> It is doing an arp poisoning attack. It overloads the switch, and if
> m0n0wall did the same it would fall over to a hub, and all the data will
> still go to the compromised machine. I understand that you don't have
> access to the clients, but the only fix is to remove the bad client.
> You may want to seal off the net to keep it from spreading as well.

I have to agree with this. If you can't remove clients or hardcode correct ARP to client, your only option is a smart switch on each location. ARP attacks are happening on the switch (L2) and that's where you have to stop them. Cisco has something called Dynamic ARP Inspection. I'm sure other vendors have similar functionalities, but I doubt you can find them in low-end (low-cost) products.

Here's a great ppt (not mine), explaining what's happening on the LAN and your options to prevent it:

http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt

In this ppt there are some hints that FreeBSD has some tools included to detect this kind of attack; so maybe flooding back with ARP could be an option, if an attack is detected. But personally, I think it's barking up the wrong tree. Those attacks must be stopped on the switch.

Regards,
Bostjan
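The detection side mentioned above (tools that watch for ARP cache changes, in the style of arpwatch) can be illustrated with a small monitor. This is an added example, not code from the m0n0wall list or from FreeBSD's tools: it keeps an IP-to-MAC table from observed ARP replies, flags a "flip-flop" when an IP is suddenly answered by a different MAC, and flags one MAC answering for many IPs in a short window. The input records, the thresholds (`max_ips_per_mac`, `window`) and all addresses are constructed for the example.

```python
"""ARP flip-flop / many-IPs-per-MAC detector over constructed ARP replies.

Added example (not from the m0n0wall thread or FreeBSD's own tools).
It only detects; as the thread says, stopping ARP poisoning belongs on
the switch (e.g. Dynamic ARP Inspection), this just tells you it happened.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ts: float   # seconds since start of capture (constructed)
    ip: str     # sender protocol address in the ARP reply
    mac: str    # sender hardware address in the ARP reply


@dataclass
class ArpMonitor:
    max_ips_per_mac: int = 3     # assumed threshold; tune per segment
    window: float = 10.0         # seconds to remember claims per MAC
    table: dict = field(default_factory=dict)          # ip -> mac
    claims: dict = field(default_factory=lambda: defaultdict(list))  # mac -> [(ts, ip)]
    flagged_macs: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> None:
        # 1. Flip-flop check: has this IP been answered by another MAC before?
        prev = self.table.get(r.ip)
        if prev is None:
            self.table[r.ip] = r.mac
        elif prev != r.mac:
            self.alerts.append(
                f"flip-flop {r.ip}: {prev} -> {r.mac} at t={r.ts}")
            self.table[r.ip] = r.mac

        # 2. One MAC claiming many IPs inside the window (typical of a
        #    host answering for the whole segment).
        hist = self.claims[r.mac]
        hist.append((r.ts, r.ip))
        hist[:] = [(t, ip) for t, ip in hist if r.ts - t <= self.window]
        distinct_ips = {ip for _, ip in hist}
        if len(distinct_ips) > self.max_ips_per_mac and r.mac not in self.flagged_macs:
            self.flagged_macs.add(r.mac)
            self.alerts.append(
                f"mac {r.mac} claims {len(distinct_ips)} IPs within {self.window}s")


# Constructed sample: a gateway at .1 is later "answered" by a second MAC,
# which then claims several more addresses on the segment.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:aa:aa:aa"),
    ArpReply(1.0, "192.168.1.10", "00:11:22:bb:bb:bb"),
    ArpReply(5.0, "192.168.1.1", "00:11:22:bb:bb:bb"),   # flip-flop on gateway
    ArpReply(6.0, "192.168.1.20", "00:11:22:bb:bb:bb"),
    ArpReply(7.0, "192.168.1.30", "00:11:22:bb:bb:bb"),  # 4th IP -> alert
    ArpReply(8.0, "192.168.1.40", "00:11:22:bb:bb:bb"),  # already flagged
]


def run_sample(replies=SAMPLE_REPLIES) -> list:
    """Feed the constructed replies through the monitor and return alerts."""
    mon = ArpMonitor()
    for r in replies:
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed sample this yields one flip-flop alert for the gateway address and one many-IPs alert for the second MAC. A real deployment would feed it from a packet capture on the segment (the FreeBSD tools the ppt alludes to do exactly this), and the alert would be the trigger for isolating the offending port, not a substitute for switch-level ARP inspection.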