On Wed, 19 Oct 2005 17:44:49 +0300 "Alex" <alex@xxxxxxxxxxxxxxxx> wrote:

>Hi guys,

Hi,

>Sorry if this is a little off-topic, but I was wondering what can one do to
>prevent/stop ARP flooding?

As Carl-Daniel already said, the proper way to do this is to clean all the
machines from worms. I have some tips on how to do this.

I am the author of ASPE (Automatic Security Policy Enforcement), and two of
its modules are quite useful for this: aspe.arpflood and aspe.vulncheck.
Unfortunately, ASPE is developed only as a part of a whole Linux
distribution, so using it on other distributions isn't straightforward, but
fortunately you don't have to run ASPE on a router; just put it on some old
box (a Pentium I with 64MB RAM and one network card should be sufficient)
somewhere on the LAN.

During the last 2 months there has been a substantial rewrite to make ASPE
more configurable, which also had the effect that it is more complex to set
up. Complete and current configuration docs are available here:
http://docs.shurdix.org/aspe:config , but there are no examples yet, which
makes it difficult to understand. There is also a short intro, but only in
German: http://shurdeek.shurdix.org/tmp/ASPE.pdf

So I'll post some info here. I hope people won't mind, because in my
experience a lot of sites have this problem, and I have been working on ASPE
for about 2 years now, so it's been tested in action. It's licensed under
the GPL.

ASPE works like this: there are modules (4 at the moment) and they detect
stuff (both active and passive), and you can define actions it should take
when a certain amount (per IP) of them occurs.

The 2 modules for the mentioned problem are:

aspe.arpflood: detects computers that are looking for computers that don't
exist. It uses PCAP to capture ARP requests. ARP requests look like this:

  who has A tell B

This tells us 2 things: A is looking for B, and a exists. Next time it sees
something like

  who has B tell C

it won't be considered as a part of a flood, because it remembers that B
exists (IPs time out after one day of inactivity). If a computer has been
constantly looking for non-existing computers for a substantial amount of
time (configurable), it is considered to be flooding. It is able to catch
worms that scan the network slowly as well.

aspe.vulncheck: looks for Windows computers that are not patched against
Sasser. It has very low overhead (both CPU and network), as large parts are
passive, but high effectiveness.

The actions are:

(these work without any requirements)
- send an email to admin
- notify the computer via winpopup
- execute an external program

(these work only when you use Shurdix' user management)
- send an email to the owner of the computer
- block/unblock internet access

If you can hack up a script that blocks the correct switch port, you can use
"exec"; if not, you can use "mailadmin" (the triggers are not exclusive, so
you can use both at the same time too).

Here is what the config could look like in your situation:

/etc/sysconfig/aspe.vulncheck:

dev=eth0
# don't scan more frequently than once an hour
maxfreq=3600
action_vulnerable_timeout=86400
action_patched_timeout=86400
# notify him/her constantly if vulnerable
action_vulnerable_notifyperson_count=*
action_vulnerable_notifyperson_method=winpopup
action_vulnerable_notifyperson_msg=Your computer is vulnerable to the Sasser Worm. Please visit http://windowsupdate.microsoft.com and update your system.
# thank if patched (don't worry, this will REALLY only be triggered once, not
# every time the computer connects to the network :-))
action_patched_notifyperson_count=1
action_patched_notifyperson_method=winpopup
action_patched_notifyperson_msg=Thank you for updating your system and keeping our network safe.

/etc/sysconfig/aspe.arpflood:

# if you want to ignore some computers uncomment next line
#ignore=1.2.3.4
dev=eth0
# 24 hours
action_arp_timeout=86400
# 3 per minute
action_arp_mtba=20
# after about 10 minutes it's a flood
action_arp_inform_count=30
action_arp_inform_method=mailadmin
action_arp_inform_subj=aspe.arpflood report
action_arp_inform_msg=$ip is flooding
# if you have a script that blocks the switch:
action_arp_kickhim_count=30
action_arp_kickhim_method=exec
action_arp_kickhim_exec=/root/kickhim.sh $ip

/etc/sysconfig/mail:

sender=who@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
root=admin@xxxxxxxxxxxxx
# if you need a relay uncomment following line
#relay=1.2.5.6

For monitoring, grep the logs for "aspe"; every hit of a defined trigger is
logged (which is usually different from "every occurrence of a problem").

I hope it helps and isn't too confusing. If you have questions, I recommend
you post in the ASPE forum: http://forum.shurdix.org/viewforum.php?f=3 (you
can post in English, of course).

>Thanks,
>
>Alex

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
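The arpflood heuristic Peter describes (remember every sender as an existing host, count only requests for targets nobody has proved to exist, report a sender once its count reaches the configured threshold) as an added Python example; this is illustrative code, not ASPE's own, and reading `action_arp_mtba` as a minimum gap between two counted requests and the one-day inactivity timeout as `ip_timeout` are assumptions. The trace it runs on is constructed.

```python
from dataclasses import dataclass

@dataclass
class HostState:
    unknown_hits: int = 0        # counted requests for targets nobody has shown to exist
    last_counted: float = -1e18  # time of the last counted request
    flagged: bool = False        # threshold already reported for this sender

class ArpFloodDetector:
    """Passive ARP-flood heuristic in the spirit of aspe.arpflood (illustrative, not ASPE code)."""

    def __init__(self, count=30, mtba=20.0, ip_timeout=86400.0):
        self.count = count              # action_arp_*_count: hits before the sender is reported
        self.mtba = mtba                # assumption: minimum seconds between two counted hits
        self.ip_timeout = ip_timeout    # a host is forgotten after a day of inactivity
        self.known = {}                 # ip -> last time it proved it exists (sent a request)
        self.hosts = {}                 # sender ip -> HostState

    def _exists(self, ip, now):
        seen = self.known.get(ip)
        return seen is not None and now - seen <= self.ip_timeout

    def observe(self, now, sender_ip, target_ip):
        """Process one request 'who has target_ip tell sender_ip'.
        Returns True exactly once, when sender_ip reaches the flood threshold."""
        self.known[sender_ip] = now     # the sender just proved it exists
        if self._exists(target_ip, now):
            return False                # target is a real host: ordinary traffic
        st = self.hosts.setdefault(sender_ip, HostState())
        if now - st.last_counted < self.mtba:
            return False                # bursts are rate-limited; slow scans still accumulate
        st.last_counted = now
        st.unknown_hits += 1
        if st.unknown_hits >= self.count and not st.flagged:
            st.flagged = True
            return True
        return False

def run_constructed_trace():
    """Constructed trace: two ordinary hosts plus one slow scanner probing one unused address a minute."""
    det = ArpFloodDetector(count=30, mtba=20.0)
    events = [(0.0, "10.0.0.2", "10.0.0.1"),   # 10.0.0.2 asks for the gateway before it is known: 1 hit
              (1.0, "10.0.0.1", "10.0.0.2")]   # gateway asks for 10.0.0.2, which is known: not counted
    events += [(60.0 * i, "10.0.0.99", f"10.0.0.{100 + i}") for i in range(1, 41)]
    flagged = [(now, sender) for now, sender, target in sorted(events)
               if det.observe(now, sender, target)]
    return det, flagged   # flagged == [(1800.0, "10.0.0.99")]: reported at the 30th hit, 30 minutes in

if __name__ == "__main__":
    print(run_constructed_trace()[1])
```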