Message-Id: <201011052230.oA5MUPew081628@www.freebsd.org>
Date: Fri, 5 Nov 2010 22:30:25 GMT
From: Boris Kochergin
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/151973: New port: security/arpCounterattack -- Detects and remedies ARP attacks

>Number:         151973
>Category:       ports
>Synopsis:       New port: security/arpCounterattack -- Detects and remedies ARP attacks
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 05 22:40:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Boris Kochergin
>Release:        9.0-CURRENT
>Organization:
Polytechnic Institute of NYU
>Environment:
FreeBSD t42 9.0-CURRENT FreeBSD 9.0-CURRENT #26: Mon Nov 1 11:31:43 EDT 2010 root@t42:/usr/obj/usr/src/sys/GENERIC i386
>Description:
arpCounterattack is a program for detecting and remedying "ARP attacks." It monitors traffic on any number of Ethernet interfaces and examines ARP replies and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP request that is in conflict with its notion of "correct" Ethernet/IP address pairs, it logs the attack if logging is enabled, and, if the Ethernet interface that the attack was seen on is configured as being in aggressive mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables of hosts on the local network segment. The corrective gratuitous ARP request and corrective gratuitous ARP reply can be sent from an Ethernet interface other than the one that the attack was seen on.

WWW: http://acm.poly.edu/wiki/ARP_Counterattack
>How-To-Repeat:

>Fix:

Patch attached with submission follows:

#!/bin/sh
# This is a shell archive
echo x arpCounterattack
mkdir -p arpCounterattack > /dev/null 2>&1
echo x arpCounterattack/files
mkdir -p arpCounterattack/files > /dev/null 2>&1
echo x arpCounterattack/Makefile
sed 's/^X//' > arpCounterattack/Makefile << 'SHAR_END'
X# New ports collection makefile for:	arpCounterattack
X# Date created:				05 November 2010
X# Whom:					Boris Kochergin
X# $FreeBSD$
X#
X
XPORTNAME=	arpCounterattack
XPORTVERSION=	1.2.0
XCATEGORIES=	security
XMASTER_SITES=	http://isis.poly.edu/~bk/${PORTNAME}/ \
X		http://bk.macroblock.net/${PORTNAME}/
XEXTRACT_SUFX=	.tbz
X
XMAINTAINER=	spawk@acm.poly.edu
XCOMMENT=	Detects and remedies ARP attacks
X
XLIB_DEPENDS=	dnet.1:${PORTSDIR}/net/libdnet
X
XSUB_FILES=	pkg-message
X
XUSE_RC_SUBR=	${PORTNAME}
X
X.include <bsd.port.pre.mk>
X
X.if ${OSVERSION} < 700000
XBROKEN=		does not compile on 6.x (no ether_aton_r())
X.endif
X
Xpost-install:
X	@if [ ! -f ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ]; then \
X		${CP} -p ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf.sample \
X			${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ; \
X	fi
X	@${CAT} ${PKGMESSAGE}
X
X.include <bsd.port.post.mk>
SHAR_END
echo x arpCounterattack/distinfo
sed 's/^X//' > arpCounterattack/distinfo << 'SHAR_END'
XMD5 (arpCounterattack-1.2.0.tbz) = e003370c9d90c3c7b24542897b6036db
XSHA256 (arpCounterattack-1.2.0.tbz) = 28cb61cb799871bbb10057fddbd7a445f10b27725eca088f370eeff157f88f3d
XSIZE (arpCounterattack-1.2.0.tbz) = 507939
SHAR_END
echo x arpCounterattack/pkg-descr
sed 's/^X//' > arpCounterattack/pkg-descr << 'SHAR_END'
XarpCounterattack is a program for detecting and remedying "ARP attacks." It
Xmonitors traffic on any number of Ethernet interfaces and examines ARP replies
Xand gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP
Xrequest that is in conflict with its notion of "correct" Ethernet/IP address
Xpairs, it logs the attack if logging is enabled, and, if the Ethernet
Xinterface that the attack was seen on is configured as being in aggressive
Xmode, it sends out a gratuitous ARP request and a gratuitous ARP reply with
Xthe "correct" Ethernet/IP address pair in an attempt to reset the ARP tables
Xof hosts on the local network segment. The corrective gratuitous ARP request
Xand corrective gratuitous ARP reply can be sent from an Ethernet interface
Xother than the one that the attack was seen on.
X
XWWW: http://acm.poly.edu/wiki/ARP_Counterattack
X
X-Boris Kochergin
SHAR_END
echo x arpCounterattack/pkg-plist
sed 's/^X//' > arpCounterattack/pkg-plist << 'SHAR_END'
Xsbin/arpCounterattack
X@unexec if cmp -s %D/etc/arpCounterattack/arpCounterattack.conf.sample %D/etc/arpCounterattack/arpCounterattack.conf; then rm -f %D/etc/arpCounterattack/arpCounterattack.conf; fi
Xetc/arpCounterattack/arpCounterattack.conf.sample
X@exec if [ ! -f %D/etc/arpCounterattack/arpCounterattack.conf ] ; then cp -p %D/%F %B/arpCounterattack.conf; fi
Xetc/arpCounterattack/oui.txt
X@dirrmtry etc/arpCounterattack
SHAR_END
echo x arpCounterattack/files/pkg-message.in
sed 's/^X//' > arpCounterattack/files/pkg-message.in << 'SHAR_END'
X
XBefore starting arpCounterattack, you should edit its configuration file,
X%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf. Then, add the following
Xline to /etc/rc.conf:
X
Xarpcounterattack_enable="YES"
X
XFinally, to start it, run the following command:
X
X%%PREFIX%%/etc/rc.d/arpCounterattack start
X
SHAR_END
echo x arpCounterattack/files/arpCounterattack.in
sed 's/^X//' > arpCounterattack/files/arpCounterattack.in << 'SHAR_END'
X#!/bin/sh
X# $FreeBSD
X
X# PROVIDE: arpcounterattack
X# REQUIRE: DAEMON
X# BEFORE: LOGIN
X# KEYWORD: shutdown
X
X# Define these arpcounterattack_* variables in one of these files:
X#	/etc/rc.conf
X#	/etc/rc.conf.local
X#	/etc/rc.conf.d/arpcounterattack
X#
X# DO NOT CHANGE THESE DEFAULT VALUES HERE
X#
Xarpcounterattack_enable="${arpcounterattack_enable-NO}"
Xarpcounterattack_pidfile="/var/run/arpCounterattack.pid"
X
X. /etc/rc.subr
X
Xname="arpcounterattack"
Xrcvar=`set_rcvar`
Xcommand="%%PREFIX%%/sbin/arpCounterattack"
X
Xload_rc_config $name
X
X: ${arpcounterattack_config="%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf"}
X: ${arpcounterattack_flags="-c ${arpcounterattack_config}"}
X
Xpidfile="${arpcounterattack_pidfile}"
Xrequired_files="${arpcounterattack_config}"
X
Xcase "${arpcounterattack_flags}" in
X*-p\ *)
X	echo "ERROR: \$arpcounterattack_flags includes -p option." \
X		"Please use \$arpcounterattack_pidfile instead."
X	exit 1
X	;;
X*)
X	arpcounterattack_flags="-p ${pidfile} ${arpcounterattack_flags}"
X	;;
Xesac
X
Xrun_rc_command "$1"
SHAR_END
exit

>Release-Note:
>Audit-Trail:
>Unformatted:
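
The detection step described in the submission above (examine ARP replies and gratuitous ARP requests, compare the sender's pair with a table of "correct" Ethernet/IP pairs), as an added example that is not part of the original message and is not arpCounterattack's own code. The function names, the result labels and the trusted table are assumptions made for illustration; the addresses and frames are constructed.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
# Constructed table of "correct" pairs (documentation address ranges).
TRUSTED = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.10": "00:00:5e:00:53:0a"}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an untagged
    Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])

def check_frame(frame, trusted=TRUSTED):
    """Classify a frame as 'ignored', 'unknown', 'ok' or 'conflict'."""
    arp = parse_arp(frame)
    if arp is None:
        return "ignored"
    op, sender_mac, sender_ip, target_ip = arp
    gratuitous_request = op == ARP_REQUEST and sender_ip == target_ip
    if op != ARP_REPLY and not gratuitous_request:
        return "ignored"  # ordinary who-has requests are not examined
    expected = trusted.get(sender_ip)
    if expected is None:
        return "unknown"  # no trusted pair recorded for this IP address
    return "ok" if expected.lower() == sender_mac else "conflict"

def sample_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test input: a 42-byte Ethernet + ARP frame."""
    hw = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else hw(target_mac)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (dst + hw(sender_mac) + b"\x08\x06" + arp + hw(sender_mac)
            + ip(sender_ip) + hw(target_mac) + ip(target_ip))

if __name__ == "__main__":
    # A reply that claims 192.0.2.1 from a MAC the table does not list.
    bad = sample_frame(ARP_REPLY, "00:00:5e:00:53:66", "192.0.2.1",
                       TRUSTED["192.0.2.10"], "192.0.2.10")
    print(check_frame(bad))
```

A "conflict" result is the point at which the program described above would log the event; VLAN-tagged frames are outside what this sketch parses.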