Netgate Discussion Forum

A way to prevent netcut , arp spoof , everything

DHCP and DNS
8 Posts 4 Posters 12.4k Views
    kafoula
    last edited by May 31, 2009, 9:27 AM

    Hello everyone. In the MikroTik firewall there is a feature in its DHCP server to customize the gateway and netmask you can give to the user. I tried entering netmask 32 and found out every user takes an IP with netmask 32, and when he opens NetCut or any spoofer he just can't find anyone in the network because his netmask is 32; he must write his IP manually to see the whole network. That also stopped file sharing, but I solved that using Hamachi.
    I hate MikroTik; I am a big fan of pfSense. Anyone have any suggestions so I can customize the netmask given by the DHCP server in pfSense? This will solve everything (ARP spoofing, ARP storms, sniffing), and it was tested in MikroTik in a network of 50 users.

      Perry
      last edited by May 31, 2009, 9:52 AM

      Don't think there is a way, and IMO a better way would be to use VLANs.

      /Perry
      doc.pfsense.org

        kafoula
        last edited by May 31, 2009, 12:47 PM

        Can I use a VLAN for each user on the network?

          kafoula
          last edited by May 31, 2009, 12:50 PM

          The idea is to use the DHCP and captive portal as they are, with no further configuration that should be made on the users' computers (setting up a PPTP connection).

            kafoula
            last edited by May 31, 2009, 2:50 PM

            http://www.bakarasse.de/disable-netbios-via-dhcp.html
            This link was here on the forum. Is there any way we can do that using the existing DHCP, or maybe by installing another DHCP server that doesn't require the client netmask and the LAN interface netmask to be the same?

              blak111
              last edited by May 31, 2009, 8:21 PM

              I don't think this is a very good way to prevent people from running arp poisoning attacks. If they know how to run an attack, there is a good chance that they know how to change their subnet mask.
              The best thing would be to implement some kind of protection at the switch level. Newer HP switches have a feature called dynamic ARP protection. On a DHCP enabled network, the switch records the IP addresses given out by the trusted DHCP server. Then, only traffic that matches the recorded IP to MAC pairings is allowed to pass. This prevents any IP stealing/poisoning.

                kafoula
                last edited by May 31, 2009, 10:52 PM

                For FreeBSD there is ipguard; it detects any change in MAC addresses and any ARP activity and reports it, but I can't manage to make a pfSense package of it. For FreeBSD there are many ports that protect from ARP attacks, but I can't find a package. I tried Snort but failed to make it detect ARP poisoning (using the ARP preprocessor).

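The two checks discussed in the replies above, dynamic ARP protection on the switch (blak111's post: the switch records the IP-to-MAC pairs handed out by the trusted DHCP server and only forwards ARP traffic that matches) and ipguard-style reporting of MAC changes (kafoula's post), reduced to a small script. This is an added example, not code from pfSense, HP, Cisco, ipguard or anyone in this thread; the lease table, the `ArpMessage` record and the sample ARP traffic are constructed here for illustration.

```python
# Added example (not pfSense, HP, Cisco or ipguard code): a miniature
# "dynamic ARP protection" check plus an ipguard-style MAC-change detector.
# All leases and ARP messages below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: bindings a trusted DHCP server would have recorded
# (the gateway is a static entry the admin trusts explicitly).
DHCP_LEASES: List[Tuple[str, str]] = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.11", "00:11:22:33:44:11"),
]


@dataclass(frozen=True)
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address
    src_mac: str     # Ethernet source address of the frame carrying the ARP


# Constructed ARP traffic as a switch port would see it.
SAMPLE_ARP: List[ArpMessage] = [
    # 1. legitimate: .10 announces itself with its leased MAC
    ArpMessage("reply", "192.168.1.10", "00:11:22:33:44:10", "00:11:22:33:44:10"),
    # 2. a host claiming the gateway IP with a MAC the DHCP server never bound to it
    ArpMessage("reply", "192.168.1.1", "00:11:22:33:44:99", "00:11:22:33:44:99"),
    # 3. a self-assigned address with no lease at all
    ArpMessage("request", "192.168.1.50", "00:11:22:33:44:50", "00:11:22:33:44:50"),
    # 4. ARP payload and Ethernet header disagree about the sender
    ArpMessage("reply", "192.168.1.11", "00:11:22:33:44:11", "00:11:22:33:44:99"),
]


def build_binding_table(leases: List[Tuple[str, str]]) -> Dict[str, str]:
    """Turn DHCP lease records into the IP -> MAC table the switch trusts."""
    return {ip: mac.lower() for ip, mac in leases}


def inspect_arp(msg: ArpMessage, bindings: Dict[str, str]) -> Tuple[bool, str]:
    """Dynamic ARP protection decision for one message: (forward?, reason)."""
    if msg.sender_mac.lower() != msg.src_mac.lower():
        return False, "ARP sender MAC differs from frame source MAC"
    bound = bindings.get(msg.sender_ip)
    if bound is None:
        return False, f"no DHCP binding for {msg.sender_ip}"
    if bound != msg.sender_mac.lower():
        return False, f"{msg.sender_ip} is bound to {bound}, not {msg.sender_mac}"
    return True, "matches DHCP binding"


def detect_mac_changes(messages: List[ArpMessage]) -> List[Tuple[str, str, str]]:
    """ipguard/arpwatch-style check: report (ip, old_mac, new_mac) whenever an
    IP is seen with a different MAC than before. Needs no DHCP data at all."""
    seen: Dict[str, str] = {}
    changes: List[Tuple[str, str, str]] = []
    for m in messages:
        mac = m.sender_mac.lower()
        if m.sender_ip in seen and seen[m.sender_ip] != mac:
            changes.append((m.sender_ip, seen[m.sender_ip], mac))
        seen[m.sender_ip] = mac
    return changes


if __name__ == "__main__":
    table = build_binding_table(DHCP_LEASES)
    for m in SAMPLE_ARP:
        ok, why = inspect_arp(m, table)
        print("FORWARD" if ok else "DROP   ", m.op, m.sender_ip, m.sender_mac, "-", why)
    # Give the change detector a baseline: the real gateway announcing itself first.
    baseline = [ArpMessage("reply", "192.168.1.1", "00:11:22:33:44:01", "00:11:22:33:44:01")]
    for ip, old, new in detect_mac_changes(baseline + SAMPLE_ARP):
        print(f"ALERT {ip} changed from {old} to {new}")
```

The binding check is the stronger of the two because it needs no prior observation: the forged gateway announcement (message 2) is dropped on its first appearance, and so is a statically configured address that never obtained a lease (message 3), which is exactly the case the /32 netmask trick from the first post cannot cover. The change detector is what a host-based tool like ipguard can do without the switch's help: it only alerts once it has seen a legitimate mapping, and it cannot block anything, only report.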
                  djamp42
                  last edited by Jun 7, 2009, 9:15 PM

                  Cisco has a "switchport protected" command. It will only allow users to talk to non-protected switchports (pfSense is the only non-protected port). This way users can only affect themselves if they happen to assign themselves the default gateway.

                  If a user happens to assign himself an IP address that was given out by the DHCP server, I guess he could bring down one PC, but that would take a lot of trial and error. This is really only in DHCP networks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.