authorskreuzer <skreuzer@FreeBSD.org>2011-04-28 01:42:00 +0800
committerskreuzer <skreuzer@FreeBSD.org>2011-04-28 01:42:00 +0800
commit1132a7805b5cd55cbc0c1ff4bb569f79b02427ba (patch)
tree37f2096a56f926fa2b1e724bb166ac0c5ec7b9da /security/arpCounterattack
parent3a4f4b491d735f60d89fcc620ca7deff68df1848 (diff)
arpCounterattack is a program for detecting and remedying "ARP attacks." It
monitors traffic on any number of Ethernet interfaces and examines ARP replies and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP request that is in conflict with its notion of "correct" Ethernet/IP address pairs, it logs the attack if logging is enabled, and, if the Ethernet interface that the attack was seen on is configured as being in aggressive mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables of hosts on the local network segment. The corrective gratuitous ARP request and corrective gratuitous ARP reply can be sent from an Ethernet interface other than the one that the attack was seen on. WWW: http://acm.poly.edu/wiki/ARP_Counterattack PR: ports/151973 Submitted by: Boris Kochergin <spawk@acm.poly.edu>
Diffstat (limited to 'security/arpCounterattack')
-rw-r--r--security/arpCounterattack/Makefile32
-rw-r--r--security/arpCounterattack/distinfo2
-rw-r--r--security/arpCounterattack/files/arpCounterattack.in44
-rw-r--r--security/arpCounterattack/files/pkg-message.in11
-rw-r--r--security/arpCounterattack/pkg-descr15
-rw-r--r--security/arpCounterattack/pkg-plist6
6 files changed, 110 insertions, 0 deletions
diff --git a/security/arpCounterattack/Makefile b/security/arpCounterattack/Makefile
new file mode 100644
index 000000000000..bb19119d2613
--- /dev/null
+++ b/security/arpCounterattack/Makefile
@@ -0,0 +1,32 @@
+# New ports collection makefile for: arpCounterattack
+# Date created: 05 November 2010
+# Whom: Boris Kochergin <spawk@acm.poly.edu>
+# $FreeBSD$
+#
+
+PORTNAME= arpCounterattack
+PORTVERSION= 1.2.0
+CATEGORIES= security
+MASTER_SITES= http://isis.poly.edu/~bk/${PORTNAME}/ \
+ http://bk.macroblock.net/${PORTNAME}/
+EXTRACT_SUFX= .tbz
+
+MAINTAINER= spawk@acm.poly.edu
+COMMENT= Detects and remedies ARP attacks
+
+LIB_DEPENDS= dnet.1:${PORTSDIR}/net/libdnet
+
+SUB_FILES= pkg-message
+
+USE_RC_SUBR= ${PORTNAME}
+
+.include <bsd.port.pre.mk>
+
+post-install:
+ @if [ ! -f ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ]; then \
+ ${CP} -p ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf.sample \
+ ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf ; \
+ fi
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
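Review bot: The `post-install` copy uses `${CP} -p`, so the live `${PORTNAME}.conf` inherits whatever owner and mode the upstream install step gave `${PORTNAME}.conf.sample`; this Makefile defines no `do-install` and pins neither value, so both come from the distfile. This file presumably holds the Ethernet/IP pairs the daemon treats as correct, so it should end up root-owned and not writable by group or others. I would create it with the framework macro, `${INSTALL_DATA} ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf.sample ${PREFIX}/etc/${PORTNAME}/${PORTNAME}.conf`, or follow the copy with an explicit `${CHMOD}`. The `@exec` line in pkg-plist repeats the same `cp -p` and would need the matching change.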
diff --git a/security/arpCounterattack/distinfo b/security/arpCounterattack/distinfo
new file mode 100644
index 000000000000..37d5bf3d58d1
--- /dev/null
+++ b/security/arpCounterattack/distinfo
@@ -0,0 +1,2 @@
+SHA256 (arpCounterattack-1.2.0.tbz) = 28cb61cb799871bbb10057fddbd7a445f10b27725eca088f370eeff157f88f3d
+SIZE (arpCounterattack-1.2.0.tbz) = 507939
diff --git a/security/arpCounterattack/files/arpCounterattack.in b/security/arpCounterattack/files/arpCounterattack.in
new file mode 100644
index 000000000000..6594649d5b21
--- /dev/null
+++ b/security/arpCounterattack/files/arpCounterattack.in
@@ -0,0 +1,44 @@
+#!/bin/sh
+# $FreeBSD
+
+# PROVIDE: arpcounterattack
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Define these arpcounterattack_* variables in one of these files:
+# /etc/rc.conf
+# /etc/rc.conf.local
+# /etc/rc.conf.d/arpcounterattack
+#
+# DO NOT CHANGE THESE DEFAULT VALUES HERE
+#
+arpcounterattack_enable="${arpcounterattack_enable-NO}"
+arpcounterattack_pidfile="/var/run/arpCounterattack.pid"
+
+. /etc/rc.subr
+
+name="arpcounterattack"
+rcvar=`set_rcvar`
+command="%%PREFIX%%/sbin/arpCounterattack"
+
+load_rc_config $name
+
+: ${arpcounterattack_config="%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf"}
+: ${arpcounterattack_flags="-c ${arpcounterattack_config}"}
+
+pidfile="${arpcounterattack_pidfile}"
+required_files="${arpcounterattack_config}"
+
+case "${arpcounterattack_flags}" in
+*-p\ *)
+ echo "ERROR: \$arpcounterattack_flags includes -p option." \
+ "Please use \$arpcounterattack_pidfile instead."
+ exit 1
+ ;;
+*)
+ arpcounterattack_flags="-p ${pidfile} ${arpcounterattack_flags}"
+ ;;
+esac
+
+run_rc_command "$1"
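Review bot: The guard `*-p\ *)` only recognises `-p` when a space follows it, so an `arpcounterattack_flags` value that ends in `-p` or carries an attached argument such as `-p/some/path` falls through to the `*)` branch and gets a second `-p ${pidfile}` prepended; whether the daemon accepts the attached form is not visible here. A pattern anchored on the option itself, e.g. `-p*|*\ -p*)`, closes both gaps. The check also sits ahead of `run_rc_command` and ends in `exit 1`, so a rejected flags value blocks `stop` and `status` as well as `start`; a comment saying that this is intended would help. Separately, the header tag `# $FreeBSD` lacks its closing `$` and will not be expanded.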
diff --git a/security/arpCounterattack/files/pkg-message.in b/security/arpCounterattack/files/pkg-message.in
new file mode 100644
index 000000000000..1c44db265d5a
--- /dev/null
+++ b/security/arpCounterattack/files/pkg-message.in
@@ -0,0 +1,11 @@
+
+Before starting arpCounterattack, you should edit its configuration file,
+%%PREFIX%%/etc/arpCounterattack/arpCounterattack.conf. Then, add the following
+line to /etc/rc.conf:
+
+arpcounterattack_enable="YES"
+
+Finally, to start it, run the following command:
+
+%%PREFIX%%/etc/rc.d/arpCounterattack start
+
diff --git a/security/arpCounterattack/pkg-descr b/security/arpCounterattack/pkg-descr
new file mode 100644
index 000000000000..7252ac7db14e
--- /dev/null
+++ b/security/arpCounterattack/pkg-descr
@@ -0,0 +1,15 @@
+arpCounterattack is a program for detecting and remedying "ARP attacks." It
+monitors traffic on any number of Ethernet interfaces and examines ARP replies
+and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP
+request that is in conflict with its notion of "correct" Ethernet/IP address
+pairs, it logs the attack if logging is enabled, and, if the Ethernet
+interface that the attack was seen on is is configured as being in aggressive
+mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with
+the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables
+of hosts on the local network segment. The corrective gratuitous ARP request
+and corrective gratuitous ARP reply can be sent from an Ethernet interface
+other than the one that the attack was seen on.
+
+WWW: http://acm.poly.edu/wiki/ARP_Counterattack
+
+-Boris Kochergin <spawk@acm.poly.edu>
diff --git a/security/arpCounterattack/pkg-plist b/security/arpCounterattack/pkg-plist
new file mode 100644
index 000000000000..a37a292e0168
--- /dev/null
+++ b/security/arpCounterattack/pkg-plist
@@ -0,0 +1,6 @@
+sbin/arpCounterattack
+@unexec if cmp -s %D/etc/arpCounterattack/arpCounterattack.conf.sample %D/etc/arpCounterattack/arpCounterattack.conf; then rm -f %D/etc/arpCounterattack/arpCounterattack.conf; fi
+etc/arpCounterattack/arpCounterattack.conf.sample
+@exec if [ ! -f %D/etc/arpCounterattack/arpCounterattack.conf ] ; then cp -p %D/%F %B/arpCounterattack.conf; fi
+etc/arpCounterattack/oui.txt
+@dirrmtry etc/arpCounterattack