In short, it is a kernel module countermeasure to ARP poisoning Man-in-the-Middle attacks. It is designed to defeat all ARP poisoning tools such as the popular Ettercap and Cain&Abel.

The arp* (pronounced ArpStar) is a module for 2.6 Linux kernels that detects AND defeats all ARP poisoning attacks. Currently, ARP poisoning attacks can be detected by a variety of software programs; none of which can defeat the attack. We intend to change that. arp* at its very core is simply a change in the way ARP packets are handled by the Linux kernel. The functionality that allows arp* to work is kernel Netfilter hooks. By intercepting ARP packets before the kernel can process them, arp* is able to protect the system against ARP poisoning attacks.

Currently, the Linux kernel allows improper ARP packets to change the ARP cache. Unsolicited ARP replies as well as ARP requests actually write changes to the cache. Our implementation keeps track of ARP requests and replies and only allows solicited ARP replies to change the cache. This, by itself, defeats most ARP poisoning attacks. More devious ARP poisoning attacks use ARP requests and colliding ARP replies to poison the cache. To combat these situations we also implement custom handling for ARP requests and routines for collisions. As many ARP poisoning utilities construct packets that are not quite sane, we implement sanity checks to filter out obviously bad ARP packets. Trusted IP/MAC combinations are also allowed using module parameters so users can inform the kernel of known systems.

ARP poisoning signature matching has also been implemented. arp* is aware of popular tools which carry out ARP poisoning attacks. Tools such as Ettercap and Cain&Abel perform their ARP poisoning with unique sequences of packets. arp* is knowledgeable of their preferred methods and identifies their attack patterns accordingly. However, the defeat of ARP poisoning attacks does not depend on recognizing the signature of the attacker. Signatures are simply a way of identifying how the attack is being carried out.

This project has been coded in C and is available as a module for the 2.6 Linux kernel series. The only libraries needed are the included in the Linux kernel. It has also been ported to the Linksys WRT54G