06-27-2011 07:04 AM
I recently noticed a number of security alerts in my norton for mac about ARP cache poisoning attacks on my network. The MAC address listed in the alert is my xbox 360 and the times coincide with online play on xbox live. Does anyone know of instances in which xbox live is used to launch such attacks? For what it's worth, I also run pcs on my network and the log on my norton internet security on my PC does not show any such attacks.
Thanks.
06-29-2011 01:58 AM
07-01-2011 07:19 AM - edited 07-01-2011 07:20 AM
Hey, I just disabled the notifications. Protection is still on but no more annoying pop ups. Apparently, this is a common thing on some routers. Based on my limited knowledge (so don't take this as written in stone) I think your network is still safe.
09-23-2011 03:42 PM
Every network device which has no protection from an ARP poisoning attack, also known as MITM (man-in-the-middle), is vulnerable. Even many managed network switches (i.e. as used in large/corporate LANs) and other network devices which have some form of MITM protection can be attacked after disabling or fooling their protecti
A good place to start learning about MITM is to read the various help/manual pages of the freeware packages Ettercap and Dsniff, etc. There are basically two uses for these packages: firstly as very useful network diagnostics tools and secondly as dangerous blackhat tools for all manner of cyber crimes (e.g. stealing and decrypting https online bank usernames and passwords).
Firewalls filter layers 3 and 4 of Ethernet (i.e. TCP/IP [TCP, UDP, ICMP, etc.]) and ARP (Address Resolution Protocol) uses layer 2, and therein lies the beginning of the problem. Next, ARP is inherently extremely insecure and devices simply trust more or less whatever they're told. But Ethernet won't work without MAC and IP address pairs, and MAC addresses are communicated via ARP, so there is another inherent problem. Packages like Ettercap were developed to bypass the ARP filtering security features of many/all managed Ethernet switches and have been developed to exploit remote networks very effectively.
There are a few steps which can be taken to make ARP poisoning more difficult for the hacker, and one is implementing a "Permanent Static ARP Cache" at system boot. I've no idea how to do this on Windows as it is very insistent upon having a dynamic ARP cache (if someone knows how, please post info or http link/s), but on most Unix/Linux systems you simply create an "/etc/ethers" file with your network's MAC and IP pairs (or at least those of the PC and gateway) and append "arp -f /etc/ethers" to "/etc/rc.local", or an "/etc/ethers" file which has "arp -s MAC IP permanent" pairs for each MAC and IP pair and add "sh /etc/ethers" to "/etc/rc.local" (remembering to make "/etc/ethers" executable in the latter case). However, this won't stop all types of MITM attack.
Another good source of MITM information will probably be books like "Hacking Exposed" by Stuart McClure, Joel Scambray and George Kurtz.
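The static-ARP-cache idea in the post above, as an added example that is not part of any post in this thread: a POSIX shell script that reads an /etc/ethers-style list of MAC/IP pairs, validates each pair before turning it into an `arp -s` command (net-tools `arp -s` takes the IP or hostname first, then the hardware address), and then compares a captured `arp -an` table against the expected pairs so that a pinned address that suddenly resolves to a different MAC is reported rather than silently trusted. The ethers content and the `arp -an` output below are constructed sample data; the output format assumed is the Linux net-tools one (`? (IP) at MAC [ether] on iface`). MAC normalisation (lower-case, zero-padded octets) is included because BSD/macOS `arp -an` prints octets like `0:1` without leading zeros.

```shell
#!/bin/sh
# Added example, not from the forum thread. All sample data below is constructed.

# Constructed /etc/ethers-style list: "MAC IP" per line, '#' starts a comment.
# The last entry is deliberately malformed to show that validation rejects it.
ETHERS_SAMPLE='# gateway
00:11:22:33:44:55 192.168.1.1
# workstation
66:77:88:99:aa:bb 192.168.1.10
zz:11:22:33:44:55 192.168.1.300
'

# Constructed "arp -an" dump (Linux net-tools format). The gateway entry has a
# MAC that does NOT match the pinned one, which is what a poisoned cache looks like.
ARP_SAMPLE='? (192.168.1.1) at DE:AD:BE:EF:0:1 [ether] on eth0
? (192.168.1.10) at 66:77:88:99:aa:bb [ether] on eth0
? (192.168.1.50) at 00:0c:29:12:34:56 [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
'

# valid_mac MAC: six colon-separated hex octets, case-insensitive.
valid_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ipv4 IP: dotted quad with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# norm_mac MAC: lower-case and zero-pad each octet so "DE:AD:BE:EF:0:1"
# compares equal to "de:ad:be:ef:00:01".
norm_mac() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
    awk -F: -v OFS=: '{ for (i = 1; i <= NF; i++) if (length($i) == 1) $i = "0" $i; print }'
}

# ethers_to_arp_cmds ETHERS_TEXT: print one "arp -s IP MAC" line per valid pair.
# Malformed lines are reported on stderr and skipped, never pinned.
ethers_to_arp_cmds() {
  printf '%s' "$1" | while read -r mac ip rest; do
    case "$mac" in ''|\#*) continue ;; esac
    if valid_mac "$mac" && valid_ipv4 "$ip"; then
      printf 'arp -s %s %s\n' "$ip" "$(norm_mac "$mac")"
    else
      printf 'skipping malformed ethers entry: %s %s\n' "$mac" "$ip" >&2
    fi
  done
}

# check_arp_table ETHERS_TEXT ARP_AN_TEXT: compare a live table against the
# expected pairs. Prints OK / UNLISTED / MISMATCH per resolved entry and
# returns 1 if any pinned IP resolved to an unexpected MAC, else 0.
check_arp_table() {
  expected=$1
  current=$2
  status=0
  # here-doc keeps the loop in the current shell so $status survives it
  while read -r host ip at mac rest; do
    [ -n "$ip" ] || continue
    case "$mac" in *:*) ;; *) continue ;; esac   # skip "<incomplete>" entries
    ip=${ip#\(}; ip=${ip%\)}
    want=$(printf '%s\n' "$expected" |
      awk -v ip="$ip" '$1 !~ /^#/ && $2 == ip { print $1; exit }')
    if [ -z "$want" ]; then
      printf 'UNLISTED %s %s\n' "$ip" "$(norm_mac "$mac")"
    elif [ "$(norm_mac "$want")" != "$(norm_mac "$mac")" ]; then
      printf 'MISMATCH %s expected=%s got=%s\n' "$ip" "$(norm_mac "$want")" "$(norm_mac "$mac")"
      status=1
    else
      printf 'OK %s %s\n' "$ip" "$(norm_mac "$mac")"
    fi
  done <<EOF
$current
EOF
  return $status
}

# Demonstration on the constructed data (replace with: cat /etc/ethers, arp -an).
ethers_to_arp_cmds "$ETHERS_SAMPLE"
check_arp_table "$ETHERS_SAMPLE" "$ARP_SAMPLE" || echo "ARP table disagrees with pinned pairs"
```

To use it for real, feed `check_arp_table "$(cat /etc/ethers)" "$(arp -an)"` from a cron job or a login script; a non-zero exit is the signal worth alerting on, while UNLISTED lines are merely hosts that were never pinned. The generated `arp -s` lines are printed rather than executed so they can be reviewed before being placed in the boot script the post describes.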
