However, the most damaging and severe attacks, from university database servers to well-known banking systems, have been caused by malicious insiders. Many security solutions provide protection against such attacks at the firewall level, on the assumption that no insider attack exists. The former attack affects the privacy of a network user, whereas the latter causes heavy damage to networks in the form of unavailability of services.
Use it to monitor for unknown (and as such, likely to be an intruder's) MAC addresses or somebody messing around with your ARP/DNS tables. Last known timestamp and change notification is included.

There is also a Bro script that passively detects ARP spoofing. It monitors ARP requests and replies for potential spoofing. This is how the author describes it:

An attacker using ARP spoofing as their method can either send gratuitous replies (which lie about an existing IP to MAC correspondence) or send many requests to one or more victims with spoofed sender hardware address and/or sender protocol address fields. This script checks for both gratuitous ARP packets, which are unsolicited replies, as well as ARP requests sent many times with the same information. An attacker will need to send many of either type of spoofed packet in order to continue the attack (otherwise the victim will stop directing its traffic to an attacker-supplied location). This script leverages knowledge of DHCP transactions, a consistent state of ARP requests and replies, and other metrics in order to provide more accurate information regarding potential attacks. For an attacker to deny a victim service or to initiate a MITM attack, the attacker will need to provide a spoofed MAC address of the victim's gateway. In order to maintain a continuing attack, the attacker will send many spoofed packets, which can be counted. It is possible that these spoofed packets will change IP to MAC mappings, which can be detected as well.
It then compares the MAC addresses it detected with a pre-configured list of authorized MAC addresses. If the MAC is not in the list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters. This software can run in daemon mode; it is very fast (low CPU and memory consumption).
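The checks described for the Bro script above (IP-to-MAC mapping changes, counted unsolicited replies, the same request repeated many times) and arpalert's allowlist check with a user-script hook can be combined into one small passive monitor. The Python below is an added example written for this page; it is not code from Bro, arpalert, or any other tool named here. The ArpMonitor class, its threshold, the unknown_mac_handler hook (standing in for arpalert's pre-defined user script), and every MAC address, IP address and ARP frame in it are constructed assumptions.

```python
"""Passive ARP spoof monitor (added example; all addresses and frames are constructed)."""
from collections import Counter
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpEvent:
    """The fields of one ARP packet that matter for spoof detection."""
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpMonitor:
    def __init__(self, authorized_macs, threshold=3, unknown_mac_handler=None):
        self.authorized = {m.lower() for m in authorized_macs}
        self.threshold = threshold
        # Hypothetical hook standing in for arpalert's user script; it receives
        # the unknown MAC and the IP it was seen with, as that script would.
        self.unknown_mac_handler = unknown_mac_handler
        self.mapping = {}             # sender_ip -> last sender_mac seen for it
        self.pending = set()          # (asker_ip, asked_ip) of outstanding requests
        self.unsolicited = Counter()  # (claimed_ip, mac) -> unsolicited reply count
        self.repeated = Counter()     # (mac, sender_ip, target_ip) -> request count
        self.seen_unknown = set()     # MACs already reported as not on the allowlist
        self.alerts = []              # (kind, detail) tuples, in detection order

    def _alert(self, kind, detail):
        self.alerts.append((kind, detail))

    def observe(self, ev):
        mac = ev.sender_mac.lower()
        # 1. Allowlist check: a MAC that is not authorized is reported once.
        if mac not in self.authorized and mac not in self.seen_unknown:
            self.seen_unknown.add(mac)
            self._alert("unknown_mac", (mac, ev.sender_ip))
            if self.unknown_mac_handler:
                self.unknown_mac_handler(mac, ev.sender_ip)
        # 2. Mapping change: this sender IP was previously seen with another MAC.
        prev = self.mapping.get(ev.sender_ip)
        if prev is not None and prev != mac:
            self._alert("mapping_changed", (ev.sender_ip, prev, mac))
        self.mapping[ev.sender_ip] = mac
        if ev.op == ARP_REQUEST:
            # Remember who asked for what, so the matching reply counts as solicited,
            # and count identical requests from the same sender fields.
            self.pending.add((ev.sender_ip, ev.target_ip))
            key = (mac, ev.sender_ip, ev.target_ip)
            self.repeated[key] += 1
            if self.repeated[key] == self.threshold:
                self._alert("repeated_request", key)
        elif ev.op == ARP_REPLY:
            # A reply answering an outstanding request is normal; anything else
            # is unsolicited (gratuitous) and is counted against the threshold.
            want = (ev.target_ip, ev.sender_ip)
            if want in self.pending:
                self.pending.discard(want)
            else:
                key = (ev.sender_ip, mac)
                self.unsolicited[key] += 1
                if self.unsolicited[key] == self.threshold:
                    self._alert("gratuitous_flood", key)


# Constructed sample addresses (not real hosts).
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"
HOST_MAC = "aa:aa:aa:aa:aa:05"
ROGUE_MAC = "de:ad:be:ef:00:09"   # deliberately absent from the allowlist
ZERO_MAC = "00:00:00:00:00:00"


def legitimate_traffic():
    """One normal exchange: the host asks for the gateway, the gateway answers."""
    return [
        ArpEvent(ARP_REQUEST, HOST_MAC, "10.0.0.5", ZERO_MAC, "10.0.0.1"),
        ArpEvent(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", HOST_MAC, "10.0.0.5"),
    ]


def spoofed_traffic():
    """Constructed sample: four unsolicited replies claiming the gateway IP sits at
    ROGUE_MAC, then three identical requests carrying the same false sender fields."""
    replies = [ArpEvent(ARP_REPLY, ROGUE_MAC, "10.0.0.1", HOST_MAC, "10.0.0.5")] * 4
    requests = [ArpEvent(ARP_REQUEST, ROGUE_MAC, "10.0.0.1", ZERO_MAC, "10.0.0.5")] * 3
    return replies + requests


def run(events, authorized=(GATEWAY_MAC, HOST_MAC)):
    """Feed a sequence of ArpEvents through a fresh monitor and return its alerts."""
    mon = ArpMonitor(authorized)
    for ev in events:
        mon.observe(ev)
    return mon.alerts


if __name__ == "__main__":
    for kind, detail in run(legitimate_traffic() + spoofed_traffic()):
        print(kind, detail)
```

To use it on a real network, map each captured ARP packet's opcode and sender/target fields onto ArpEvent and call observe. The threshold is set above one or two because hosts legitimately send a gratuitous ARP when they boot or when an address fails over; only a sustained stream of unsolicited replies or repeated identical requests is reported, which matches the observation above that an attacker has to keep sending spoofed packets to keep the victim's traffic diverted.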
Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation.