arp poisoning immunity

From: Ilya Teterin (
Date: Sun Dec 15 2002 - 18:11:26 EST


here is a patch (URL: for
linux kernel (2.4.18 and .19 tested) to resisting ARP spoofing (improves LAN
security). Comments are welcome.

If applied, it brings a new sysctl parameter:

net.ipv4.neigh.<interface name>.arp_antidote

that defines kernel behaviour when changes in correspondence between MAC
and IP are detected.

Parameter value 0 corresponds standart behaviour, ARP cache will be
silently updated.

Value=1..3 corresponds "verification" behaviour. Kernel will send ARP
request to test if there is a host at "old" MAC address. If such
response received it lets us know than one IP pretends to have
several MAC addresses at one moment, that probably caused by ARP spoof

Value=1 - just report attack and ignore spoofing attempt.
Value=2 - ARP cache record will be marked as "static" to prevent attacks
in future.
Value=3 - ARP cache record will be marked as "banned", no data will be
delivered to attacked IP anymore, untill system administrator unban
ARP record updating it manually.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun Dec 15 2002 - 22:00:33 EST