Am I being man-in-the-middled?
January 4, 2006 5:45 PM   Subscribe

Let's say, hypothetically, that you are a victim of a man-in-the-middle attack, perhaps via the handy arp-spoofing feature of the somewhat creepy program known as ettercap. How could you tell? What are the telltale signs?
posted by Astragalus to Computers & Internet (10 answers total) 1 user marked this as a favorite
You ask this as if you suspect you are or have been, yet supply no details. OK.

It could range anywhere from nothing (leading to sniffed passwords/keys, etc.) to loss of all packets (Eve is receiving all your traffic and doing what she pleases with it). Generally, "funny things".
posted by kcm at 6:05 PM on January 4, 2006

If you've been ARP spoofed your ARP tables will have all sorts of bogus entries in them. See the 'ARP' command in Linux to check, there is probably a similar utility for Windows.

Addtionally, I believe ettercap itself also has a spoof attack detector, which will report strange ARP activity to you.
posted by brettcar at 6:12 PM on January 4, 2006

'arp -a' works in Windows too.
posted by kcm at 6:24 PM on January 4, 2006

posted by NucleophilicAttack at 6:32 PM on January 4, 2006

Response by poster: There are definitely funny things - I have a bunch of ethereal capture logs with pretty abnormal-looking stuff going on (I'll post some if I can figure out how). I'm behind a dsl modem, so I don't know if it would be my modem or some switch in the phone company that would have been arp poisoned. Currently my modem's arp table has one entry for my computer as expected. In my sniffer's logs there are lots of strings of arp packets of the form:
{broadcast from my modem to the inside: who has (my external ip)? tell (my modem's internal address)}, which seems superflous. Wouldn't my modem know my pc's mac already? Plus there's a mysterious ip address unrelated to mine which keeps popping up for no apparent reason. I don't have the mental strength to wrap my brain around it right now, but I appreciate your help!
posted by Astragalus at 7:07 PM on January 4, 2006

Not to dissuade legitimate discussion of this security question, but do you really believe someone(s) is spying on you?

This may be a perfectly legitimate hypothetical question, but coming from you I'm concerned that you may be succumbing to paranoia.
posted by justkevin at 7:55 PM on January 4, 2006

Your arp caches go stale, so a refresh every now and then is normal. No idea about the mysterious IP ... dig it.
posted by NucleophilicAttack at 8:01 PM on January 4, 2006

Well, in theory if you were the victim of a man-in-the middle attack you could compare the public key you sent with the public key that the other end saw by some channel that you were sure the attacker couldn't see. (or at least, couldn't automaticaly replace).

I'm not quite sure if SSH servers store public keys anywhere though.
posted by delmoi at 8:55 PM on January 4, 2006

I have to agree with justkevin - given your posting history - I can't give much credence to your suspicions on this one.

But to paraphrase the Intel guy. Just because you're paranoid, doesn't mean they're not out to get you.

Not to derail, but have you gotten some professional help Astragalus?
posted by Dag Maggot at 3:33 AM on January 5, 2006 [1 favorite]

Addtionally, I believe ettercap itself also has a spoof attack detector, which will report strange ARP activity to you.

Exactly. The best way to detect an Ettercap-style attack is with Ettercap. Here's a lengthy Ettercap forum thread on detection, starting back before the capability was even added to the utility.
posted by jbrjake at 5:13 AM on January 5, 2006

« Older What to make with beautiful lemons?   |   Prenatal massage in Indiana? Newer »
This thread is closed to new comments.