plug into your network and start talking immediately, assuming its MAC won't be in the router ARP table. But it does nothing to stop clients you have added to the table, so are trusted. But IIRC all you need for ARP poisoning to work is for the other clients to respond. With clients on the same LAN, the router is just doing layer 2 forwarding based on MAC address. One client is free to query another for its MAC and IP address and then assume that identity. You could also set up static MAC tables on your clients to extend that control to that level. But you'll need access and privileges to do so and also must assure that the clients don't have privileges to override that. As I understand it, you don't have this level of control on the client computers. So again, I think you're expecting more security from this approach than is achievable in your situation. There are higher end, much more expensive, routers that add various features designed to combat ARP spoofing such as DHCP snooping and dynamic ARP inspection, but to my knowledge you will not find these features on consumer grade home routers today, even those with nice 3rd party firmware like Tomato.
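A client-side check that compares the Windows ARP cache with the static bindings from this thread's setup, and that emits the "arp -s" lines for the startup batch file suggested earlier. This is an added example, not code from the thread or from Tomato; the MAC addresses are constructed placeholders and the "arp -a" output is constructed to show a poisoned cache, with the router's IP resolving to Client 1's MAC.

```python
"""ARP-cache check against the static bindings from this thread.

Added example, not code from the thread or from Tomato. MAC addresses are
constructed placeholders; the `arp -a` text is constructed to show a
poisoned cache (the router's IP resolving to Client 1's MAC).
"""
import re

# Expected IP -> MAC bindings for the thread's setup (placeholder MACs).
STATIC_BINDINGS = {
    "192.168.1.1": "00-11-22-33-44-01",  # Client 1
    "192.168.1.2": "00-11-22-33-44-02",  # Client 2
    "192.168.1.3": "00-11-22-33-44-03",  # Router
}

# Constructed `arp -a` output as Client 2 would see it during the attack.
SAMPLE_ARP_A = """\
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.3           00-11-22-33-44-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I)

def parse_arp_a(text):
    """Return {ip: mac} from Windows `arp -a` output (MACs lower-cased)."""
    entries = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries[m.group(1)] = m.group(2).lower()
    return entries

def check_bindings(cache, bindings):
    """Return [(ip, cached_mac, bound_mac)] for bound IPs whose cached MAC
    differs from the binding; an empty list means the cache is consistent."""
    return [(ip, cache[ip], mac.lower()) for ip, mac in sorted(bindings.items())
            if ip in cache and cache[ip] != mac.lower()]

def batch_lines(bindings):
    """Lines for a startup batch file that pins the bindings on a client
    (the `arp -s` approach suggested in the thread)."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in sorted(bindings.items())]
```

Run check_bindings(parse_arp_a(SAMPLE_ARP_A), STATIC_BINDINGS) to see the router's entry flagged; in practice the cache text comes from running arp -a on the client.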
Great, so we have a featureless feature. By the way, thank you very much for the virtual network tip .. very convenient.
Although router static ARP won't do what you assumed or hoped it would, it does have benefits, as has been described in this thread. With a bit of googling & reading about ARP poisoning, as I did to reply to your posts, you will find how ARP poisoning works as well as the benefits and limitations of router static ARP in this regard - on any router including high end Cisco data center gear, not just a Tomato home router. I understand it's been a frustrating exercise for you, but it seems like a somewhat negative (and inaccurate IMHO) thing to say in a free forum in which developers participate, for freely available firmware that provides considerable enhanced functionality. I'm just saying, :smile:. Just my two cents, I'll get off my soapbox... As I said, I had to do a bit of reading to understand this well enough to answer, so as a result I understand it better than I did when this thread started, so I got some benefit out of it, so thanks! :biggrin: YW :wink:.
Yes, it's a featureless feature. It has absolutely no function, other than to restrict access to both the internet and the router to people ("trusted" or otherwise) trying to evade controls by changing their IP address and MAC. No function at all, really. We just like to add pages that don't do anything for the fun of it :biggrin: Now can we lay this to rest?