DIY DNS/ARP Spoofing Detection

Draft, work in progress: as it stands, the script writes one snapshot file per run, which produces far too many files. A more elegant way to track and handle the ARP tables is still needed.

Warning

Instead of actively scanning for peers with nmap, as the script does, you might prefer to run the check on the gateway. In any case you only cover the subnet you define in the script: this does not monitor the whole LAN.

Also, this is not live monitoring. The cron job may run every five minutes or so (the scan itself only takes a few seconds, depending on the scan method chosen in the script), so a poisoned entry can sit in the cache for several minutes before it is noticed.

The arp -a command also resolves the addresses to names (statically through /etc/hosts and dynamically through reverse DNS), so a diff of successive snapshots shows changes in the IP-to-MAC mappings as well as changes in the resolved names, and hints at both ARP cache poisoning and DNS tampering at once. Only the reverse lookups that arp -a performs are covered, though: forged forward (A) records for names the hosts look up themselves go unnoticed by this check.

Requirement

First, make sure you actually receive the output of your cron jobs: cron mails a job's standard output and error to the crontab owner, so watch the mail log (Debian-style and RHEL-style paths below) and send yourself a test message.

tail -F /var/log/mail.log
tail -F /var/log/maillog
date | mail -s `hostname` root

Install

Take a first snapshot, named after the current epoch time

mkdir -p $HOME/arp/
cd $HOME/arp/
arp -a | sort > `date +%s`

Fetch and install the script, then set the subnet to scan

cd ~/bin/
wget http://pub.nethence.com/bin/arpcheck.ksh.txt
cp -i arpcheck.ksh.txt arpcheck.ksh
chmod +x arpcheck.ksh
vi arpcheck.ksh

subnet=x.x.x.x/xx

and run it once by hand to check that it works

$HOME/bin/arpcheck.ksh

Automate

Add the PATH and the job. Note that cron does not expand $HOME in a crontab variable assignment, hence the absolute path to the script in the job line itself.

crontab -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/pkg/sbin:/usr/pkg/bin:/usr/sbin:/usr/bin:/sbin:/bin:$HOME/bin
*/5     *       *       *       *       /root/bin/arpcheck.ksh
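The whole procedure above boils down to taking arp -a snapshots at regular intervals and comparing them. As an added example that is not the arpcheck.ksh fetched above (whose contents are not shown on this page), the following POSIX shell script implements that comparison against a fixed baseline and prints only the differences, so one baseline and the latest snapshot replace the one-file-per-run layout. The file names (baseline, current, changed.<epoch>), the report labels and the sample arp -a output are constructed for the demonstration; the script assumes the Linux or BSD arp -a line format and that arp, awk and mktemp are available.

```shell
#!/bin/sh
# arpcheck_diff.sh -- added example, not the arpcheck.ksh the page fetches.
# Compares a stored "arp -a | sort" baseline with a fresh snapshot and
# prints only the entries that changed, so one baseline plus the latest
# snapshot replace the one-file-per-run layout.
LC_ALL=C; export LC_ALL   # byte-order sort, independent of the locale

# Reduce raw arp -a lines to "ip mac name", dropping unanswered requests.
# Handles the Linux form  host (192.0.2.1) at 00:11:22:33:44:01 [ether] on eth0
# and the BSD form        host (192.0.2.1) at 00:11:22:33:44:01 on em0 ...
normalize_arp() {
    awk '{
        name = $1; ip = $2; gsub(/[()]/, "", ip); mac = $4
        if (mac ~ /incomplete/) next   # "<incomplete>" / "(incomplete)": no mapping yet
        print ip, tolower(mac), name
    }' "$1" | sort
}

# arp_diff BASELINE CURRENT: report the changes that matter for spoofing detection.
#   MAC-CHANGED  same IP, different hardware address (ARP poisoning candidate)
#   NAME-CHANGED same IP, different reverse-resolved name (DNS tampering candidate)
#   DUP-MAC      one MAC answering for several IPs (attacker impersonating a peer)
#   NEW / GONE   hosts that appeared or disappeared (usually benign, still worth a look)
arp_diff() {
    b=$(mktemp); c=$(mktemp)
    normalize_arp "$1" > "$b"
    normalize_arp "$2" > "$c"
    awk '
        FILENAME == ARGV[1] { bmac[$1] = $2; bname[$1] = $3; next }
        {
            ip = $1; mac = $2; name = $3; seen[ip] = 1
            if (!(ip in bmac)) {
                print "NEW " ip " " mac " " name
            } else {
                if (bmac[ip] != mac)   print "MAC-CHANGED " ip " old=" bmac[ip] " new=" mac
                if (bname[ip] != name) print "NAME-CHANGED " ip " old=" bname[ip] " new=" name
            }
            ips[mac] = (mac in count) ? ips[mac] " " ip : ip   # IPs sharing this MAC
            count[mac]++
        }
        END {
            for (ip in bmac) if (!(ip in seen)) print "GONE " ip " " bmac[ip] " " bname[ip]
            for (mac in count) if (count[mac] > 1) print "DUP-MAC " mac " " ips[mac]
        }
    ' "$b" "$c" | sort
    rm -f "$b" "$c"
}

# Cron entry point: arpcheck_diff.sh run [DIR]. Prints the report (cron mails
# stdout) and keeps a copy of the snapshot only when something changed. The
# baseline is never replaced automatically; once a change has been reviewed,
# re-baseline by hand with:  mv DIR/current DIR/baseline
arpcheck_run() {
    dir=${1:-$HOME/arp}
    mkdir -p "$dir"
    arp -a | sort > "$dir/current"
    if [ ! -f "$dir/baseline" ]; then
        cp "$dir/current" "$dir/baseline"   # first run: nothing to compare against yet
        return 0
    fi
    report=$(arp_diff "$dir/baseline" "$dir/current")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        cp "$dir/current" "$dir/changed.$(date +%s)"   # keep the evidence
    fi
}

# Offline demonstration on constructed snapshots (no real arp -a involved).
demo() {
    base=$(mktemp); cur=$(mktemp)
    cat > "$base" <<'EOF'
_gateway (192.0.2.1) at 00:11:22:33:44:01 [ether] on eth0
fileserver.lan (192.0.2.10) at 00:11:22:33:44:10 [ether] on eth0
printer.lan (192.0.2.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.0.2.99) at <incomplete> on eth0
EOF
    # Five minutes later: the gateway IP now maps to the laptop's MAC, the
    # file server's reverse name changed, the printer no longer answers.
    cat > "$cur" <<'EOF'
_gateway (192.0.2.1) at 00:11:22:33:44:30 [ether] on eth0
files.lan (192.0.2.10) at 00:11:22:33:44:10 [ether] on eth0
laptop.lan (192.0.2.30) at 00:11:22:33:44:30 [ether] on eth0
? (192.0.2.99) at <incomplete> on eth0
EOF
    arp_diff "$base" "$cur"
    rm -f "$base" "$cur"
}

case "${1:-demo}" in
    run) arpcheck_run "$2" ;;
    *)   demo ;;
esac
```

Run without arguments to see the report on the constructed snapshots; from cron, use the same rate as above with the run mode, for instance */5 * * * * /root/bin/arpcheck_diff.sh run /root/arp. Because the baseline is fixed, a poisoned entry is reported on every run until someone re-baselines, whereas comparing each snapshot with the previous one would alert exactly once and then go quiet. DUP-MAC also fires on legitimate multi-homed hosts or IP aliases, so whitelist those by hand rather than disabling the check.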

Resources

What are the reasons for seeing an incomplete ARP? https://networkengineering.stackexchange.com/questions/50843/what-are-the-reasons-for-seeing-an-incomplete-arp
