Comparative test of programs that prevent attacks on ARP-table

Not so long ago, the DroidSheep program, which intercepts the accounts of users who log in to online services over public Wi-Fi, attracted a lot of interest (1, 2). To the eternal Russian question "what is to be done?" someone will suggest using programs written for Android that protect against this kind of attack. So I decided to test them.

I tested them with a program of my own, ARPBuilder, which I wrote back in 2008 to test the vulnerability of various firewalls to ARP-spoofing attacks (more).

I managed to track down only two test candidates: DroidSheepGuard and shARPWatcher (both programs require root access to work).

I judged whether an attack had succeeded by the contents of the ARP table on the test Android device, read with the Net Status app.

Two types of attack were carried out in the tests:
1. Via ARP replies (the most common type of attack).
2. Via ARP requests (a rarer type, but the one that most often gets through firewalls that have an ARP-spoofing protection feature).

DroidSheepGuard was tested first.

At first I could not tell whether the program worked at all: I poisoned the ARP table successfully, and the program told me nothing about it. Then I noticed the upper slider and reduced the interval (which, as it turned out, is the interval at which the ARP table is checked for changes) to 1 minute, and got a warning window together with a disconnect from Wi-Fi.

Because the program monitors any change to existing entries in the ARP table, it does not matter which of the two attack types your Android device is subjected to.
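The detection principle described above, as an added example that is not code from the original post or from DroidSheepGuard itself: parse snapshots of the ARP table in the format of `/proc/net/arp` (the table the Net Status app displays), alert when an entry that already existed now resolves to a different MAC address, and simulate a checker that re-reads the table at a fixed interval. The snapshots and timings are constructed sample data, not captures from the author's device; the detector sees the same table change whether the rogue mapping arrived in an ARP reply or an ARP request, and the polling simulation shows why the check interval mattered in the test.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One line of /proc/net/arp: IP, HW type, flags, HW address, mask, device.
ARP_LINE = re.compile(
    r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
ATF_COM = 0x2  # "completed" flag: the entry holds a resolved MAC address


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for the completed entries of a /proc/net/arp dump."""
    table: Dict[str, str] = {}
    lines = text.strip().splitlines()
    for line in lines[1:]:  # the first line is the column header
        match = ARP_LINE.match(line.strip())
        if not match:
            raise ValueError(f"malformed ARP line: {line!r}")
        ip, _hw_type, flags, mac, _mask, _device = match.groups()
        if int(flags, 16) & ATF_COM:  # skip incomplete (00:00:00:00:00:00) entries
            table[ip] = mac.lower()
    return table


@dataclass(frozen=True)
class Alert:
    ip: str
    old_mac: str
    new_mac: str


def diff_arp_tables(baseline: Dict[str, str], current: Dict[str, str]) -> List[Alert]:
    """Alert on every entry present in both snapshots whose MAC differs.

    As described for DroidSheepGuard, only changes to *existing* entries count;
    entries that are new or that have expired are ignored.
    """
    return [
        Alert(ip, baseline[ip], current[ip])
        for ip in sorted(baseline)
        if ip in current and current[ip] != baseline[ip]
    ]


def first_detection_time(
    timeline: List[Tuple[int, str]], interval_s: int, horizon_s: int
) -> Optional[int]:
    """Simulate a checker that re-reads the ARP table every interval_s seconds.

    timeline: (time_s, arp_dump) pairs sorted by time; each dump stays in force
    until the next one. The baseline is the table seen at t = 0. Returns the
    poll time at which a change is first seen, or None if none is seen before
    horizon_s.
    """
    def table_at(t: int) -> Dict[str, str]:
        text = timeline[0][1]
        for when, dump in timeline:
            if when <= t:
                text = dump
        return parse_arp_table(text)

    baseline = table_at(0)
    t = interval_s
    while t <= horizon_s:
        if diff_arp_tables(baseline, table_at(t)):
            return t
        t += interval_s
    return None


# Constructed sample snapshot (not captured from the author's device).
CLEAN = """\
IP address       HW type     Flags       HW address            mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.7      0x1         0x2         66:77:88:99:aa:bb     *        wlan0
192.168.1.9      0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Same table after the gateway entry has been overwritten (constructed).
POISONED = """\
IP address       HW type     Flags       HW address            mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        wlan0
192.168.1.7      0x1         0x2         66:77:88:99:aa:bb     *        wlan0
"""

# The table changes 30 s after the checker starts (constructed timing).
TIMELINE = [(0, CLEAN), (30, POISONED)]

if __name__ == "__main__":
    for alert in diff_arp_tables(parse_arp_table(CLEAN), parse_arp_table(POISONED)):
        print(f"ARP entry for {alert.ip} changed: {alert.old_mac} -> {alert.new_mac}")
    for interval in (60, 300):
        seen = first_detection_time(TIMELINE, interval, 3600)
        print(f"check interval {interval:>3}s: change first seen at t={seen}s")
```

With a 60-second interval the change is seen at the first poll after it happens; with a 5-minute interval the device carries the poisoned entry for most of those five minutes before anything is reported. One caveat of the "existing entries only" rule: a gateway entry that first appears in the table already pointing at the wrong MAC is never flagged, because there is no earlier value to compare against.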

shARPWatcher

I could not work out on what principle this software operates. All my attacks went through, and for a long time there was no reaction from the program at all, even though I launched it the way the program's website says to: first the program, then the connection to the Wi-Fi network.

In short, the verdict is simple: use DroidSheepGuard with the minimum check interval. And better still, do not log in to your accounts from public networks at all.

Source: https://habr.com/ru/post/139704/