Network Security Monitoring with Arpwatch

Arpwatch is an amazingly useful tool that listens promiscuously on a specified interface for ARP broadcasts.  It saves what it learns in a database for later reference, one record per line, in the following format.

mac_address ip unix_date/time hostname

It logs any changes or additions to /var/log/messages and can optionally email them to you as well.

This functionality is useful for detecting

  • Man-in-the-middle attacks
  • Arp spoofing/poisoning
  • Session hijacking attacks
  • New hosts introduced onto your network

Setup and configuration are easy.  Just download and compile arpwatch from lbnl’s site, create an arpwatch user (unless you want it to run as root… which you don’t), create an empty arpwatch database (touch /home/arpwatch/arp.dat) and run it.

The command line arguments you run will differ depending on how your network is set up, so check out the man page to be safe. The following should work for most situations.

/usr/sbin/arpwatch -i eth0 -u arpwatch -f /home/arpwatch/arp.dat -n x.x.x.x/21 -e -

-i eth0 tells it to listen on the eth0 interface only.  If you are multihomed you can run multiple instances of arpwatch, one per NIC/network.

-u arpwatch tells it to run as the user ‘arpwatch’ instead of root.

-f /home/arpwatch/arp.dat tells it to save the ARP database in that file instead of the default location.

-n x.x.x.x/21 tells it that an additional address range is in use on this interface.  If you have IPs outside of those defined on your monitoring NIC it will report them as bogons.

-e - tells it not to email you with everything it discovers.  You will want to run it this way the first time to avoid flooding your mailbox.
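To make the checks above concrete, here is an added example (not arpwatch’s own code) that parses a database in the mac/ip/timestamp/hostname format described above, then compares a stream of observed ARP replies against it and reports the same classes of event that arpwatch writes to /var/log/messages: new station, changed ethernet address, flip flop (two MACs fighting over one IP, which is what ARP spoofing or a duplicate address looks like on the wire) and bogon (an address outside the ranges given with -n). The arp.dat contents and the observed replies are constructed samples; the tab-separated layout and the unpadded MAC octets (0:11:… rather than 00:11:…) are assumptions about the file, which is why the parser normalizes MACs before comparing them.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of an arpwatch database in the format described above
# (mac, ip, unix timestamp, hostname). Assumption: fields are tab separated and
# MAC octets are written without zero padding, so the parser normalizes them.
SAMPLE_ARP_DAT = (
    "0:11:22:33:44:55\t192.168.1.1\t1215000000\tgateway\n"
    "0:11:22:33:44:56\t192.168.1.10\t1215000100\tworkstation\n"
    "0:11:22:33:44:57\t192.168.1.11\t1215000200\tprinter\n"
)

# Address ranges considered local to the monitored interface (what -n declares).
MONITORED_NETS = ["192.168.1.0/24"]

# Constructed sequence of ARP replies seen after the database was written:
# (mac, ip, unix timestamp).
SAMPLE_OBSERVED = [
    ("00:11:22:33:44:55", "192.168.1.1", 1215001000),   # gateway, unchanged
    ("de:ad:be:ef:00:01", "192.168.1.1", 1215001010),   # another MAC claims the gateway IP
    ("00:11:22:33:44:55", "192.168.1.1", 1215001020),   # original gateway MAC answers again
    ("00:11:22:33:44:58", "192.168.1.12", 1215001030),  # address never seen before
    ("00:11:22:33:44:59", "10.9.8.7", 1215001040),      # address outside the monitored range
]

Record = Dict[str, object]
Event = Tuple[str, str, Optional[str], str]  # (kind, ip, previous mac, observed mac)


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet to two lowercase hex digits so 0:11:... and 00:11:... compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.strip().split(":"))


def parse_arp_dat(text: str) -> Dict[str, Record]:
    """Parse arp.dat records into a dictionary keyed by IP address."""
    db: Dict[str, Record] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t") if "\t" in line else line.split()
        mac, ip, ts = fields[0], fields[1], int(fields[2])
        host = fields[3] if len(fields) > 3 else ""
        db[ip] = {"mac": normalize_mac(mac), "prev_mac": None, "ts": ts, "host": host}
    return db


def check_observed(db: Dict[str, Record], observed, monitored_nets) -> List[Event]:
    """Compare observed ARP replies with the database and return the events to report.

    The database is updated in place, the way arpwatch keeps arp.dat current.
    """
    nets = [ipaddress.ip_network(n) for n in monitored_nets]
    events: List[Event] = []
    for raw_mac, ip, ts in observed:
        mac = normalize_mac(raw_mac)
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            # Source address is not in any range configured for this interface.
            events.append(("bogon", ip, None, mac))
            continue
        rec = db.get(ip)
        if rec is None:
            db[ip] = {"mac": mac, "prev_mac": None, "ts": ts, "host": ""}
            events.append(("new station", ip, None, mac))
        elif rec["mac"] != mac:
            # A different MAC now answers for this IP. If it is the MAC that answered
            # before the last change, two hosts are fighting over the address.
            kind = "flip flop" if mac == rec["prev_mac"] else "changed ethernet address"
            events.append((kind, ip, str(rec["mac"]), mac))
            rec["prev_mac"], rec["mac"], rec["ts"] = rec["mac"], mac, ts
        else:
            rec["ts"] = ts
    return events


if __name__ == "__main__":
    database = parse_arp_dat(SAMPLE_ARP_DAT)
    for event in check_observed(database, SAMPLE_OBSERVED, MONITORED_NETS):
        print(event)
```

Run against the samples, the gateway entry produces a "changed ethernet address" event followed by a "flip flop" when the original MAC answers again; that back-and-forth on a gateway address is the pattern to alert on, since a single legitimate hardware swap produces one change and then stays quiet.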

AT&T iPhone “Direct Fulfillment” is Flawed.

My wife and I waited in line early morning the day of the iPhone 3G launch.  By the time we got in the AT&T store they had sold out of all 16gig models so they put them on order for “direct fulfillment”.

She got the white model and received hers two days ago.  I got the black one and still have not received mine.

My buddy, Billy, went into the same store after work the day of the launch and signed up for the direct fulfillment of the same model I ordered.  He just received confirmation that his is at the AT&T store ready to be picked up.

So why did I wait in line?!

iPhone 3G

Missy and I hopped in the line at our local AT&T store this morning at 7am to try and get ourselves two iPhone 3Gs (16gig).  At this point the line already wrapped around the side of the building.  We finally got into the store at about 11am to find that they had sold out of the 16G version.

They set us up with “direct shipment” of the phones so they should arrive within 5-10 days.
I can’t wait!

Home Brew

Missy and I started doing home brewing (beer micro-brewing).  It’s really a blast and provides us with lots of high quality and inexpensive beer.  The average 5gal batch costs about $20-25 and yields about 54 (12oz) bottles.  That’s about $0.37 to $0.46 per bottle.

Our favorite supplier is Materagaia.  They supply organic, pre-measured, complete recipes as well as all of the supplies and starter kits you could want.

The hobby has a bit of waiting involved, but if you properly plan and stagger your batches you can bottle as often as you like.

We currently have 1 porter batch that has almost been entirely consumed (Rev. Porter).

We also have the following in the works.

Primary Fermentation (1 week to 10 days till secondary)

  • Dark Horse Stout
  • Pale Horse Raspberry Ale

Secondary Fermentation (1 week till bottle)

  • Pale Horse Ale
  • Sunny Smiley Happy Summer Whit (Belgian Whit)

We also have a few recipes already purchased and ready to go

  • Barbie (American Blonde)
  • Honey Kolch
  • Strawberry Creme Ale

And have the following in the works

  • Blackened Voodoo Clone
  • Pete’s Wicked Ale Clone
  • Commie Bastard (Russian Imperial Stout)

The Pale Horse that is in secondary will be ready to bottle today and ready for early consumption this weekend.  The Belgian Whit will need to be transferred to another secondary vessel, and the stout should be good to transfer to secondary this weekend.

Windows XP SP3 and winpcap

I installed Windows XP service pack 3 yesterday and found today that wireshark would not detect any of my network interfaces.

Reinstalling winpcap fixed it.

FYI

Traveling is a Hoot

Today I left from Battle Creek, MI to Chicago, IL via the Amtrak train. This is my preferred method of travel when going to Chicago as plane trips cost literally 10x as much and are downright scary. If you have ever heard the term “puddle jumper” you will know exactly what I mean.

Leaving from East Lansing means leaving around 7 in the morning and losing a whole day of work, so I either take the bus (super scary) or have someone drive me to Battle Creek.

Each time I leave from Battle Creek I have a unique and enlightening experience. Today was no different.

A young man got off the train muttering something in the standard ghetto slang about being kicked off for “cuss’en out the train people” and wanting to know where he was and how far from “Dee-troit” he was.

A couple minutes later police descend on him from both exits and take him away in cuffs.

I always have to wonder about people like that. Are they intentionally seeking attention or do they just not have that filter that the rest of us have? It just seems counterproductive if you plan on getting to Detroit to spend the night in jail. All it would have taken is to keep his mouth shut and he would have been there in a matter of hours. Is this attention or lack of filter worth that? I would think not, but then again I guess these are the type of people that jails/prisons are made for.

Luck o’ the Irish

I have to present at a meeting today and spilled coffee on myself. Tide Stain Stick didn’t do the trick so I went to the restroom to get the stain out with water.

As I was wiping up the coffee I tore open a hang-nail and got blood all over myself.

I give up. I just give up.

Comcast Spews False Information

If you have been living in a cave for the past few months you may not be aware of Comcast’s recent practice of “shaping” bit-torrent traffic.

Specifically, they insert RST packets into what they believe to be bit-torrent sessions and forge them to look like they came from the host at the other end of the session. For those of you not familiar with how TCP/IP works, a RST packet is normally sent to tear down an established session. If one is erroneously sent in the middle of a communication (as is the case with Comcast) your computer will drop the connection and have to re-establish it.

The primary issues with this are…

  1. In order to associate the RST packet with your bit-torrent session they have to forge it to make it appear as if it’s from the other host you are communicating with. This violates a number of U.S. computer crime laws.
  2. They do a pretty crappy job of determining what bit-torrent traffic is. A number of reports have surfaced indicating that Lotus Notes and a number of other protocols are being improperly “shaped” as a result of this.
  3. A large number of legitimate software packages are distributed ONLY via bit-torrent. This is often the case with open source and free software as the developers are usually unable to afford the bandwidth required to distribute their works.
  4. I have yet to receive any sort of “Terms of Use” update informing me that this traffic is being mangled.

Another thing that irks me regarding Comcast’s media handling of this is a position often stated by their PR and executives.

Cohen also reiterated Comcast’s position that it doesn’t block traffic. “Comcast does not, has not, and will not block any websites or online applications, including peer-to-peer services,” he said, pledging to work with the FCC to “bring more transparency for consumers regarding broadband network management.”

They don’t seem to understand that inserting a RST packet is “blocking” traffic. A number of hardware Intrusion Protection Systems use exactly that method to block intrusion attempts when they are not configured “inline” and therefore cannot simply drop the session themselves.
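The RST injection described at the start of this post (and the out-of-band IPS technique mentioned just above) leaves a trace a defender can look for: a segment forged by a device in the middle of the path has travelled a different number of hops than the real peer’s segments, so its IP TTL usually differs from the TTL seen on the rest of that connection. The following added example (not from the original post) applies that heuristic over a constructed, reduced packet capture; the packet tuples, addresses and TTL values are made up for the example, and the TTL comparison is an assumption about how such injected resets tend to look rather than anything stated on this page.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed packet summaries for one TCP connection (not a real capture):
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags, ip_ttl).
# Assumption: these fields were extracted from a capture of the client's own traffic.
SAMPLE_PACKETS = [
    (1.000, "10.0.0.5", 51234, "203.0.113.9", 6881, "S", 64),
    (1.040, "203.0.113.9", 6881, "10.0.0.5", 51234, "SA", 52),
    (1.041, "10.0.0.5", 51234, "203.0.113.9", 6881, "A", 64),
    (1.100, "203.0.113.9", 6881, "10.0.0.5", 51234, "PA", 52),
    (1.150, "10.0.0.5", 51234, "203.0.113.9", 6881, "PA", 64),
    # RST carrying the peer's addresses and ports but a TTL the peer never used
    (1.200, "203.0.113.9", 6881, "10.0.0.5", 51234, "R", 249),
    # RST consistent with everything else the peer sent (peer really closed)
    (5.000, "203.0.113.9", 6881, "10.0.0.5", 51234, "R", 52),
]

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def find_suspect_rsts(packets, ttl_tolerance: int = 0) -> List[dict]:
    """Return RST segments whose IP TTL does not match any TTL previously seen from
    the same sender on the same connection.

    Packets are processed in capture order, so only traffic seen before the RST
    forms the baseline. ttl_tolerance allows small variations from routing changes.
    """
    seen: Dict[FlowKey, Set[int]] = defaultdict(set)
    suspects: List[dict] = []
    for ts, src, sport, dst, dport, flags, ttl in packets:
        key: FlowKey = (src, sport, dst, dport)
        if "R" in flags:
            baseline = seen.get(key, set())
            # No baseline means we cannot judge the RST; a baseline with no TTL
            # close to the RST's TTL means it probably did not come from the peer.
            if baseline and all(abs(ttl - b) > ttl_tolerance for b in baseline):
                suspects.append({"ts": ts, "flow": key, "rst_ttl": ttl,
                                 "peer_ttls": sorted(baseline)})
        else:
            seen[key].add(ttl)
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_rsts(SAMPLE_PACKETS):
        print(f"{hit['ts']:.3f} suspect RST on {hit['flow']}: "
              f"ttl {hit['rst_ttl']} vs peer {hit['peer_ttls']}")
```

Two caveats when using this on real captures: a RST that arrives before any other segment from that sender cannot be judged, and a matching TTL does not prove the reset was genuine, only that the mismatch signal is absent. Raising ttl_tolerance a little avoids false alarms from ordinary path changes at the cost of missing injectors that sit close to the peer.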