I just read an article in Linux Pro Magazine about how to prevent ARP protocol attacks on a Layer 2 network using /etc/ethers
for static DHCP address assignment based on IP address.
The article also states that one can do this using a Linux command:
arp -s <host-ip-addr> <host-mac-addy>
Done correctly, this helps to prevent rogue hosts from showing up on the network and claiming that they are a different host in order to do a man-in-the-middle attack.
Now considering that someone on a Layer 2 network who already knows the configuration of the network can plug into it and locally configure a static IP address, is there anything else (MAC address filtering, for instance) that could prevent someone from obtaining an address via DHCP and communicating on the network if that MAC address is not allowed?
Or do I need to make sure my subnet is exactly the right size and have all of the computers running on it all the time?
The article gives a Python script that appears to be useful for detecting a MAC address that isn't supposed to be there stealing another IP by sending an ARP advertising packet faster than the host that is supposed to be there; but overall they recommend turning ARP advertising off.
MAC addresses can be manually set as well in Linux, so I still don't quite see how this helps.
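
The allowlist comparison the question describes, as an added example that is not part of the original post and is not the script from the article: it parses an ethers(5)-style list and a /proc/net/arp-style table, then reports IP/MAC pairs that disagree with the list. The sample data, the function names and the finding labels are all constructed for this illustration.

```python
# Constructed sample data: documentation IPs and made-up MACs.
ETHERS = """\
# MAC               IP
52:54:00:aa:00:01   192.0.2.1
52:54:00:aa:00:10   192.0.2.10
52:54:00:aa:00:11   192.0.2.11
"""

ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         52:54:00:aa:00:01     *        eth0
192.0.2.10       0x1         0x2         52:54:00:AA:00:11     *        eth0
192.0.2.11       0x1         0x2         52:54:00:aa:00:11     *        eth0
192.0.2.50       0x1         0x2         52:54:00:bb:00:99     *        eth0
192.0.2.60       0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_ethers(text):
    """Return {ip: mac} from ethers(5)-style lines of the form '<mac> <ip>'."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {r[1]: r[0].lower() for r in rows if len(r) >= 2}


def parse_arp(text):
    """Return [(ip, mac)] from /proc/net/arp-style text, resolved entries only."""
    rows = (line.split() for line in text.splitlines()[1:])
    # Flags bit 0x2 (ATF_COM) marks a completed entry; incomplete ones carry no real MAC.
    return [(r[0], r[3].lower()) for r in rows if len(r) >= 6 and int(r[2], 16) & 0x2]


def audit(expected, observed):
    """Flag IPs answered by the wrong MAC, unlisted hosts, and MACs holding several IPs."""
    findings, ips_by_mac = [], {}
    for ip, mac in observed:
        ips_by_mac.setdefault(mac, []).append(ip)
        if ip not in expected:
            findings.append(("unlisted-host", ip, mac))
        elif expected[ip] != mac:
            findings.append(("mac-mismatch", ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-has-multiple-ips", ",".join(ips), mac))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ethers(ETHERS), parse_arp(ARP_TABLE)):
        print(*finding)
```

A host that presents both an allowed MAC and the IP listed for it is indistinguishable from the legitimate host in this comparison, so the check covers mismatched and unlisted pairs only.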