Arp Antispoofer

[sulasno]

I live in a rented apartment where Internet access is provided via LAN;

There were times where I could logon to the LAN but unable to access the Internet; I was told that someone in the network may be using "Net cut" to cut my Internet access; whereby he/she could access the Internet faster; it's a myth that by disallowing others to connect to the Internet the access would be faster since all access are capped at 256/256 at the user's level. There are another 2 applications to counter it; one that is not free (but stopped development) and another one (that calls home); but in the end I settle for Net cut. In retaliation, when I find that someone is using Net cut, I would use it to stop all access to the Internet and somehow the culprit would generate a new connection with a new IP to access the Internet. I would monitor any new IPs and stopped them from accessing the Internet. I have spoken to the management and mentioned that it is their responsibilities to find the wrong doer and protect their server being arp spoofs; but it fell on deaf ears. I also mentioned that it is a crime under Thailand for anyone to disrupt Internet connections and may be both fine and jail if found guilty.

Guessing the guy who runs the server has limited knowledge, can anyone suggest a arp antispoofer for a linux system ?

[bobo42]

I'm not a net expert, but I know a fair bit, to my knowledge following is correct.

AFAIK, Netcut is just an ARP spoofer. Some boneheads made an easy app for Windows so idiots can use it for DoS attacks on the networks they plug into without knowing what they are doing.

The only proper way to prevent ARP attacks on the network at the shared switch itself. Obviously, you don't have control over this, so in the end, so most likely this will end in an ARP arms race between you and the attackers until the entire network is flooded with conflicting ARP requests.

You could try setting static ARP on your own machine. Find your gateway's proper IP and MAC, and set them statically in the ARP table on your machine. This is problematic if you connect to the gateway via DHCP, since your IP may change, and then your static ARP table will be wrong and you'd have to reset it. Also, this would only protect your machine, if switch itself is being spoofed as well - which it probably is, your still screwed (ie - your packets are sent to the proper MAC on the switch, but the switch sends replies to nowhere). Depending on the switch setup and the specific way the attackers software works, this might solve your problem.

You could also try filtering ARPs on your machine, only listening and responding to ARPs from the switch MAC address.

The nuclear option. Send correct ARPs from your machine to the switch at a higher rate than the attackers are sending. That's the only way I can think of to "combat" the problem on the switch side without having control over the switch itself.

This is really a problem with the switch management, so all you can do is find ways to minimize. Google "arp spoofing", "arp flooding", and "arp filtering" for some background info.

[siamect]

Ettercap can do it I guess... or Wireshark?? but it is more an analyzer.

But hey! Don't do anything stupid... Keep your hat white, hacker...

...when I find that someone is using Net cut, I would use it to stop all access to the Internet and somehow the culprit would generate a new connection with a new IP to access the Internet. I would monitor any new IPs and stopped them from accessing the Internet...

... it is a crime under Thailand for anyone to disrupt Internet connections and may be both fine and jail if found guilty.

[astral]

We seem to be treading a fine line here.

Time to close the topic.

Continue by PM if needed.