arpCounterattack is a program for detecting and remedying "ARP attacks." It
monitors traffic on any number of Ethernet interfaces and examines ARP replies
and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP
request that is in conflict with its notion of "correct" Ethernet/IP address
pairs, it logs the attack if logging is enabled, and, if the Ethernet
interface that the attack was seen on is configured as being in aggressive
mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with
the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables
of hosts on the local network segment. The corrective gratuitous ARP request
and corrective gratuitous ARP reply can be sent from an Ethernet interface
other than the one that the attack was seen on.

WWW: http://acm.poly.edu/wiki/ARP_Counterattack

PR:		ports/151973
Submitted by:	Boris Kochergin <spawk@acm.poly.edu>
Steven Kreuzer 2011-04-27 17:42:00 +00:00
parent f00ea8834b
commit c1c42fcce0
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=273263
7 changed files with 111 additions and 0 deletions
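
The detection rule the commit message describes (examine ARP replies and gratuitous ARP requests, compare the sender pair against a table of "correct" pairs), as an added Python example; it is not arpCounterattack's own code. The `TRUSTED` table, the function names and the sample frames are constructed assumptions, and nothing is read from or sent to a network.

```python
import struct
from ipaddress import IPv4Address

# Constructed table of "correct" IP -> Ethernet pairs (assumption: the real
# program takes these from its own configuration, which the page does not show).
TRUSTED = {"192.0.2.1": "00:11:22:33:44:55"}

ETH_HDR = struct.Struct("!6s6sH")            # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen op sha spa tha tpa

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame, trusted=TRUSTED):
    """Return (verdict, detail) for one raw Ethernet frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return ("ignored", "truncated frame")
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return ("ignored", "not ARP")
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ("ignored", "not Ethernet/IPv4 ARP")
    # Only replies (op 2) and gratuitous requests (op 1, sender IP == target IP)
    # are examined, matching the description above.
    if not (op == 2 or (op == 1 and spa == tpa)):
        return ("ignored", "ordinary ARP request")
    ip, claimed = str(IPv4Address(spa)), _mac(sha)
    expected = trusted.get(ip)
    if expected is None:
        return ("unknown", f"no trusted entry for {ip}")
    if claimed != expected.lower():
        return ("conflict", f"{ip} claimed by {claimed}, expected {expected}")
    return ("ok", ip)

def build_frame(op, sha, spa, tpa):
    """Build a constructed sample frame for the demo; nothing is sent on a wire."""
    mac = bytes.fromhex(sha.replace(":", ""))
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac, IPv4Address(spa).packed,
                       bytes(6), IPv4Address(tpa).packed)
    return ETH_HDR.pack(b"\xff" * 6, mac, 0x0806) + arp

if __name__ == "__main__":
    for args in [(2, "00:11:22:33:44:55", "192.0.2.1", "192.0.2.50"),
                 (2, "de:ad:be:ef:00:01", "192.0.2.1", "192.0.2.50"),
                 (1, "de:ad:be:ef:00:01", "192.0.2.1", "192.0.2.1"),
                 (1, "de:ad:be:ef:00:01", "192.0.2.1", "192.0.2.50")]:
        print(classify(build_frame(*args)))
```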

@ -24,6 +24,7 @@
SUBDIR += apache-xml-security-c
SUBDIR += apg
SUBDIR += arirang
SUBDIR += arpCounterattack
SUBDIR += authforce
SUBDIR += autossh
SUBDIR += avcheck

@ -0,0 +1,32 @@
# New ports collection makefile for: arpCounterattack
# Date created: 05 November 2010
# Whom: Boris Kochergin <spawk@acm.poly.edu>
# $FreeBSD$
#
PORTNAME= arpCounterattack
PORTVERSION= 1.2.0
CATEGORIES= security
MASTER_SITES= http://isis.poly.edu/~bk/${PORTNAME}/ \
http://bk.macroblock.net/${PORTNAME}/
EXTRACT_SUFX= .tbz
MAINTAINER= spawk@acm.poly.edu
COMMENT= Detects and remedies ARP attacks
LIB_DEPENDS= dnet.1:${PORTSDIR}/net/libdnet
SUB_FILES= pkg-message
USE_RC_SUBR= ${PORTNAME}
.include <bsd.port.pre.mk>
post-install:
@if [ ! -f ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ]; then \
${CP} -p ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf.sample \
${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ; \
fi
@${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>
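
Review bot: the `.include <bsd.port.pre.mk>` / `.include <bsd.port.post.mk>` pair at the end of this Makefile is not needed, because nothing between the two includes tests a variable that bsd.port.pre.mk defines; the only content there is the post-install target. A single `.include <bsd.port.mk>` after post-install is the simpler form. Separately, both MASTER_SITES entries are plain http, so the SHA256 line in distinfo is the only integrity check on the fetched distfile.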

@ -0,0 +1,2 @@
SHA256 (arpCounterattack-1.2.0.tbz) = 28cb61cb799871bbb10057fddbd7a445f10b27725eca088f370eeff157f88f3d
SIZE (arpCounterattack-1.2.0.tbz) = 507939

@ -0,0 +1,44 @@
#!/bin/sh
# $FreeBSD
# PROVIDE: arpcounterattack
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown
# Define these arpcounterattack_* variables in one of these files:
# /etc/rc.conf
# /etc/rc.conf.local
# /etc/rc.conf.d/arpcounterattack
#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
#
arpcounterattack_enable="${arpcounterattack_enable-NO}"
arpcounterattack_pidfile="/var/run/arpCounterattack.pid"
. /etc/rc.subr
name="arpcounterattack"
rcvar=`set_rcvar`
command="%%PREFIX%%/sbin/arpCounterattack"
load_rc_config $name
: ${arpcounterattack_config="%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf"}
: ${arpcounterattack_flags="-c ${arpcounterattack_config}"}
pidfile="${arpcounterattack_pidfile}"
required_files="${arpcounterattack_config}"
case "${arpcounterattack_flags}" in
*-p\ *)
echo "ERROR: \$arpcounterattack_flags includes -p option." \
"Please use \$arpcounterattack_pidfile instead."
exit 1
;;
*)
arpcounterattack_flags="-p ${pidfile} ${arpcounterattack_flags}"
;;
esac
run_rc_command "$1"
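
Review bot: the `# $FreeBSD` tag on the second line of the script is missing its closing `$` (the port Makefile has `# $FreeBSD$`) and should read `# $FreeBSD$`. Also, the `*-p\ *` pattern in the case statement only matches `-p` followed by a space, so a `-p` that is the last word of $arpcounterattack_flags, or one joined to its argument, is not rejected and the script then prepends a second `-p ${pidfile}`. Widening the pattern to `*-p*` would also match a config path that contains `-p`, so checking the flags word by word is the safer fix.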

@ -0,0 +1,11 @@
Before starting arpCounterattack, you should edit its configuration file,
%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf. Then, add the following
line to /etc/rc.conf:
arpcounterattack_enable="YES"
Finally, to start it, run the following command:
%%PREFIX%%/etc/rc.d/arpCounterattack start

@ -0,0 +1,15 @@
arpCounterattack is a program for detecting and remedying "ARP attacks." It
monitors traffic on any number of Ethernet interfaces and examines ARP replies
and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP
request that is in conflict with its notion of "correct" Ethernet/IP address
pairs, it logs the attack if logging is enabled, and, if the Ethernet
interface that the attack was seen on is is configured as being in aggressive
mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with
the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables
of hosts on the local network segment. The corrective gratuitous ARP request
and corrective gratuitous ARP reply can be sent from an Ethernet interface
other than the one that the attack was seen on.
WWW: http://acm.poly.edu/wiki/ARP_Counterattack
-Boris Kochergin <spawk@acm.poly.edu>
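
Review bot: the line "interface that the attack was seen on is is configured as being in aggressive" has a doubled "is"; drop one so the package description reads "seen on is configured".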

@ -0,0 +1,6 @@
sbin/arpCounterattack
@unexec if cmp -s %D/etc/arpCounterattack/arpCounterattack.conf.sample %D/etc/arpCounterattack/arpCounterattack.conf; then rm -f %D/etc/arpCounterattack/arpCounterattack.conf; fi
etc/arpCounterattack/arpCounterattack.conf.sample
@exec if [ ! -f %D/etc/arpCounterattack/arpCounterattack.conf ] ; then cp -p %D/%F %B/arpCounterattack.conf; fi
etc/arpCounterattack/oui.txt
@dirrmtry etc/arpCounterattack