ARP Counterattack

From Association for Computing Machinery


This program aims to detect and remedy "ARP attacks." It monitors traffic on any number of Ethernet interfaces and examines ARP replies and gratuitous ARP requests. When an ARP reply or gratuitous ARP request conflicts with its notion of "correct" Ethernet/IP address pairs, it logs the attack if logging is enabled. If the Ethernet interface on which the attack was seen is configured as being in aggressive mode, it also sends out a gratuitous ARP request and a gratuitous ARP reply with the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables of hosts on the local network segment. The corrective gratuitous ARP request and corrective gratuitous ARP reply can be sent from an Ethernet interface other than the one on which the attack was seen. All configuration parameters reside in arpCounterattack.conf.
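The check described above, together with the reply/gratuitous-reply distinction noted under release 1.1.0, can be sketched as follows. This is an added example, not ARP Counterattack's own code: every identifier and the table of "correct" pairs are constructed for illustration, and it assumes the comparison is made on the ARP sender fields and that "multicast" refers to the group bit of the Ethernet header's destination address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; constructed "correct" pair: 192.0.2.1 is at 02:00:00:00:00:01. */
enum verdict { V_IGNORE, V_OK, V_ARP_REPLY_ATTACK, V_GRAT_REPLY_ATTACK, V_GRAT_REQUEST_ATTACK };
struct pair { uint8_t ip[4]; uint8_t mac[6]; };
static const struct pair known[] = { { {192, 0, 2, 1}, {2, 0, 0, 0, 0, 1} } };

/* Classify one raw Ethernet frame; only IPv4-over-Ethernet ARP is examined. */
enum verdict check_frame(const uint8_t *f, size_t len)
{
    static const uint8_t hdr[6] = {0, 1, 8, 0, 6, 4}; /* htype, ptype, hlen, plen */
    if (len < 42 || f[12] != 0x08 || f[13] != 0x06 || memcmp(f + 14, hdr, 6)) return V_IGNORE;
    const uint8_t *a = f + 14;                  /* ARP header follows Ethernet */
    unsigned op = ((unsigned)a[6] << 8) | a[7]; /* 1 = request, 2 = reply */
    const uint8_t *sha = a + 8, *spa = a + 14, *tpa = a + 24;
    int gratuitous = memcmp(spa, tpa, 4) == 0;  /* sender IP == target IP */
    if (op != 2 && !(op == 1 && gratuitous)) return V_IGNORE;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (memcmp(known[i].ip, spa, 4) != 0) continue;
        if (memcmp(known[i].mac, sha, 6) == 0) return V_OK;
        if (op == 1) return V_GRAT_REQUEST_ATTACK;
        /* Assumption: "multicast" means the I/G bit of the frame's destination. */
        return (f[0] & 1) ? V_GRAT_REPLY_ATTACK : V_ARP_REPLY_ATTACK;
    }
    return V_OK; /* sender IP is not in the table, so nothing conflicts */
}

/* Build a constructed 42-byte frame claiming 192.0.2.1 and classify it. */
enum verdict check_sample(int broadcast, unsigned op, uint8_t sha_last, uint8_t tpa_last)
{
    uint8_t f[42] = {0};
    const uint8_t arp[8] = {0, 1, 8, 0, 6, 4, 0, (uint8_t)op};
    if (broadcast) memset(f, 0xff, 6); else { f[0] = 2; f[5] = 9; }
    f[6] = 2; f[11] = sha_last; f[12] = 0x08; f[13] = 0x06; /* source, EtherType */
    memcpy(f + 14, arp, 8);
    f[22] = 2; f[27] = sha_last;                /* sender hardware address */
    memcpy(f + 28, known[0].ip, 4);             /* sender IP 192.0.2.1 */
    memcpy(f + 38, known[0].ip, 4); f[41] = tpa_last; /* target IP 192.0.2.x */
    return check_frame(f, sizeof f);
}

int main(void)
{
    printf("%d %d\n", check_sample(0, 2, 0x66, 9), check_sample(1, 2, 0x66, 1));
    return 0;
}
```

In a live monitor, `check_frame` would be called from the packet-capture callback for each interface, and a non-OK verdict on an aggressive-mode interface would trigger the corrective gratuitous request and reply.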

The code is C/C++ and aims to be compact, requiring libpcap and libdnet as the only third-party libraries. It has been tested with GCC 3.4, 4.1, and 4.2 and Clang/LLVM 2.8 on FreeBSD and GNU/Linux, and on 32- and 64-bit and little- and big-endian processors.

Download: ARP Counterattack 1.2.0

This program is now available in the FreeBSD ports tree as security/arpCounterattack.

Upcoming Features

  • Notification of ARP attacks by e-mail
  • Support for multiple Ethernet addresses per IP address

Release History

  • 1.2.0 (November 3rd, 2010)
    • New features:
      • As Microsoft Windows operating systems since Vista do not update the Ethernet address of an IP address in their ARP tables by way of gratuitous ARP requests, in addition to a corrective gratuitous ARP request, a corrective gratuitous ARP reply--which still works--is now also sent out in response to an ARP attack.
      • The IEEE OUI database included with this program has been updated to the November 3rd, 2010 release.
  • 1.1.0 (October 15th, 2010)
    • New features:
      • Logging support.
      • Background operation.
      • Support for monitoring multiple Ethernet interfaces via multithreading.
      • Support for a passive mode of operation, on a per-Ethernet-interface basis.
      • Support for sending corrective gratuitous ARP requests from an Ethernet interface other than the one an attack is seen on, on a per-Ethernet-interface basis.
      • If logging is enabled, the registered manufacturer of an attacker's Ethernet address is looked up in the IEEE OUI database and displayed next to the address.
      • If logging is enabled, there is now a distinction made between ARP reply attacks and gratuitous ARP reply attacks, based on whether the destination Ethernet address of the ARP packet is a multicast address.
      • As Linux will not update the Ethernet address of an IP address in its ARP table more than once per second by way of gratuitous ARP requests, a delayed corrective gratuitous ARP request is now sent out at least 1.5 seconds after an attack in order to correct Linux machines' ARP tables.
    • Bug fixes:
      • Comments in the configuration file can now contain double quotes.
      • The source Ethernet address of a corrective gratuitous ARP request is now set to the actual Ethernet address of the Ethernet interface it is being sent from. This allows the program to work with drivers or hardware that would not otherwise send the gratuitous ARP request out. It also avoids undesirable side effects with Ethernet switches' CAM tables. None of the operating systems whose ARP tables this program has been tested to correct (FreeBSD, GNU/Linux, and Windows) cares what the source Ethernet address of a gratuitous ARP request is.
  • 1.0.0 (May 4th, 2009)
    • Initial release.