arp spoofing defence
Nov 14 2002 09:16PM
Ilya Teterin (alien npp-integris ru)
Here is a patch http://securitylab.ru/_tools/antidote2.diff.gz for the Linux
kernel (2.4.18 and .19 tested) to resist ARP spoofing.
If applied, it brings a new sysctl parameter:
that defines kernel behaviour when changes in correspondence between MAC
and IP are detected.
Parameter value 0 corresponds to standard behaviour, ARP cache will be
Value=1..3 corresponds to "verification" behaviour. The kernel will send an ARP
request to test if there is a host at the "old" MAC address. If such a
response is received, it lets us know that one IP pretends to have
several MAC addresses at one moment, which is probably caused by ARP spoof
Value=1 - just report attack and ignore spoofing attempt.
Value=2 - ARP cache record will be marked as "static" to prevent attacks
Value=3 - ARP cache record will be marked as "banned", no data will be
delivered to the attacked IP anymore, until the system administrator unbans the
ARP record, updating it manually.
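The verification policy described in the post, as an added user-space model that is not taken from the patch or written by its author. The names `mode`, `on_arp_claim` and `may_deliver` are hypothetical, the MAC addresses are constructed, and accepting the change when the old MAC stays silent is an assumption the post does not state.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the policy in the post; not code from the patch. */
enum entry_state { ENTRY_DYNAMIC, ENTRY_STATIC, ENTRY_BANNED };
enum verdict { UPDATED, UNCHANGED, SPOOF_REPORTED, SPOOF_LOCKED, SPOOF_BANNED };

struct arp_entry {
    unsigned char mac[6];
    enum entry_state state;
};

/* mode: hypothetical name for the sysctl value (0..3).
 * old_mac_answered: outcome of the verification ARP request sent to the
 * previously cached MAC; supplied by the caller in this model. */
enum verdict on_arp_claim(struct arp_entry *e, const unsigned char new_mac[6],
                          int mode, bool old_mac_answered)
{
    if (e->state != ENTRY_DYNAMIC || memcmp(e->mac, new_mac, 6) == 0)
        return UNCHANGED;            /* pinned entry, or same MAC as cached */
    if (mode == 0 || !old_mac_answered) {
        /* Mode 0 is the stock update. Assumption: with verification on and
         * the old MAC silent, the change is also accepted. */
        memcpy(e->mac, new_mac, 6);
        return UPDATED;
    }
    /* Old MAC still answers: one IP claims two MACs at the same moment. */
    if (mode == 2) { e->state = ENTRY_STATIC; return SPOOF_LOCKED; }
    if (mode == 3) { e->state = ENTRY_BANNED; return SPOOF_BANNED; }
    return SPOOF_REPORTED;           /* mode 1: report, keep the old MAC */
}

/* Mode 3 effect: nothing is delivered to a banned IP until an admin resets it. */
bool may_deliver(const struct arp_entry *e) { return e->state != ENTRY_BANNED; }

int main(void)
{
    const unsigned char gw[6]    = {0x02, 0, 0, 0, 0, 0x01}; /* constructed */
    const unsigned char rogue[6] = {0x02, 0, 0, 0, 0, 0x66}; /* constructed */
    for (int mode = 0; mode <= 3; mode++) {
        struct arp_entry e = { .state = ENTRY_DYNAMIC };
        memcpy(e.mac, gw, 6);
        enum verdict v = on_arp_claim(&e, rogue, mode, true);
        printf("mode=%d verdict=%d kept_old_mac=%d deliver=%d\n", mode, v,
               memcmp(e.mac, gw, 6) == 0, may_deliver(&e));
    }
    return 0;
}
```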