README
## ipguard

 ipguard v1.04
 Copyright (c) 2010 SeaD <sead at deep.perm.ru>

 See COPYRIGHT for copying info

## what is ipguard

 ipguard is a tool designed to protect the IP address space of an
 Ethernet LAN by ARP spoofing.

 ipguard listens on the network for ARP packets. All permitted MAC-IP
 pairs are listed in the 'ethers' file. If it receives a packet with a
 MAC-IP pair that is not listed in the 'ethers' file, it sends an ARP
 reply with the configured fake address. This prevents a host that is
 not permitted from working properly in the local Ethernet segment.


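The permit rule described above, as an added example in Python (not ipguard's own code). It assumes an ethers(5)-style file with one "MAC IP" pair per line; `load_ethers`, `decide` and the sample file are hypothetical, and the addresses are the ones used in README.tcpdump.

```python
import re

# Constructed 'ethers' content (assumed layout: "MAC IP" per line, '#' comments).
# Only the server and client pairs from README.tcpdump are permitted.
ETHERS = """\
# permitted hosts
00:0f:ea:d2:44:a4  192.168.1.1
0:D0:b7:b5:ca:6b   192.168.1.10   # leading zero omitted, as ethers(5) permits
"""
FAKE_MAC = "de:ad:6b:a8:de:5b"  # ipguard fake MAC from README.tcpdump

def norm_mac(mac):
    """Canonical lower-case, zero-padded form so 0:D0:... equals 00:d0:..."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)

def load_ethers(text):
    """Return the set of permitted (mac, ip) pairs, skipping comments and blanks."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.add((norm_mac(fields[0]), fields[1]))
    return pairs

def decide(sender_mac, sender_ip, permitted):
    """Apply the README's rule: the pair must be listed, not just the IP or the MAC."""
    if (norm_mac(sender_mac), sender_ip) in permitted:
        return ("pass", None)
    return ("fake-reply", FAKE_MAC)

PERMITTED = load_ethers(ETHERS)
```

Because the lookup is on the pair, a known IP announced from an unlisted MAC is treated the same as an unknown host.
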
## installation

 NOTE: libnet 1.0 and libnet 1.1 have totally incompatible APIs,
 so libnet 1.0 is no longer supported. Sorry.

 Use *BSD ports(7):
     # cd /usr/ports/security/ipguard && make install clean

 or

 Download from: http://ipguard.deep.perm.ru/files/

 Note: you will need two libs for ipguard:
     libpcap (ftp://ftp.ee.lbl.gov/)
     libnet 1.1.x (http://www.packetfactory.net/libnet/dist/)

 # edit Makefile for your system

 # make
 # make install

 For how to start and use ipguard, please see the man page ipguard(8).

 An example of ipguard actions in tcpdump(1) format is in README.tcpdump.

 The log file is described in README.log.

## platforms

 Developed on:
     Gentoo Linux, gcc-4.4.2, libnet-1.1.4-r1, i386

 Compiled and tested on:
     FreeBSD 4.11, gcc-2.95.4, libnet-1.1.2, i386
     FreeBSD 5.5, gcc-3.4.2, libnet-1.1.2, i386
     FreeBSD 7.0, gcc-4.2.1, libnet-1.1.2, i386
     FreeBSD 8.0, gcc-4.2.1, libnet-1.1.2, i386
     OpenBSD 3.6, gcc-2.95.3, libnet-1.1.2.1, i386
     Gentoo Linux 2007.1, gcc-3.4.5, libnet-1.1.2, i386
     Debian Linux 4.0, gcc-4.1.2, libnet-1.1.2, i386

 Any reports or patches for other platforms are welcome.


## credits

 Authors of libpcap, libnet, ip-sentinel
 citrin <citrin at citrin.ru> for testing assistance
 irix <irix at ukr.net> for testing assistance


SeaD <sead at deep.perm.ru>

## $Id: README,v 1.15 2010/07/12 03:46:52 sead Exp $

README.tcpdump

00:0f:ea:d2:44:a4 192.168.1.1   - server MAC-IP pair
00:d0:b7:b5:ca:6b 192.168.1.10  - client MAC-IP pair
00:40:f4:53:e3:7d 192.168.1.66  - pirate MAC-IP pair
de:ad:6b:a8:de:5b               - ipguard fake MAC

#### Normal ARP session
################################

## request client gratuitous

who-has 192.168.1.1 tell 192.168.1.1        requ client broadcast
                                            must not be answered

## request client -> server

who-has 192.168.1.1 tell 192.168.1.10       requ client broadcast
reply 192.168.1.1 is-at 00:0f:ea:d2:44:a4   resp server to client

## request server -> client

who-has 192.168.1.10 tell 192.168.1.1       requ server broadcast
reply 192.168.1.10 is-at 00:d0:b7:b5:ca:6b  resp client to server

#### Denied ARP by ipguard -n 2 fxp0
################################

## request pirate gratuitous

who-has 192.168.1.66 tell 192.168.1.66      requ pirate broadcast
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate

## request pirate -> server

who-has 192.168.1.1 tell 192.168.1.66       requ pirate broadcast
reply 192.168.1.1 is-at 00:0f:ea:d2:44:a4   resp server to pirate
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b   resp ipguard to pirate
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b   resp ipguard to pirate
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate

#### Denied ARP by ipguard -x -n 2 fxp0
################################

## request pirate gratuitous

 same as previous example

## request pirate -> server

 same as previous example

## request server -> pirate

who-has 192.168.1.66 tell 192.168.1.1       requ server broadcast
reply 192.168.1.66 is-at 00:40:f4:53:e3:7d  resp pirate to server
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to server
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to server

#### Denied ARP by ipguard -z -x -n 2 fxp0
################################

## request pirate (from client IP) gratuitous

who-has 192.168.1.10 tell 192.168.1.10      requ pirate broadcast
reply 192.168.1.10 is-at 00:d0:b7:b5:ca:6b  resp client to pirate
reply 192.168.1.10 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
reply 192.168.1.10 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
reply 192.168.1.10 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
who-has 192.168.1.10 tell 192.168.1.10      requ fix ipguard broadcast
                                            with client MAC-IP

## request pirate (from client IP) -> server

who-has 192.168.1.1 tell 192.168.1.10       requ pirate broadcast
reply 192.168.1.1 is-at 00:0f:ea:d2:44:a4   resp server to pirate
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b   resp ipguard to pirate
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b   resp ipguard to pirate
reply 192.168.1.10 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
who-has 192.168.1.10 tell 192.168.1.10      requ fix ipguard broadcast
                                            with client MAC-IP

## request pirate gratuitous

who-has 192.168.1.66 tell 192.168.1.66      requ pirate broadcast
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
who-has 192.168.1.66 tell 192.168.1.66      requ poison ipguard broadcast
                                            with fake MAC

## request pirate -> server

who-has 192.168.1.1 tell 192.168.1.66       requ pirate broadcast
reply 192.168.1.1 is-at 00:0f:ea:d2:44:a4   resp server to pirate
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b   resp ipguard to pirate
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b   resp ipguard to pirate
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b  resp ipguard to pirate
who-has 192.168.1.66 tell 192.168.1.66      requ poison ipguard broadcast
                                            with fake MAC

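How the denied exchanges above look to a monitor on the segment, as an added example in Python (not part of ipguard). It reads lines in the format used in this file and reports IPs answered with more than one MAC, MACs that answer for several IPs, and locally administered MACs; the function names and the sample capture are constructed for illustration.

```python
import re

# Constructed capture: the normal client -> server exchange followed by the
# "request pirate -> server" exchange from the "ipguard -n 2 fxp0" section.
TRACE = """\
who-has 192.168.1.1 tell 192.168.1.10
reply 192.168.1.1 is-at 00:0f:ea:d2:44:a4
who-has 192.168.1.1 tell 192.168.1.66
reply 192.168.1.1 is-at 00:0f:ea:d2:44:a4
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b
reply 192.168.1.1 is-at de:ad:6b:a8:de:5b
reply 192.168.1.66 is-at de:ad:6b:a8:de:5b
"""

REPLY = re.compile(
    r"reply (\d+(?:\.\d+){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def claims_by_ip(trace):
    """Map each IP to the distinct MACs that ARP replies claimed for it, in order seen."""
    claims = {}
    for ip, mac in REPLY.findall(trace):
        macs = claims.setdefault(ip, [])
        if mac.lower() not in macs:
            macs.append(mac.lower())
    return claims

def is_locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set (not vendor-assigned)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def findings(trace):
    """Return (conflicting_ips, macs_claiming_several_ips, locally_administered_macs)."""
    claims = claims_by_ip(trace)
    conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    owners = {}
    for ip, macs in claims.items():
        for mac in macs:
            owners.setdefault(mac, []).append(ip)
    multi = {mac: ips for mac, ips in owners.items() if len(ips) > 1}
    local = sorted(mac for mac in owners if is_locally_administered(mac))
    return conflicts, multi, local
```

On this capture all three signals point at the fake MAC; an ARP monitor on the same segment will raise the same alerts for ipguard's replies as for any other spoofed reply.
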
## $Id: README.tcpdump,v 1.8 2010/07/12 03:46:52 sead Exp $