Monday, June 16, 2008

Prevention of Man-in-Middle Attack

Having anticipated that a Man-in-the-Middle attack by ARP spoofing could be
a problem (for example, there are many lab machines which have NFS access
to user disks on a server; these machines may even be turned OFF, which
makes it easy for a spoofer to get in), I wrote a short Perl script
designed to be run from the system startup file. Basically, it fills the
ARP cache on Linux with the IP and MAC addresses of known machines, setting
a flag so that they are never removed from the cache and can never be
changed.

The config file format is simple -- an IP address followed by a MAC
address, separated by whitespace. A pound sign at the beginning of a line
indicates
For example:

# vi ip_mac.conf
# IP_Address MAC_Address

This has only been tested on Linux -- people on other platforms may need
to adjust the parameters to arp in the system call.

It is a quick 'n' dirty program, but works -- maybe it will be useful to
somebody out there, too.

Note: you want to make sure that it is run after your network interface is
brought up but before any servers or clients are started; otherwise,
somebody may be able to sneak in a connection before the ARP tables are

Here is the Perl script:

# vi

#!/usr/bin/perl -w
# Program:
# Program to run ARP to force certain tables.

# Specify filenames (redirection) or stdin

use strict;
my ($host, $hw);

foreach (<>) {              # For each input line....
    chomp;                  # Strip the CR/LF
    if (/^#/) {
        next;               # If it's a comment, skip it.
    }
    if (((($host, $hw) = /\s*(.+?)\s+(\S+)\s*/) == 2) && !/^#/) {
        # The text between the slashes parses the input line as follows:
        #   Ignore leading whitespace. (\s*)
        #   Then start matching and put it into $host ($host, (.+?))
        #   Skip over the whitespace after that (\s+)
        #   Start matching into $hw (\S+) and continue until end of line
        #   or optional trailing whitespace.
        #
        # Then the if checks to see that both a host and a hardware
        # address were matched (2 matches). If not, we skip the line
        # (assuming it is blank or invalid or something).
        # The second part of the if checks to see if the line starts with
        # a pound sign; if so, ignore it (as a comment).

        # Otherwise, run the appropriate command:
        printf("Setting IP %-15s to hardware address %s\n", $host, $hw);
        # List form of system() passes the arguments directly, with no shell.
        system("/usr/sbin/arp", "-s", $host, $hw) == 0
            or warn "arp -s $host $hw failed: $?\n";
    }
}

Example execution:

# ./ < ip_mac.conf
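As an added example (not the post's script), here is a Python version of the same idea: it parses the same IP/MAC config format, rejects malformed or conflicting entries, emits the iproute2 equivalent of arp -s for each pinned host, and compares the pinned list against ip -4 neigh show output so a host whose MAC has drifted from the pinned value can be flagged. The sample config and neighbour-table output are constructed, and eth0 is an assumed interface name.

```python
import ipaddress
import re
# Constructed sample config in the post's format: IP, whitespace, MAC; '#' lines are comments.
SAMPLE_CONF = """# IP_Address MAC_Address
192.168.1.1    00:11:22:33:44:55
192.168.1.10   AA:BB:CC:DD:EE:01
"""

# Constructed sample of `ip -4 neigh show` output: .10 answers with a MAC that is not the pinned one.
SAMPLE_NEIGH = """192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
192.168.1.10 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.7 dev eth0 FAILED
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_conf(text):
    """Return {ip: mac} from 'IP MAC' lines; reject malformed or conflicting entries."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'IP MAC', got {raw!r}")
        ip, mac = parts[0], parts[1].lower()
        ipaddress.IPv4Address(ip)          # raises ValueError on a bad address
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {parts[1]!r}")
        if entries.get(ip, mac) != mac:
            raise ValueError(f"line {lineno}: conflicting MAC for {ip}")
        entries[ip] = mac
    return entries

def static_commands(entries, dev="eth0"):
    """iproute2 equivalent of `arp -s IP MAC`: one permanent neighbour entry per pinned host."""
    return [f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
            for ip, mac in sorted(entries.items())]

def find_mismatches(entries, neigh_output):
    """Compare `ip -4 neigh show` output with the pinned list; return (ip, expected, seen) triples."""
    seen = {}
    for line in neigh_output.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            seen[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return [(ip, mac, seen[ip]) for ip, mac in sorted(entries.items())
            if ip in seen and seen[ip] != mac]
```

Running find_mismatches periodically against the live neighbour table is a cheap check that the pinned entries are still in effect, since a spoofed reply that got in before the script ran would show up as a differing lladdr.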

I hope that this script will help you access resources in your network and
prevent DoS and Man-in-the-Middle attacks.
