[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Wed, 29 Apr 2009 13:09:01 -0400
On Wed, Apr 29, 2009 at 9:21 AM, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> rgreiner wrote:
>> Hi, does somebody know any interesting reference page explaining what
>> exactly netcut does and how? All pages I could find speak about
>> downloading netcut or anti netcut. I'm interested in neither. What I
>> would like is to know how to detect and trace someone using that thing
>> in my network, so I could properly "deal" whith this individual.
> Actually, tracking is easy.  Look at the arp table on any system on the flat
> network.  If one mac address is constantly advertising itself as several IP
> addresses, they are probably arp poisoning. (Or a bridge, wireless range
> extender, or something else that is supposed to arp for others)
> But I can not see how he is protecting the network.  It might protect a
> single system, but not a network.

It can't, that's a popular misconception of nearly everyone who wants
something like this from my experience - it can protect the system
it's running on, but does nothing for the rest of your network. The
proper way to handle L2 mischief is to configure your switches
appropriately so it can't happen. There may be some value in running
it on the firewall for the WAN side where you normally can't control
things. I haven't looked at this solution in particular in any depth
so I'm not sure if it really provides any value.