rnehra01 / Arp Validator

Security Tool to detect arp poisoning attacks

arp-validator

Features

  • Uses a faster (active) approach to detecting ARP poisoning attacks than passive approaches
  • Detects not only the presence of ARP poisoning but also whether an IP-MAC mapping is valid (when LAN hosts use a non-customized network stack)
  • Stores validated hosts so they are not probed again, for speed
  • Works as a daemon process without interfering with normal traffic
  • Logs to any external file

Architecture

  +-------------+                +---------------+                  +------------+    
  |  ARP packet |    ARP Reply   | Mac-ARP Header|    Consistent    |   Spoof    |
  |   Sniffer   |  ------------> |  consistency  |  --------------> |  Detector  |
  |             |     Packets    |    Checker    |    ARP Packets   |            |
  +-------------+                +---------------+                  +------------+
                                        |                                 /
                                   Inconsistent                         /
                                   ARP Packets                     Spoofed
                                        |                        ARP Packets
                                        V                         /
                                +--------------+                /
                                |              |              /
                                |   Notifier   |  <----------
                                |              |
                                +--------------+

  1. ARP Packets Sniffer

    It sniffs all the ARP packets and discards

    • ARP Request Packets
    • ARP Reply packets sent by the machine itself which is using the tool (assuming host running the tool isn't ARP poisoning 😜)
  2. Mac-ARP Header Consistency Checker

    It compares

    • the source MAC address in the MAC (Ethernet) header with the sender hardware address in the ARP header
    • the destination MAC address in the MAC header with the target hardware address in the ARP header

    If either pair does not match, the packet is inconsistent and the Notifier is triggered.

  3. Spoof Detector

    It relies on a basic property of the TCP/IP stack.

    The network interface card of a host accepts packets sent to its own MAC address, the broadcast
    address and any subscribed multicast addresses, and passes them to the IP layer. The IP layer
    accepts only IP packets addressed to its own IP address(es) and silently discards the rest.
    If the accepted packet is a TCP packet it is passed on to the TCP layer. If a TCP SYN packet is
    received, the host responds with a TCP SYN/ACK packet if the destination port is open, or with a
    TCP RST packet if the port is closed.

    So there are two types of packets:

    • RIGHT MAC - RIGHT IP
    • RIGHT MAC - WRONG IP (spoofed packet)

    For each consistent ARP packet, we construct a TCP SYN packet whose destination MAC and IP address are those advertised by the ARP packet, with a random TCP destination port, and whose source MAC and IP address are those of the host running the tool.

    If a RST (port closed) or SYN/ACK (port listening) is received for the SYN within the TIME LIMIT, the host that sent the ARP packet is legitimate.

    Otherwise, no response arrives within the TIME LIMIT, so the host is not legitimate and the Notifier is triggered.

  4. Notifier

    It provides desktop notifications in case of ARP spoofing detection.
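Stages 1 to 3 above as one added JavaScript example (added here; not arp-validator's own code): it parses a constructed Ethernet/ARP frame, applies the sniffer filter and the MAC/ARP header consistency check, and models the SYN-probe verdict with an injected probe callback. `buildArp`, `classifyArpFrame`, `validateHost` and the `probe` callback are hypothetical names; real capture and SYN injection need a raw-socket library and are left out.

```javascript
// Added example (not arp-validator's own code). Offsets follow RFC 826 for an
// Ethernet II frame carrying an IPv4 ARP message: 14-byte header + 28-byte body.
const ETHERTYPE_ARP = 0x0806;
const ARP_REPLY = 2;

const macBytes = (s) => Buffer.from(s.split(':').map((h) => parseInt(h, 16)));
const ipBytes = (s) => Buffer.from(s.split('.').map(Number));
const macStr = (b) => [...b].map((x) => x.toString(16).padStart(2, '0')).join(':');

// Builds a constructed frame for testing (hypothetical helper; stands in for the sniffer).
function buildArp({ op, ethSrc, ethDst, sha, spa, tha, tpa }) {
  const hdr = Buffer.concat([macBytes(ethDst), macBytes(ethSrc), Buffer.from([0x08, 0x06])]);
  const body = Buffer.concat([
    Buffer.from([0, 1, 0x08, 0, 6, 4, 0, op]), // htype=1, ptype=IPv4, hlen=6, plen=4, oper
    macBytes(sha), ipBytes(spa), macBytes(tha), ipBytes(tpa),
  ]);
  return Buffer.concat([hdr, body]);
}

// Stages 1 and 2: drop requests and our own replies, then compare MAC header vs ARP header.
function classifyArpFrame(frame, ownMac) {
  if (frame.length < 42 || frame.readUInt16BE(12) !== ETHERTYPE_ARP) return { verdict: 'not-arp' };
  const ethDst = macStr(frame.subarray(0, 6));
  const ethSrc = macStr(frame.subarray(6, 12));
  const arp = frame.subarray(14);
  if (arp.readUInt16BE(6) !== ARP_REPLY) return { verdict: 'drop-request' };
  const sha = macStr(arp.subarray(8, 14));         // sender hardware address
  const spa = [...arp.subarray(14, 18)].join('.'); // sender protocol address
  const tha = macStr(arp.subarray(18, 24));        // target hardware address
  if (sha === ownMac.toLowerCase()) return { verdict: 'drop-own' };
  if (ethSrc !== sha || ethDst !== tha) return { verdict: 'inconsistent', ethSrc, sha, ethDst, tha };
  return { verdict: 'consistent', ip: spa, mac: sha };
}

// Stage 3: `probe(host)` (injected; a real one would send a TCP SYN to host.mac/host.ip on a
// random port) resolves to 'RST' or 'SYN/ACK'. No answer within the time limit means the
// advertised IP-MAC pair is spoofed. Validated hosts are cached so they are not probed again.
async function validateHost(host, probe, validated, timeLimitMs) {
  const key = `${host.ip}|${host.mac}`;
  if (validated.has(key)) return 'legitimate';
  let timer;
  const timeout = new Promise((resolve) => { timer = setTimeout(resolve, timeLimitMs, null); });
  const reply = await Promise.race([probe(host), timeout]);
  clearTimeout(timer);
  if (reply === 'RST' || reply === 'SYN/ACK') { validated.add(key); return 'legitimate'; }
  return 'spoofed';
}
```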


Installation

npm

[sudo] npm install arp-validator -g

source

git clone https://github.com/rnehra01/arp-validator.git
cd arp-validator
npm install
Use the binary in bin/ to run

Usage

[sudo] arp-validator [action] [options]

actions:

	start		start arp-validator as a daemon

		options:
			--interface, -i
				Network interface on which tool works
				arp-validator start -i eth0 or --interface=eth0

			--hostdb, -d
				stores valid hosts in an external file (absolute path)
				arp-validator start -d host_file or --hostdb=host_file

			--log, -l
				generates logs in an external file (absolute path)
				arp-validator start -l log_file or --log=log_file


	stop		stop arp-validator daemon


	status		get status of arp-validator daemon


global options:

	--help, -h
		Displays help information about this script
		'arp-validator -h' or 'arp-validator --help'

	--version
		Displays version info
		arp-validator --version

Dependencies

Issues

  • [ ] Currently, it is assumed that hosts use a non-customized network stack, hence a malicious host won't respond to the TCP SYN packet. But if the malicious host uses a customized network stack, it can capture the TCP SYN packet directly at layer 2 and respond with a self-constructed TCP RST or ACK, hence our tool will validate the malicious host.
  • [ ] If a host uses a firewall that allows TCP packets only on some specific ports, a legitimate host also won't respond to the TCP SYN packet and the tool will give a false positive ARP poisoning detection.

References

Vivek Ramachandran and Sukumar Nandi, “Detecting ARP Spoofing: An Active Technique”
