arp cache protection enabled but still poisoned [Confirmed & Fixed]

Hi,
I am new here.
Any idea why my ARP is still poisoned by netcut 2.08 after I enable both of the ARP protection options under the attack detection settings?

I have this problem too.
My ARP is poisoned by “ARPBuilder” (ARP Builder 0.1).

Can you both please explain a bit more about how you have tested this?

My Settings
OS: Win7+ all patches
CIS: 4.0.138377.779
AV: Kaspersky Antivirus 9.0.0736

  1. Local network is marked as work (in the CIS installation process). The ARP defender setting is turned on.
  2. Ping another PC on the local network (e.g. 10.16.1.5) and look at its MAC (command: arp -a).
  3. Run ARPBuilder on a third machine and carry out an attack on my PC to poison the ARP table entry for IP 10.16.1.5 with a random MAC.
  4. The attack is successful. 10.16.1.5 has a new (random) MAC in the ARP table on my PC.

Did you happen to test this on CIS 3.14 also? And did it block it there?
Can you make a packet capture of the “attack”? Is it using ARP updates or ICMP tricks?

All images are in the attachment.
Configs:

  1. My PC (IP: 10.16.1.2, MAC: 00-1B-FC-75-AA-6F) (attach - “0.png”)
  2. Second PC (IP: 10.16.1.5, MAC: 00-24-1D-9B-17-84). I ping this PC (attach - “1.png”) and its MAC was added to my ARP table as a dynamic record (attach - “2.png”). This record is the target for poisoning from the third (hacker) PC.
  3. After poisoning (attach - “3.png”), my ARP record was changed to MAC 1-2-3-4-5-6 (attach - “4.png”).

[attachment deleted by admin]

Okay, thanks. Do you know if this also works on V3.14?

CIS 4.0 is my first Comodo firewall.

Okay, I’ll move this post to the BUG report section and see if I can draw some Devs’ attention.

Can you verify if you have “Block gratuitous arp frames” also ticked?
This tool is using Gratuitous ARP instead of ARP reply spoofing…

I can’t reproduce this against a Win7 host. Did you test on XP as the attacked host?

I also tried with CAIN and that also can’t poison my host, unless I untick “protect ARP cache”; then I get a full-routed spoof.

My (attacked) Settings:
OS: Win7 x86 + all updates
Antivirus: Kaspersky AntiVirus 9.0.0.736
Firewall: CIS 4.0.138377.779, settings in attach…

Hacker Settings:
OS: XP x86

“Block gratuitous arp frames” is turned on!
Did you use ARPBuilder (ARP Builder 0.1)?

[attachment deleted by admin]

Today I tested this bug without Kaspersky Antivirus (uninstalled it from the PC). It reproduced, so the antivirus is not the cause of the problem.

We have proved it is a bug. We will fix it ASAP!

Thanks RickWang :-TU

Thanks, we are waiting…

Hello everyone.

Any update for us?

Also, if I block all incoming requests including ICMP packets, it should prevent this kind of attack, shouldn’t it?

Thanks.

I don’t think so. ARP is Layer 2 traffic, IP is Layer 3, so you need these.

Ohh, understood. I hope it will be fixed soon.

Thanks.

CIS is the best!!
This bug is fixed in the new version 4.0.141842.828, available from update. I checked it and all works OK!

Comodo Team, Thank you for good work.
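
An added example, not part of the thread and not Comodo's code: a small Python monitor that decodes ARP payloads, labels a frame as gratuitous when sender IP equals target IP (the distinction raised above between gratuitous ARP and reply spoofing), and alerts when a frame contradicts an IP-to-MAC binding it has already seen. The two sample frames are constructed from the addresses posted in the thread, not taken from a capture; `BindingMonitor` and the helper names are hypothetical.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)

def _mac(b): return "-".join(f"{x:02X}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload; return None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def classify(pkt):
    """Gratuitous ARP announces the sender's own IP: sender IP == target IP."""
    if pkt["spa"] == pkt["tpa"]:
        return "gratuitous"
    return "request" if pkt["oper"] == 1 else "reply"

class BindingMonitor:
    """Keeps the first MAC seen per IP and reports any frame that contradicts it."""
    def __init__(self):
        self.bindings = {}

    def observe(self, payload):
        pkt = parse_arp(payload)
        if pkt is None:
            return None
        known = self.bindings.setdefault(pkt["spa"], pkt["sha"])
        if known != pkt["sha"]:
            return f"ALERT {classify(pkt)}: {pkt['spa']} is {known}, frame claims {pkt['sha']}"
        return None

def build(oper, sha, spa, tha, tpa):
    """Build a constructed sample payload (not a capture from the thread)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split("-"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed frames using the addresses posted in the thread.
LEGIT = build(2, "00-24-1D-9B-17-84", "10.16.1.5", "00-1B-FC-75-AA-6F", "10.16.1.2")
SPOOF = build(2, "01-02-03-04-05-06", "10.16.1.5", "FF-FF-FF-FF-FF-FF", "10.16.1.5")

if __name__ == "__main__":
    mon = BindingMonitor()
    for frame in (LEGIT, SPOOF):
        print(mon.observe(frame))
```

The monitor trusts the first binding it sees, so it has to be started while the network is known to be clean.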