WAND Network Research Group University of Waikato Crest Of Arms

Spoofing ARP from a DHCP Database

dhcparpd is a tool to mitigate the effects of IP spoofing attacks on ethernet based networks. dhcparpd was initially written to help manage the conference network for Linux.Conf.AU held in Dunedin in January 2006.

dhcparpd works by spoofing ARP replies based on the information held in the lease database of an ISC DHCPD3 server instance. dhcparpd listens on a pcap socket for incoming ARP queries, queries the DHCP server for a MAC address using the OMAPI protocol and finally sends a spoofed response using the libnet packet injection library.

dhcparpd does not stop the real host sending its own ARP response. You need to configure iptables/ebtables to block these packets. We have hacked the madwifi driver to add this functionality. The patch for this can be found in as ticket #278 in the Madwifi bug tracker.

We strongly recommend that you do not run dhcparpd on a wired network. It is highly likely that you'll end up confusing your switches mac table and will end up reducing your switch to a hub. dhcparpd can be configured to send all ARP responses from a single MAC address but this can cause problems for some operating systems which will refuse to recognise the response packet.

Getting dhcparpd

dhcparpd is currently regarded as beta quality software. It has been used to successfully manage a conference network with over 200 wireless clients.

The current release of dhcparpd is revision 52:

Debian packages should be available very very shortly. Email us if you need them.

Contact Details

dhcparpd is written and maintained by Perry Lorier and Matt Brown. Any bugs, comments, questions can be directed to us.