84471 2002-11-15  17:22  /30 lines/ Ilya Teterin <alien@npp-integris.ru>
Imported: 2002-11-15  17:22  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2395>
Subject: arp spoofing defence
------------------------------------------------------------
Here is a patch http://securitylab.ru/_tools/antidote2.diff.gz for
the Linux kernel (2.4.18 and .19 tested) to resist ARP spoofing.

If applied, it brings a new sysctl parameter:

net.ipv4.neigh.<interface name>.arp_antidote

that defines kernel behaviour when changes in correspondence between
MAC and IP are detected.

Parameter value 0 corresponds to standard behaviour: the ARP cache will
be silently updated.

Value=1..3 correspond to "verification" behaviour. The kernel will send
an ARP request to test if there is a host at the "old" MAC address. If
such a response is received, it lets us know that one IP pretends to
have several MAC addresses at one moment, which is probably caused by
an ARP spoofing attack.

Value=1 - just report the attack and ignore the spoofing attempt.
Value=2 - the ARP cache record will be marked as "static" to prevent
attacks in future.
Value=3 - the ARP cache record will be marked as "banned"; no data will
be delivered to the attacked IP anymore, until the system administrator
unbans the ARP record by updating it manually.

---
buggzy
(84471) /Ilya Teterin <alien@npp-integris.ru>/(Rewrapped)
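
The decision table described in the post above, written out as a small user-space C model. This is an added example, not code from the post or from the patch: the type and function names are hypothetical, and the behaviour when the old MAC does not answer, or when a record is already static or banned, is an assumption.

```c
#include <stdio.h>
#include <string.h>
enum entry_state { ENTRY_DYNAMIC, ENTRY_STATIC, ENTRY_BANNED };

struct arp_entry {
    unsigned char mac[6];
    enum entry_state state;
    int alerts;                 /* spoofing attempts reported so far */
};

/*
 * Model of the arp_antidote policy: handle an ARP claim that the
 * entry's IP now lives at new_mac.
 *   mode          - arp_antidote value, 0..3
 *   old_mac_alive - 1 if the verification request to the old MAC was answered
 * Returns 1 if the cache ends up holding new_mac, 0 if the claim was refused.
 */
int antidote_update(struct arp_entry *e, const unsigned char *new_mac,
                    int mode, int old_mac_alive)
{
    if (memcmp(e->mac, new_mac, 6) == 0)
        return 1;   /* mapping unchanged, nothing to verify */
    if (e->state != ENTRY_DYNAMIC)
        return 0;   /* assumption: static and banned records ignore ARP */
    if (mode == 0 || !old_mac_alive) {
        /* mode 0: silent update; assumption: no answer from old MAC => accept */
        memcpy(e->mac, new_mac, 6);
        return 1;
    }
    e->alerts++;                             /* modes 1..3: report, keep old MAC */
    if (mode == 2) e->state = ENTRY_STATIC;  /* pin the record */
    if (mode == 3) e->state = ENTRY_BANNED;  /* stop traffic to this IP */
    return 0;
}

/* Traffic to the IP is delivered unless the record is banned. */
int antidote_can_deliver(const struct arp_entry *e)
{
    return e->state != ENTRY_BANNED;
}

int main(void)
{
    struct arp_entry gw = { {0x00,0x11,0x22,0x33,0x44,0x55}, ENTRY_DYNAMIC, 0 };
    const unsigned char claimed[6] = {0x02,0xaa,0xbb,0xcc,0xdd,0xee}; /* constructed */
    int took = antidote_update(&gw, claimed, 2, 1);
    printf("updated=%d state=%d alerts=%d\n", took, gw.state, gw.alerts);
    return 0;
}
```

In the model, value 3 lets anyone who can trigger a conflicting claim while the old MAC still answers cut off traffic to that IP until the record is updated manually.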