ARP spoofing protection for Linux kernels
Around Q4 2002 a great patch called "antidote.diff" was announced on linux-net and bugtraq. It was designed to provide basic protection against ARP spoofing / ARP poisoning attacks for Linux kernels around version 2.4.20. As time went by, it happened that this patch did not apply cleanly on kernels like 2.4.26 anymore. Sure, the patch had to be reworked just a little, but it would have been great to find some up-to-date patch or even better a site hosting a maintained version. I tried to contact the author ("buggzy") and also posted a question to some mailing-lists .... no luck so far :-(
(If someone knows something - please let me know !!! Thanks !)

As some people asked me for a copy of my reworked patch, I decided to release it to the public. Some time ago I also did a port to 2.6 that seems to work quite well... (Feedback is always welcome !!!!!)

Anyway: the patches are provided "as is". So if anything goes wrong, does not work as expected or strange things happen - please don't blame me .... use it at your own risk !!!
Tech Specs about ARP Spoofing
<.... to be done ... >
For Linux kernels 2.4:
(original posting at http://seclists.org/lists/bugtraq/2002/Nov/0206.html)
linux-2.4.20: http://securitylab.ru/_tools/antidote2.diff.gz
linux-2.4.26: antidote2-2.4.26.diff.gz (reworked only - no further modifications)
linux-2.4.27: antidote2-2.4.27.diff.gz
linux-2.4.30+: antidote2-2.4.30.diff.gz
Quick HOWTO: Please refer to the original posting above.
For Linux kernels 2.6:
Attention: If you applied the patch, you also have to enable the feature in the kernel config !! (-> Networking options -> ARP Spoofing Protection) Otherwise the kernel will be built without it.
(Well, ok, I still ask myself if it was necessary to put that into the config section, but ..... )
29-Aug-2005:
linux >2.6.11: is done (experimental !) - but has to be tested.... but for those who are curious:
linux-2.6.11x: arp_protect_v1-2.6.11_beta4.diff.gz
linux-2.6.12x: arp_protect_v1-2.6.12_beta4.diff.gz
If you would like to help testing, please give me some feedback. Thanks !
# old / deprecated / experimental / do-not-use:
# linux-2.6.7-rel: arp_protect_v1-2.6.7.diff.gz
# linux-2.6.8.x: arp_protect_v1-2.6.8.x.diff.gz
# **** CURRENT KERNELS / > 2.6.9 or -mm series ***** 04-Dec-2004
# The patches above do not work for the current kernels, neither do they for the -mm series.
# Due to some internal code changes recently the ARP processing behaviour of these kernels
# changed in a way that broke "compatibility" to the arp_protect patches.
# As soon as I have some time left for closer investigation I will provide additional information
# or maybe release arp_protect_v2......
Quick HOWTO:
As with the version 2.4 patch, you will be provided a sysctl within /proc, but in the 2.6 version it is called "arp_protect". Behaviour is downwards compatible:
0 - feature disabled (default)
>0 - feature enabled: if an update to the ARP table is requested but the "old" MAC is still valid, do the following:
    1 - log & ignore update / spoofing attempt (recommended for most systems)
    2 - log & mark existing (cached) MAC as PERMANENT ("paranoid" setting)
    3 - log & disable MAC / IP communication ("very paranoid" setting - !! could cause DoS !!)
    4 - log & update ARP table (like "feature disabled", but generate an informational log message)
Questions? Comments? Anything?
Please feel free to contact me at: burbon04 at gmx.de
- Maximilian
29 August 2005