possible arp spoofing vulnerability


I've been having some problems with my internet connection because of some flood on my university campus network, most of it being ARP spoofing. I know that the admin should do something about it, and probably the flood is the cause of some infected computers, or maybe done on purpose in order to lower traffic on the network and give the attacker a 'better broadband', as we have no upload/download limits and are more like competing against each other for speed.
In any case, I've tried to defend myself from this type of flood, and I'm not sure how good Comodo Firewall 3 is at this. It's a great firewall, I can tell, however it doesn't look very advanced concerning the defense against ARP spoofing attacks. I tried entering stealth mode and various attack detection settings, but they did not seem to do much good, as my internet connection kept dropping. I moved on to modifying the network security policy so that the first rule allows traffic between my MAC address and the DNS/gateway's (inbound/outbound, both application and global, protocol any), and the second rule blocks all traffic within the IP range of my local network. Normally this should have solved the problem, but my internet connection still kept dropping, though it was better than before.
What I actually wanted to see as a result while typing `arp -a` in cmd was the IP and the MAC of the DNS/gateway only, a clean ARP cache, because anything else looks to me like multicast or flood. I wanted the firewall to block all ARP packets but retain, or give the option to set, a single entry, the one that I needed for the DNS/gateway. It is obvious that the ARP packets weren't blocked, since I had more than one entry in the ARP cache even with all possible security options on.
My guess is that the cache protect option only prevents the entries from being modified, but not entries being added. I also guess that since my first firewall rule was a MAC-based allow/deny one, the address resolution protocol was inevitable in order to check whether a traffic attempt from a certain IP matched that specific rule. I can also add that when analyzing the firewall events I noticed that some of the IPs that were blocked (UDP protocol) showed up in the ARP cache, meaning that their ARP packets were not blocked. After some tests, I decided to install a trial application, AntiArp, which specializes in this kind of flood and works basically like a firewall against ARP spoofing and DDoS attacks, and my internet connection improved drastically. I did not see any new options in this program compared to Comodo Firewall 3 other than the option to preset ARP cache entries, and a similar packets-per-second filtering emergency mode. The Comodo Firewall default for triggering emergency mode is 20 packets/s, and the AntiArp default is 8 packets/s; I also tried setting a lower value in Comodo to check. For those who want to make some tests, I recommend disabling the "protect AntiArp application" option from its options, because their attempt at protecting their application from being terminated from the task manager seems to cause an occasional BSOD upon exiting, but nothing else.
I ran both firewalls with no conflicts whatsoever, but I noticed that AntiArp had ARP spoofing attacks against my computer in its log. Now, in case Comodo Firewall does protect against such attacks, then the spoofed packets must have hit AntiArp first, since they show up in its logs, and Comodo had nothing else to see or block. It's either that, or Comodo has serious security issues concerning ARP spoofing attacks. I really don't know how two firewalls on the same computer behave, if a second firewall can see and log packets blocked by a previous firewall, how their installed drivers for the network cards behave, if there is a priority between their driver usage, etc.
The bottom line is that installing Comodo Firewall helped only a little against my network flood problem, but running another application specialized in this kind of attack improved my internet connection drastically. With the exact same Comodo settings as before, just by running the AntiArp application I could see a big difference in my internet connection. The purpose of my post is to clear some things up for me about Comodo Firewall's capabilities, and if there is any weakness, we should all work together towards fixing these problems. I look forward to seeing better defense against these attacks in future versions, as it is sad how someone could bring down an internet connection so easily, even behind such a capable firewall.



I've sort of solved my problem a long time ago, and wandering around these forums again, I've decided to write this down. So doing my homework I noticed that Comodo doesn't exactly support all layer-2 protocols. There is good filtering for IP protocols, but when it comes to ARP, we have a problem. No point in going into details, since my solution was simple: using a packet filter. I used CHX 3.0 and put in 2 simple rules for the ARP protocol. The first one allowed inbound traffic if the source was the gateway MAC (priority highest=4), and the second one blocked all (other ARP) traffic (priority=3). The packet filter can be configured through a .msc management console, and supports pretty much all protocols you could ever need.
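As an added example (not from the original post, nor from Comodo, AntiArp or CHX), a small Python script that audits Windows `arp -a` output for the conditions the post describes: the gateway resolving to an unexpected MAC, one MAC claimed by several IPs, and entries other than the gateway sitting in the cache. The gateway IP, gateway MAC and the sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Windows 'arp -a' output (not taken from the original post).
SAMPLE_ARP_A = """\
Interface: 10.0.0.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.77             00-11-22-33-44-55     dynamic
  10.0.0.120            aa-bb-cc-dd-ee-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache line: IPv4 address, dash-separated MAC, entry type (dynamic/static).
ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_a(text):
    """Return {ip: (mac, type)} for every entry in 'arp -a' output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower())
    return entries

def is_multicast(ip):
    # 224.0.0.0/4 entries (like 224.0.0.22) are normal and not spoofing evidence.
    return 224 <= int(ip.split(".")[0]) <= 239

def audit_arp_cache(entries, gateway_ip, gateway_mac):
    """Return a list of findings; an empty list means the cache looks clean."""
    findings = []
    gw = entries.get(gateway_ip)
    if gw is None:
        findings.append(f"gateway {gateway_ip} missing from cache")
    elif gw[0] != gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} resolves to {gw[0]}, expected {gateway_mac.lower()}")
    # Several IPs answering with the same MAC is the classic ARP spoofing signature.
    by_mac = defaultdict(list)
    for ip, (mac, _) in entries.items():
        if not is_multicast(ip):
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by several IPs: {', '.join(sorted(ips))}")
    # The poster wanted only the gateway in the cache; report any other unicast entry.
    extra = sorted(ip for ip in entries if ip != gateway_ip and not is_multicast(ip))
    if extra:
        findings.append(f"non-gateway unicast entries present: {', '.join(extra)}")
    return findings
```

Running `audit_arp_cache(parse_arp_a(SAMPLE_ARP_A), "10.0.0.1", "00-11-22-33-44-55")` on the sample flags the shared MAC and the two extra hosts; a cache holding only the gateway with the right MAC returns no findings.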