Manipulate the Linux ARP Cache in C

Hello,

I need help on how to "access" or manipulate the Linux ARP cache in C. Here is a description of the project I'm working on:

There are a lot of tools that analyze ARP frames and send an e-mail to the sysadmin; that's easy. What I want to do is to inspect every ARP frame that arrives at my network interface and, if it "passes the tests", then, and ONLY THEN, apply the changes to the ARP cache.

I'm able to analyze every field of the ARP frame that I capture, but not to prevent the malicious frame from taking effect on the cache, because I can't stop the kernel.

So, how can I do that? How could I check the frame and, if it's a valid one, THEN apply it to the cache, just before the kernel does it?

Any help will be appreciated,
Thank you!

I had to use strace on the arp utility to see what it was doing. It opens /proc/net/arp to see the current state, and uses ioctl calls to add or delete items. See here for details; I did the testing on Linux, but HP seems to at least document those ioctls. May differ slightly across systems.

As for filtering arp packets, arptables sounds like the way to go.

Hey Corona688!
Thank you for your reply.

Yes, I want to implement something like arptables, but I also need to filter Ethernet frame fields, so I can't use arptables.

I was thinking that it would be necessary to code a kernel module, but, from what I see, arptables does it and it's a user-space application, so what I need is the way to do it. I'll try the arptables source code.

Thank you.


Ohhh no,
here's what I thought...

    /* fragment quoted from the arptables source: loads the arp_tables module
       before initialising the table handle */
    if (!*handle) {
        arptables_insmod("arp_tables", modprobe);
        *handle = arptc_init(*table);
        if (!*handle) {

arptables uses a kernel module to block the ARP table and allow data into it... Does anybody have a better way to do this?

To prevent the kernel from doing kernel level things, you must modify the kernel. That's the only place where you can get the kind of raw, exclusive I/O you want.

Really, though, what is the goal here? Maybe there's a better way than hacking nonstandard behavior into your entire networking stack.

Or if you really want 100% raw access, just disable TCP/IP support in your kernel. No more TCP, no more ARP, no more kernel automatically managing either. You'd have to do it all yourself.

What I need is simply to avoid the kernel's action on the cache when receiving an ARP frame; I don't think I must disable the entire TCP/IP stack for that.

I've been reading the arptables code, but there's nothing that could give me a clue... only that I need to code an LKM to access kernel space and kind of "intercept" the frames before the kernel does, but not HOW.

The question always is how...

ARP sits very near the base of that stack. Without it, not much else will work.

To reiterate, what is your goal? The answer is not "intercepting arp". The answer is whatever the ultimate purpose of this venture is. I suspect there might be a much, much better way to accomplish what you're thinking of since intercepting ARP is such an odd problem, but without knowing your goal it's hard to help.

Certainly you'll be causing a lot more problems for yourself than you'd ever solve by trying to hack your own backdoors into the kernel networking code. Bugs in kernel code have far more dire consequences than bugs in user code, for one thing. There are few to none of the niceties programmers have grown to expect over the last few decades either. For another, you'll have to reinvent your code every time a kernel upgrade breaks compatibility -- that could be up to several times a year -- and installing your software on any other computer would be tantamount to reinstalling the OS with your own custom one. You'd be compatible with nothing else in the world but your own custom computing environment, not even other computers of the same distribution. And not all distributions take kindly to having their kernels arbitrarily replaced.

IMO - you need to state what you are hoping to do - not merely "intercepting" - WHY are you intercepting - what are you trying to stop? You are where you are probably because you are unaware that other people had the same problem years ago. And there are solid solutions out there.

Hey jim,
That's the thing, there are NO solutions out there; applications like arpguard, arpwatch and the others just send an e-mail to the administrator telling him "hey, your network is down because of an ARP attack". I don't consider this a solution.

arptables, yes, may be a possible solution to what I'm looking for, but it doesn't analyze the Ethernet data, so it does not work for me.

I just want to know how to check the arriving ARP frames and, if my program's conditions consider one valid, THEN apply the ARP message to the cache. I'm able to do all of that, except for the cache part.

So, do I have to code a Linux kernel module? How do I do it? I'm just asking for the way to do it, not for the solution itself.

Thank you for finally telling me what you actually wish to solve -- or at least 2 words of it -- instead of the railroaded solution you demand for it. We know you're more interested in doing it your way, you don't have to keep telling us that, but when a "solution" gets to the point of modifying the kernel's source code by hand, that's usually considered a wakeup call! I don't know how to do it, and not for lack of trying. Kernel programming is its own specialty entirely.

arpon might be worth consideration. It claims to actually fight the problem of ARP spoofing, not just report it.

Hey Corona688, thank you for your reply, and please excuse me for repeatedly saying the same things and for my English; it's not my mother language and I feel the need to know that I'm being understood.

Yes, I knew about ArpON, and it's a good point to start from.

I'm doing research on the ARP protocol and writing a book about it. I've analyzed the weaknesses of the protocol and I know I'm able to make this protocol secure (even more than ArpON does). I know how to program some things, but I cannot know it all, so I've been reading and asking about how to do this.

Applications like arptables or ArpON itself work at user-space level, so it's quite obvious that I don't need to get into the kernel to do what I want. I know I could read the code and apply the methods they use in my program, but there are some parts of the code that I sincerely do not understand.

So, I am going to read the entire code of ArpON and arptables and try to work out how to do it, I guess. If I succeed, I'll post the solution here, but I'll still be waiting for any help.

Once more, thank you.

Assuming that you are using a Linux kernel, most of the ARP code is in ../net/ip4/arp.c.

The three ioctls that you will need if you are going to manipulate arp entries from userspace are

SIOCDARP
SIOCSARP
SIOCGARP

Note that your application will need the CAP_NET_ADMIN capability.

You do know that ARP is being phased out in favor of NDP? IPv6 uses NDP.

Hello fpmurphy, thanks for the reply.

Yes, I am aware of IPv6 and the Neighbor Discovery Protocol, but I'm totally sure that IPv4 will be with us for a long time, at least on corporate LANs, because of its simplicity and short address size.

About CAP_NET_ADMIN: yes, the user must be root to run the application I'm designing. I don't think this will be a problem, because if you want to secure the host I think you would be the sysadmin.

I didn't think about these ioctl commands; it's a big step ahead. I'm reading the sources right now.

Thank you very very much!

I'm able to analyze every field of the ARP frame that I capture, but not to prevent the malicious frame from taking effect on the cache, because I can't stop the kernel.

So, how can I do that? How could I check the frame and, if it's a valid one, THEN apply it to the cache, just before the kernel does it?

I have no room to speak here, and will most likely get bashed to death.

However, what the goal here seems to be is: intercept packets before they get to the cache and qualify them as malicious or non-malicious.

So wouldn't a good firewall do this??

ARP operates at a lower level than most firewalls.

I see - thanks -

I'm a student of network security, and joined the Unix Group on LinkedIn in order to learn more about the world of Unix/Linux, as it seems a lot of work is done on those operating systems.

Thanks for your patience.

Hello everybody,

Finally, I came up with how to do it. It's not the way I thought it was going to be, but it works.

The solution is in SIOCxARP. My program's algorithm listens for ARP traffic and, when it receives a valid frame, uses SIOCSARP to add an entry to the ARP cache. The kernel does it before, but just in case, this will overwrite it.

When it detects a malicious frame, it uses SIOCDARP to delete the entry previously created by the kernel in the cache, so the ARP attack has no impact on the secured host.

Thank you VERY MUCH for your help, fpmurphy, Corona688.
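Putting the thread's answer into code: the example below is added here and is not code from Semash, fpmurphy or any other poster. It does what the final post describes, using the ioctls fpmurphy listed: check a captured Ethernet+ARP frame (including the Ethernet-source-versus-ARP-sender comparison the poster wanted and arptables does not do), then build the struct arpreq that SIOCSARP and SIOCDARP take. The sample frame is constructed, not a real capture; "eth0" is an assumed device name; the two ioctl wrappers need CAP_NET_ADMIN and a real interface, while the check and request-building functions run unprivileged on any Linux box.

```c
/* Added example, not code from anyone in the thread. Linux-only. The two ioctl
 * wrappers need CAP_NET_ADMIN and a real device; the rest runs unprivileged. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <net/if_arp.h>
#include <sys/ioctl.h>
#include <sys/socket.h>

struct arp_info { uint16_t op; unsigned char sha[6]; uint32_t spa; };

/* 0 = well-formed IPv4-over-Ethernet ARP; -1 = malformed, or the Ethernet
 * source MAC disagrees with the ARP sender MAC (the frame-level check the
 * poster wanted, which arptables alone does not give). */
int arp_frame_check(const unsigned char *f, size_t len, struct arp_info *out)
{
    if (len < 42 || (f[12] << 8 | f[13]) != 0x0806) return -1;  /* EtherType */
    const unsigned char *a = f + 14;                /* ARP body after Ethernet */
    if ((a[0] << 8 | a[1]) != ARPHRD_ETHER || (a[2] << 8 | a[3]) != 0x0800)
        return -1;                                  /* htype / ptype */
    if (a[4] != 6 || a[5] != 4 || memcmp(f + 6, a + 8, 6) != 0) return -1;
    out->op = (uint16_t)(a[6] << 8 | a[7]);
    memcpy(out->sha, a + 8, 6);
    memcpy(&out->spa, a + 14, 4);                   /* kept in network order */
    return 0;
}

/* Request shared by SIOCSARP and SIOCDARP; ATF_COM marks the entry complete. */
int build_arpreq(const char *ip, const unsigned char mac[6], const char *dev,
                 struct arpreq *r)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)&r->arp_pa;
    memset(r, 0, sizeof *r);
    sin->sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin->sin_addr) != 1) return -1;
    r->arp_ha.sa_family = ARPHRD_ETHER;
    memcpy(r->arp_ha.sa_data, mac, 6);
    r->arp_flags = ATF_COM;
    strncpy(r->arp_dev, dev, sizeof r->arp_dev - 1);
    return 0;
}

/* Privileged (CAP_NET_ADMIN). sock is any AF_INET socket; -1/errno on failure. */
int arp_cache_set(int sock, struct arpreq *r) { return ioctl(sock, SIOCSARP, r); }
int arp_cache_del(int sock, struct arpreq *r) { return ioctl(sock, SIOCDARP, r); }

/* Constructed sample (not a real capture): reply "10.0.0.1 is-at
 * 02:00:00:00:00:01" addressed to 10.0.0.2 / 02:00:00:00:00:02. */
static const unsigned char sample_reply[42] = {
    2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x06,             /* dst, src, EtherType */
    0,1, 0x08,0, 6,4, 0,2,                            /* htype ptype hlen plen op */
    2,0,0,0,0,1, 10,0,0,1, 2,0,0,0,0,2, 10,0,0,2      /* sha spa tha tpa */
};

int sample_reply_accepted(void)
{
    struct arp_info i;
    return arp_frame_check(sample_reply, sizeof sample_reply, &i) == 0
        && i.op == ARPOP_REPLY && i.spa == htonl(0x0a000001);
}
int sample_mismatch_rejected(void)  /* Ethernet src no longer equals sha */
{
    unsigned char f[sizeof sample_reply]; struct arp_info i;
    memcpy(f, sample_reply, sizeof f);
    f[6] ^= 0x80;
    return arp_frame_check(f, sizeof f, &i) == -1;
}
int sample_arpreq_ok(void)
{
    struct arpreq r; const unsigned char mac[6] = {2,0,0,0,0,1};
    if (build_arpreq("not an ip", mac, "eth0", &r) != -1) return 0;
    if (build_arpreq("10.0.0.1", mac, "eth0", &r) != 0) return 0;
    return r.arp_flags == ATF_COM && r.arp_ha.sa_data[5] == 1 && !strcmp(r.arp_dev, "eth0");
}

/* Stand-alone run of the decision: valid frame -> SIOCSARP; a frame failing
 * the check would go to arp_cache_del() to evict what the kernel learned. */
int main(void)
{
    struct arp_info i; struct arpreq r; char ip[INET_ADDRSTRLEN];
    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0 || arp_frame_check(sample_reply, sizeof sample_reply, &i) != 0) return 1;
    inet_ntop(AF_INET, &i.spa, ip, sizeof ip);
    build_arpreq(ip, i.sha, "eth0", &r);            /* "eth0": assumed device */
    if (arp_cache_set(sock, &r) != 0) perror("SIOCSARP (needs CAP_NET_ADMIN)");
    else puts("ARP entry pinned");
    close(sock);
    return 0;
}
```

Two points a practitioner should keep in mind with this approach, both following from what the thread says: the ioctl runs after the kernel has already processed the frame, so there is a short window in which the kernel-learned entry is live before SIOCSARP overwrites it or SIOCDARP evicts it; and an entry set with ATF_COM alone is still subject to normal cache ageing, so a program that wants the pinned mapping to survive must re-apply it (or use the ATF_PERM flag, which is a choice beyond what the poster described).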

Sounds like a fairly portable solution actually.

Semash, glad I was able to help.