Here is a patch http://securitylab.ru/_tools/antidote2.diff.gz for linux kernel (2.4.18 and .19 tested) to resisting ARP spoofing. If applied, it brings a new sysctl parameter: net.ipv4.neigh.<interface name>.arp_antidote that defines kernel behaviour when changes in correspondence between MAC and IP are detected. Parameter value 0 corresponds standart behaviour, ARP cache will be silently updated. Value=1..3 corresponds "verification" behaviour. Kernel will send ARP request to test if there is a host at "old" MAC address. If such response received it lets us know than one IP pretends to have several MAC addresses at one moment, that probably caused by ARP spoof attack. Value=1 - just report attack and ignore spoofing attempt. Value=2 - ARP cache record will be marked as "static" to prevent attacks in future. Value=3 - ARP cache record will be marked as "banned", no data will be delivered to attacked IP anymore, untill system administrator unban ARP record updating it manually. --- buggzy
