Help in preventing ARP poisoning

Harlock21

New Member
Hi all,
It seems that I am ARP spoofed.
Recently I have installed the XARP application which is able to detect only ARP poisoning; thanks to it I had the proof that I am victim of such attacks.
It seems that my Linux system is not affected by this fraudolent practice while my Windows firewall can not filter non legit / poisoned ARP traffic.
Is there any way to configure the Windows firewall with well constructed incoming traffic rules in order to filter the poisoning traffic?
Thank you.
 

Neemobeer

Principal Cybersecurity Architect
Staff member
ARP cache poisoning only works on a local network and any device would be susceptible to that type of attack. If someone is connected to your network and is poisoning your ARP cache you have bigger problems
 

Harlock21

New Member
Unfortunately ARP poisoning can be done without being connected to the network which the host is connected to.
My WIFI network is MFP protected and it will take eons to brick the password as it is encrypted.
Even if the intent of the ARP spoofing is to force a disconnection like the deauth procedure to sniff the connection handshake packets the password is encrypted and the work will be useless.
The problem is that the default Windows firewall rules are too weak, just as usual if compared to the Linux counterpart.
What I am asking is to create a Windows firewall rule which will block ARP spoofing generated with the same mac address that I have.
 

ussnorway

Windows Forum Team
Staff member
Premium Supporter
you could build a custom endian firewall into an old router and put that between your Windows system and the big bad internet... that gives you total control but takes a bit more than a basic understandiing to set up
 

Harlock21

New Member
you could build a custom endian firewall into an old router and put that between your Windows system and the big bad internet... that gives you total control but takes a bit more than a basic understandiing to set up
Hi thanks,
For now I am using xarp pro for both Windows and Linux and it seems to work good enough.
Yep the solution as you have suggested is a good way to go with but it requires a dedicated host for ddos filtering and tracking.
As far as I have understood xarp tries to understand if the ARP traffic sender/ exchanger is a legit one by actively polling back it (and all the senders that appear in the air traffic for wifi connections) - this way the "first" ARP traffic is then buffered until the polling rules are not validated.
Two years ago I had to buy a Cisco AP and change all my wifi network cards to be able to use the MFP security protocol, today I need to use dedicated daemon tools to prevent ddos/spoofing on the air traffic. Air traffic sucks 🙂
 
Last edited:

Neemobeer

Principal Cybersecurity Architect
Staff member
ARP only works locally so no it can't be done remotely and only impacts local assets arp operates on layer 2
 

Harlock21

New Member
ARP only works locally so no it can't be done remotely and only impacts local assets arp operates on layer 2
A wifi network has no physical boundaries as the packets are sent via radio waves, this means that a wifi network can not be closed in any way and an attacker can inject arp packets at his own wish by even simulating the identity of the attacked host. Do you want to see my xarp log or my Wireshark one? For me the topic is closed.
 

Neemobeer

Principal Cybersecurity Architect
Staff member
They still have to be connected to your network. A lan is a logical separation of devices via subnet mask. A lan is not nessicarily geographically localized.
 
Last edited:
Top