Monitor ARP Activity

Network security is critical in the privileged-access VLAN used by the Computer Center Laboratory administration and support groups. Some network plugs are located in publicly accessible places, which opens a hole into the internal network. The usual solution in enterprise networks is to bind each switch port to the MAC address of the user assigned to it, so that a plug grants network access only to the permitted MAC address and an arbitrary device cannot simply be connected. That control can still be defeated by cloning the permitted MAC address, and in any case the working conditions of our infrastructure (frequent staff moves, hardware changes etc.) make it impractical, since it imposes a great overhead on the NOC admins.

In the context of building an effective IDS (Intrusion Detection System), I chose the ARPWatch tool to detect ARP spoofing/poisoning attacks. ARPWatch is an open-source tool that listens to Ethernet (or FDDI) traffic on the network and maintains a database of IP address to MAC address mappings; when a mapping changes it can notify the administrator by e-mail. ARPWatch is among the most widely used tools for detecting ARP spoofing attacks and runs on most Linux distributions, UNIX and Sun Solaris.

Arpwatch uses libpcap, a system-independent interface for user-level packet capture, which must be installed before arpwatch. ARPWatch relies on the system resolver (configured in /etc/resolv.conf) to turn the addresses it reports into hostnames; a broken resolver does not stop detection, but the reports will then show only addresses. When building from source, the arpwatch and libpcap source trees are expected to sit side by side in the same parent directory so that arpwatch's configure script can find libpcap.

So when an IP-MAC mapping change occurs, it is recorded in the database and the NOC admins are informed via e-mail so that they can take the appropriate action.
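To make the detection logic concrete, here is an added example (my own code, not arpwatch's) that models the IP-to-MAC database and the change events arpwatch raises, replayed over a constructed ARP reply stream that imitates an attacker poisoning the gateway's address. The IPs, MAC addresses and timestamps are made up; the "changed ethernet address" and "flip flop" event names follow arpwatch's own terminology, where a flip flop means the address changed back to the previously seen one, which is exactly the pattern a poisoning attacker and the legitimate host produce when they keep overwriting each other.

```python
"""Model of arpwatch-style IP-to-MAC tracking and change detection.

Added example, not arpwatch's own code. All addresses and timestamps
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Station:
    """One database row: current MAC, last-seen time, and the MAC seen before it."""
    mac: str
    last_seen: int
    previous_mac: Optional[str] = None


@dataclass
class ArpMonitor:
    """Keeps the IP -> Station database and classifies each observed ARP reply."""
    db: Dict[str, Station] = field(default_factory=dict)

    def observe(self, ip: str, mac: str, ts: int) -> Optional[str]:
        """Record one ARP reply (ip is at mac, seen at time ts).

        Returns the event name for the NOC admins, or None when nothing changed.
        """
        mac = mac.lower()
        entry = self.db.get(ip)
        if entry is None:
            # First time this IP has been seen on the segment.
            self.db[ip] = Station(mac=mac, last_seen=ts)
            return "new station"
        if mac == entry.mac:
            # Same pairing as before: just refresh the timestamp.
            entry.last_seen = ts
            return None
        # The MAC differs from the one on record. If it is the one we had
        # immediately before, the pairing is oscillating ("flip flop"),
        # which is the typical signature of an ARP poisoning race between
        # the attacker and the legitimate host.
        event = "flip flop" if mac == entry.previous_mac else "changed ethernet address"
        entry.previous_mac, entry.mac, entry.last_seen = entry.mac, mac, ts
        return event

    def dump(self) -> str:
        """Render the database in arp.dat's column order (MAC, IP, Unix timestamp)."""
        return "\n".join(
            f"{e.mac}\t{ip}\t{e.last_seen}" for ip, e in sorted(self.db.items())
        )


# Constructed ARP reply stream: (timestamp, ip, mac). 10.0.0.1 is the
# gateway; de:ad:be:ef:00:01 is the attacker claiming the gateway's IP.
SAMPLE_REPLIES: List[Tuple[int, str, str]] = [
    (100, "10.0.0.1", "00:11:22:33:44:01"),   # gateway announces itself
    (101, "10.0.0.50", "00:11:22:33:44:50"),  # an ordinary workstation
    (160, "10.0.0.1", "00:11:22:33:44:01"),   # gateway again, no change
    (200, "10.0.0.1", "DE:AD:BE:EF:00:01"),   # attacker poisons the gateway IP
    (201, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers a request
    (202, "10.0.0.1", "de:ad:be:ef:00:01"),   # attacker re-poisons
]


def run_demo() -> Tuple[List[Tuple[int, str, str]], ArpMonitor]:
    """Replay SAMPLE_REPLIES; return the (ts, ip, event) list and the monitor."""
    monitor = ArpMonitor()
    events = []
    for ts, ip, mac in SAMPLE_REPLIES:
        event = monitor.observe(ip, mac, ts)
        if event is not None:
            # In a real deployment this is where the e-mail to the NOC goes.
            events.append((ts, ip, event))
    return events, monitor


if __name__ == "__main__":
    evts, mon = run_demo()
    for ts, ip, event in evts:
        print(f"{ts}\t{ip}\t{event}")
    print("--- database ---")
    print(mon.dump())
```

The point of the replay is the sequence at the end: a single "changed ethernet address" is what a legitimate NIC replacement looks like too, but a run of "flip flop" events on the gateway's IP within seconds is the signal worth paging on.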

You can install ARPWatch either from your OS distribution's official packages or by compiling it from source. The configuration is very simple and is usually located in /etc/arpwatch.conf (on Red Hat-derived systems the daemon options live in /etc/sysconfig/arpwatch instead).


A. Bechtsoudis