ARPWATCH listens for ARP traffic in the broadcast domain and records the relationship between each device's IP address and its MAC address. When that relationship changes, it sends an email notification.
A common sign of an ARP attack is that the gateway's MAC address changes.
Of course, ARPWATCH is not omnipotent. Generally, the server on which you install arpwatch cannot see the ARP events of the entire network. To listen to everything, you have to configure port mirroring on the switch.
In addition, the attack packets are sent toward the router. Without port mirroring at the right point, arpwatch receives nothing and the attack cannot be detected.
####################
# ARP attack Monitoring and Handling
####################
# System environment: CentOS 5.2
#
# Installing arpwatch
yum -y install arpwatch
# Start the service automatically at boot
chkconfig arpwatch on
# Start the arpwatch service
service arpwatch start   (or: /etc/init.d/arpwatch start)
# Configuring arpwatch
vi /etc/sysconfig/arpwatch
# -u <username>: defines with what user id arpwatch should run
# -e <email>: the <email> where to send the reports
# -s <from>: the <from>-address
OPTIONS="-u pcap -e root -s 'root (Arpwatch)'"
Obtain the MAC addresses with arping queries.
# Traverse the MAC addresses in a VLAN
#!/bin/bash
for i in `seq 254`; do
    # arping prints "Unicast reply from <ip> [<mac>] ..."; keep ip and mac, strip the brackets
    arping -c2 210.51.44.$i | awk '/Unicast reply from/{print $4, $5}' | sed 's/\[//' | sed 's/\]//'
done
Alarm example:
Hostname: <unknown>
Ip address: 210.51.44.1
Ethernet address: 0:0:24:5b:bb:ac
Ethernet vendor: CONNECT
Old ethernet address: 0:b:bf:29:d0:56
Old ethernet vendor: Cisco Systems
Timestamp: Sunday, December 7, 2008 14:46:34 +0800
Previous timestamp: Sunday, December 7, 2008 14:46:34 +0800
Delta: 0 seconds
The gateway's correct MAC is known to be 0:b:bf:29:d0:56, so 0:0:24:5b:bb:ac is the attacker's MAC address (note that a MAC address can itself be changed). Use arping to traverse the IP addresses of the same network segment, obtain the MAC list, and then grep that list for the MAC to find its IP address. You can save the MAC address table and reuse it next time. Of course, to ensure that this file stays correct, you still need to keep it updated.
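As an added example (not code from the original page), the arping loop above and the lookup described in the last paragraph combined into one script: it turns arping output into an ip/mac table, keeps it as a baseline, and when arpwatch mails an alarm it reports which IPs changed MAC and which IPs now answer with the alarm's MAC. The arping lines and addresses below are constructed sample text so the script runs offline; in practice pipe in the real output of the arping loop.

```bash
#!/bin/bash
# Added example: baseline ip->mac table plus alarm lookup.
# All data here is constructed sample text, not real captures.

# arping prints "Unicast reply from 210.51.44.1 [00:0B:BF:29:D0:56]  0.823ms";
# keep "ip mac" with the brackets stripped and the MAC lowercased.
parse_replies() {
    awk '/Unicast reply from/ { gsub(/\[|\]/, "", $5); print $4, tolower($5) }'
}

# arpwatch writes MACs without leading zeros ("0:b:bf:29:d0:56"); pad each
# octet to two hex digits so it compares equal to arping's form.
pad_mac() {
    local IFS=: octet out=""
    for octet in $1; do
        out="$out${out:+:}$(printf '%02x' "0x$octet")"
    done
    printf '%s\n' "$out"
}

# Print "ip old_mac new_mac" for every IP whose MAC differs from the baseline.
# $1 = baseline table, $2 = current table (both "ip mac" per line).
changed_macs() {
    awk 'NR == FNR { base[$1] = $2; next }
         ($1 in base) && base[$1] != $2 { print $1, base[$1], $2 }' "$1" "$2"
}

# Print every IP in table $1 that answers with MAC $2 (the alarm's
# "Ethernet address" after pad_mac). More than one hit means one MAC is
# claiming several IPs, which is what gateway impersonation looks like.
ips_for_mac() {
    awk -v m="$2" '$2 == m { print $1 }' "$1"
}

# Constructed sample: a baseline scan, then a later scan in which the gateway
# 210.51.44.1 answers with the same MAC as host .77.
BASELINE_RAW='Unicast reply from 210.51.44.1 [00:0B:BF:29:D0:56]  0.823ms
Unicast reply from 210.51.44.77 [00:00:24:5B:BB:AC]  1.102ms'
SCAN_RAW='Unicast reply from 210.51.44.1 [00:00:24:5B:BB:AC]  0.911ms
Unicast reply from 210.51.44.77 [00:00:24:5B:BB:AC]  1.087ms'

baseline=$(mktemp); scan=$(mktemp)
printf '%s\n' "$BASELINE_RAW" | parse_replies > "$baseline"
printf '%s\n' "$SCAN_RAW" | parse_replies > "$scan"
echo "changed (ip old new):"; changed_macs "$baseline" "$scan"
echo "IPs answering with the alarm MAC:"; ips_for_mac "$scan" "$(pad_mac 0:0:24:5b:bb:ac)"
rm -f "$baseline" "$scan"
```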