Hello!

I'm sharing an internet connection through a NAT-enabled ADSL router. Someone keeps trying to cut off the connection from me, using such programs as Netcut, SwitchSniffer etc.

I tried Anti-Netcut, and I even got the MAC address of the router and made a static ARP entry, though i couldn't communicate with the router. I don't know what program he uses but It seems like I'm on a different subnet :confused:

Any solution???

These programs only work on your LAN (vs say an internet based attack) so you should be able to configure your router or switch to prevent ARP spoofing (depending on the vendor's software options).

Also use a host based firewall (you can use the Windows built-in one if you like) to control ICMP on your computer. By disabling ping replies, for example, you prevent the attacker from using PING and his arp table to get your IP address MAC paring. For the Windows firewall here is a link (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_icmp_select.mspx?mfr=true) which explains how.

You will also need to add your static arp entries to your Windows computer using a batch file as they are lost when your computer reboots.

But your best play is to simply find the bad guy on your network, discovery why he is doing it and put a stop to it. you can use ARPwatch (on linux) to help find out who is using these "arp" programs.

Hope this helps :)

Ghost_Hacker,

I almost certainly know the bad guy who does the attack. He simply does it to gain greater bandwidth share.

I use Win. XP SP2 and I've recently installed Norton 360, but I think it's nothing to do with firewalls. ARP resides in the data-link layer. Is there anyway to stop responding to ARP requests?

"For Small Networks
If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands, such as "ipconfig /all" in Windows or "ifconfig" in 'NIX, you can learn the IP address and MAC address of every device in your network. Then using the "arp -s" command, you can add static ARP entries for all your known devices. "Static" means unchanging; this prevents hackers from adding spoofed ARP entries for devices in your network. You can even create a login script that would add these static entries to your PCs as they boot."

www.watchguard.com

IF you have access only to your machine and not the router, and you cannot stop the person from having access to the router because, as you said, your sharing the connection and this person is who it is shared with, there is very little you can do to stop him. If the above is the case, I suggest you go on the offensive and do the same thing he is doing. It is akin to MAD or Mutually Assured Destruction. If he is spoofing your MAC to send packets to his machine you can do the same thing. It sounds like a basic DOS attack, and if the bandwidth is shared he gets more of it because, you are basically disconnected from the network. There is little you can do if he has access to the router LAN side the same as you. Static ARP entries on your machine won't do anything.

Ghost_Hacker,

I almost certainly know the bad guy who does the attack. He simply does it to gain greater bandwidth share.

I use Win. XP SP2 and I've recently installed Norton 360, but I think it's nothing to do with firewalls. ARP resides in the data-link layer. Is there anyway to stop responding to ARP requests?

hehe Yes,I am aware of what level ARP request reside at. As I mentioned a firewall prevents him from using PING to get your MAC address/IP address pair. As you know PING is not an ARP request but it can help if the attacker's computer does not cache the MAC addresses from "dropped" connections. If he is sniffing your network or knows his arp well he can still get your MAC address even with a firewall preventing ICMP.

If you have no access to the router or switch I suggest you contact the person who does. I repeat this is your BEST way to stop this attack. If they can do nothing then its time to look elsewhere for broadband access. Trying to "out-hack" him is IMHO pointless and a waste of time. In my early days folks (scriptkiddies mostly) use to try to out hack me...they failed :D

You don't want to disable ARP request as this would disable your ability to access the network unless you use static ARP tables thru out your network (all routers, switches, and other computers you access). Do you? Frankly I have never looked into this kinda hack as I can see no point to it anyways, but to each their own:) ( If he is local to you and can sniff your network traffic he can get your MAC address no matter what filtering you have in place at the host)

You can stop Gratuitous ARP (http://www.windowsitpro.com/Article/ArticleID/15424/15424.html) but this does don't disable replies to ARP request.

EDIT: A snip about changing a MAC address ( you might wish to simply change it when you encounter this problem. However I strongly suggest you contact your "Admin" and settle the matter as I stated before):

Windows 2000/XP/Vista: The Hard Way

In XP you can use the regedit to edit the registry from a GUI or the reg command to edit it from the console, I’ll be using regedit. Information on all your NICs can be found the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\ Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\ . Under this key you will find a bunch of sub keys labeled as 0000, 00001, 0002 and so forth. We can assume any MAC address we want by finding the key that controls the NIC we want to change, putting in a string value called “NetworkAddress” and setting it to the MAC address we want to use formatted as a twelve digit hex number (example: 000000000001). To find out which key is which we can search through them for the value “DriverDesc” until we find the one that matches the NIC we wish to alter. After you set “NetworkAddress” to the address you want just restart the NIC by disabling it then enabling it (or in the case of PCMCIA cards, just eject and reinsert). You can confirm the MAC address change by using the “getmac” or “ipconfig /all” commands.



Windows 2000/XP/Vista: The Easy Way

Use Mac Makeup ( http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp ), MadMACs (http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer), Smac ( http://www.klcconsulting.net/smac/ ) or Etherchange (http://ntsecurity.nu/toolbox/etherchange/ ). Mac Makeup is a cool little GUI and Command line tool that's freeware, the creator also offers a Plugin for Bart's PE builder. MadMACs is a tool to randomize your MAC address and host name on every reboot. Smac has a nice GUI and was free but has since gone commercial, there's no reason to bother with it as there are free tools that are just as good. I use MadMACs since I wrote it and it lets me keep my host information randomized.



Have fun with your MAC addresses switching, but be careful not to cause network problems. My favorite MAC address is DEADBEEFCAFE, for other interesting MACs see:



http://www.binrev.com/forums/index.php?showtopic=15942

Good Luck :)

Here is a firewall (http://www.softperfect.com/products/firewall/) and another one (http://www.jetico.com/jpfirewall.htm) that can filters/rules for ARP. I have never used it so your mileage may vary. I am sure there are others, so you might want to look around to be sure you get best of breed.

You can try that to help with ARP posioning/cloning on your side. But it will not help with ARP posioning on the router/switch side.

Good Luck :)

thanks to all of those who contributed to the topic.

before i started this topic, i had tried the following methods:

1. Anti-Netcut, No Cut, and such programs.
2. Changing my MAC address using Mac Makeup.
3. Adding a static ARP entry as Wikipedia (http://en.wikipedia.org/wiki/ARP_spoofing#Defenses)stated " The only method of completely preventing ARP spoofing is the use of static, non-changing ARP entries. " here, i only added one entry for the router using a login script, and i thought that would stop the attack.

still, nothing of the above resolved the problem. now i add 2 entries, one for the router and one for the machine doing the attack. i think that stopped the attacker, i'm not sure of that but i download large files to persuade the attacker to do it and i think he couldn't.

anyway, thanks again. i'll try the the firewalls that "Ghost_Hacker" mentioned. hope those can prevent the attack too.

Hello!

I'm sharing an internet connection through a NAT-enabled ADSL router. Someone keeps trying to cut off the connection from me, using such programs as Netcut, SwitchSniffer etc.

I tried Anti-Netcut, and I even got the MAC address of the router and made a static ARP entry, though i couldn't communicate with the router. I don't know what program he uses but It seems like I'm on a different subnet :confused:

Any solution???

hi there, there is a software called antiarp or anti netcut out there, but somehow I still get disconnected every few seconds.
I have analyzed, this program only change your windows arp table entry for your gateway to static.
You can try my own program, it's free, but it only works in microsoft windows... My program can block spoofed arp traffic totally without changing your arp table entry...

you can download it here http://www.4shared.com/file/cWipropu/setup_DodolAntiARPv3.html

however, you must install microsoft .net framework 2.0 or later and winpkfilter from nt kernel resource, you can get both of them here:
http://www.microsoft.com/download/en/details.aspx?id=19
http://www.ntkernel.com/w&p.php?id=7

There is some possibility my program will be detected as a virus because it checks your network packet for spoofed arp packet.