ARP spoofing protection for linux kernels

Around Q4 2002 a great patch called "antidote.diff" was announced on linux-net and bugtraq.
It was designed to provide basic protection against arp spoofing / arp poisoning attacks for linux kernels
around version 2.4.20. As time went by, it happened that this patch did not apply cleanly on kernels
like 2.4.26 anymore. Sure, the patch had to be reworked just a little, but it would have been great
to find some up-to-date patch or even better a site hosting a maintained version. I tried to contact
the author ("buggzy") and also posted a question to some mailing-lists .... no luck so far :-(
(If someone knows something - please let me know !!! Thanks !)

As some people asked me for a copy of my reworked patch, I decided to release it to the public.
Some time ago I also did a port to 2.6 that seems to work quite well...
(Feedback is always welcome !!!!!)

    The patches are provided "as is". So if anything goes wrong, does not work as expected or
    strange things happen - please don't blame me .... use it at your own risk !!!

Tech Specs about ARP Spoofing

For linux kernels 2.4:
(original posting at

linux-2.4.26: antidote2-2.4.26.diff.gz (reworked only - no further modifications)
linux-2.4.27: antidote2-2.4.27.diff.gz
linux-2.4.30+: antidote2-2.4.30.diff.gz

Quick HOWTO: Please refer to the original posting above.

For linux kernels 2.6:
Attention: If you applied the patch, you also have to enable the feature in the kernel config !!
(->Networking options -> ARP Spoofing Protection)
Otherwise the kernel will be built without it.
(Well, ok, I still ask myself if it was necessary to put that to the config section, but ..... )


linux >2.6.11:      is done (experimental !) - but has to be tested....

but for those who are curious:
linux-2.6.11x: arp_protect_v1-2.6.11_beta4.diff.gz
linux-2.6.12x: arp_protect_v1-2.6.12_beta4.diff.gz

If you would like to help testing, please give me some feedback. Thanks !

# old / deprecated / experimental / do-not-use:
# linux-2.6.7-rel: arp_protect_v1-2.6.7.diff.gz
# linux-2.6.8.x:    arp_protect_v1-2.6.8.x.diff.gz
# **** CURRENT KERNELS / > 2.6.9 or -mm series ***** 04-Dec-2004
# The patches above do not work for the current kernels, nor do they for the -mm series.
# Due to some recent internal code changes, the arp processing behaviour of these kernels
# changed in a way that broke "compatibility" with the arp_protect patches.
# As soon as I have some time left for closer investigation I will provide additional information
# or maybe release arp_protect_v2......

Quick HOWTO:

As with the version 2.4 patch, you will be provided a sysctl within /proc, but in the 2.6 version
it is called "arp_protect". Behaviour is downwards compatible:

0 - feature disabled (default)
>0 - feature enabled:
         if update to arp table is requested but "old" MAC still valid, do the following:
        1 - log & ignore update / spoofing attempt (recommended for most systems)
        2 - log & mark existing (cached) MAC as PERMANENT ("paranoid" setting)
        3 - log & disable MAC / IP communication ("very paranoid setting" - !! could cause DoS !!)
        4 - log & update arp table (like "feature disabled", but generate informational log message)
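The following is an added user-space model of the five arp_protect values listed above; it is not code from the patch. The entry states, the function name arp_update and the old_mac_valid flag are hypothetical, and the addresses are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Model only: not code from the patch. States and names are hypothetical. */
enum state { REACHABLE, PERMANENT, BLOCKED };

struct arp_entry {
    char ip[16];
    char mac[18];
    enum state state;
};

/* Apply an ARP update for e->ip claiming new_mac under the given
 * arp_protect value. old_mac_valid is supplied by the caller (assumption:
 * how the kernel decides the old MAC is "still valid" is not modelled).
 * Returns 1 if the entry holds new_mac afterwards, 0 if it was refused. */
int arp_update(struct arp_entry *e, const char *new_mac, int old_mac_valid, int mode)
{
    if (strcmp(e->mac, new_mac) == 0)
        return 1;                 /* no change requested */
    if (e->state != REACHABLE)
        return 0;                 /* PERMANENT/BLOCKED entries are not rewritten */
    if (mode > 0 && old_mac_valid) {
        fprintf(stderr, "model: %s is at %s but %s claims it (mode %d)\n",
                e->ip, e->mac, new_mac, mode);
        if (mode == 1) return 0;                              /* ignore */
        if (mode == 2) { e->state = PERMANENT; return 0; }    /* pin cached MAC */
        if (mode == 3) { e->state = BLOCKED; return 0; }      /* cut off this IP */
        /* mode 4 (and, in this model, anything higher): log, then update */
    }
    snprintf(e->mac, sizeof e->mac, "%s", new_mac);
    return 1;
}

int main(void)
{
    const char *names[] = { "REACHABLE", "PERMANENT", "BLOCKED" };
    for (int mode = 0; mode <= 4; mode++) {
        /* Constructed sample data: gateway entry and a conflicting claim. */
        struct arp_entry gw = { "192.0.2.1", "00:11:22:33:44:55", REACHABLE };
        int changed = arp_update(&gw, "de:ad:be:ef:00:01", 1, mode);
        printf("arp_protect=%d: updated=%d mac=%s state=%s\n",
               mode, changed, gw.mac, names[gw.state]);
    }
    return 0;
}
```

In the model, value 3 leaves the entry BLOCKED after a single conflicting claim, which is the DoS risk noted in the list; with values 0 and 4 the conflicting MAC replaces the cached one.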

Questions ? Comments ? Anything ?

Please feel free to contact me at: burbon04 at

- Maximilian

  29 August 2005