Programming

Hey jim,
That's the thing, there are NO solutions out there, applications like arpguard, arpwatch and the others just sends an e-mail to the administrator telling him "hey, your network is down because of an ARP attack", i don't consider this a solution.

arptables, yes, it may be a possible solution to what i'm looking for, but it doesn't analize the ethernet data, so, does not work for me.

I just want to know how to check the arriving ARP frames, and if my program conditions consider it as a valid one, THEN apply the ARP Message to the cache. I'm able to do all of that, except for the cache thing.

So, do i have to code a linux kernel module? how do i do it? i'm just asking for the way to do it, not for the solution itself.

Thank you for finally telling me what you actually wish to solve -- or at least 2 words of it -- instead of the railroaded solution you demand for it. We know you're more interested in doing it your way, you don't have to keep telling us that, but when a "solution" gets to the point of modifying the kernel's source code by hand, that's usually considered a wakeup call! I don't know how to do it, and not for lack of trying. Kernel programming is its own specialty entirely.

arpon might be worth consideration. It claims to actually fight the problem of ARP spoofing, not just report it.

Hey Corona688, Thank you for your reply and please excuse me for repeatedly saying the same things and for my english, it's not my mother language and i feel the need to know that i'm being understood.

Yes, i knew about ArpON, and it's a good point to start with.

I'm doing a research on ARP Protocol and writing a book about it. I've analyzed what are weaknesses of the protocol and i know i'm able to make this protocol secure (even more than ArpON does). I know how to program some things, but i cannot know it all, so i've been reading and asking about how to do this.

Applications like arptables or ArpON itself work in user-space level, so it's quite obvious that i don't need to get with the kernel to do what i want. I know i could read the code and apply the methods used by them in my program, but there are some parts of the code that i sincerely do not understand.

So, i am going to read the entire code of ArpON and arptables and try to get how to do it, i guess. if i succeed, i'll post here the solution, but still i'll be waiting for any help.

Once more, Thank you.

Assuming that you are using a Linux kernel, most of the ARP code is in ../net/ip4/arp.c.

The three ioctls that you will need if you are going to manipulate arp entries from userspace are

Code:

SIOCDARP
SIOCSARP
SIOCGARP

Note your application will need CAP_NET_ADMIN capability.

You do know that ARP is being phased out in favor of NDP? IPv6 uses NDP.

Hello fpmurphy, Thanks for reply.

Yes, i am aware of IPv6 and the Neightbor Discovery Protocol, but i'm totally sure that IPv4 will be with us for a long time, at least implemented on corporative LANs because of its simplicity and short address size.

About CAP_NET_ADMIN, yes, the user must be root to run the application i'm designing, i think this won't be a problem, because if you want to secure the host i think you would be the sysadmin.

Didn't think about this IOCTL commands, it's a big step ahead, i'm reading the sources right now.

Thank you very very much!

I'm able to analize every field of the ARP frame that i capture, but not to avoid the malicious frame to take effect over the cache because i can't stop the kernel.

So, how can i do that? how could i check the frame and if it's a valid one THEN apply it to the cache, just before the kernel does it?

I have no room to speak here, and will most likely get bashed to death.

However, what the goal here seems to be is: Intercept packets before they get to the cache, qualify them as malicous or non-malicious.

So wouldn't a good firewall do this??

ARP operates at a lower level than most firewalls.