Provided by: arpon_2.0-2.1ubuntu1_amd64

NAME

       arpon - Arp handler inspectiON

SYNOPSIS

       arpon [ -npqfgiolcxsydevh ]

             [ -n Nice value ] [ -p Pid file ]
             [ -f Log file ]
             [ -i Iface ]
             [ -c Cache file ] [ -x Timeout ]
             [ -y Timeout ]

DESCRIPTION

       ArpON (Arp handler inspectiON) is a portable handler daemon that makes ARP secure in order
       to avoid ARP Spoofing/Poisoning & co.

       This is possible using two kinds of anti ARP Poisoning techniques: the first is based on
       the SARPI or "Static Arp Inspection" approach, the second on the DARPI or "Dynamic Arp
       Inspection" approach.

       SARPI and DARPI protect against both bidirectional and distributed attacks. "Bidirectional
       protection" requires that ArpON is installed and running on the two nodes of the connection
       attacked. "Distributed protection" requires that ArpON is installed and running on all
       nodes of the connections attacked. All other nodes without ArpON will not be protected
       from attack.

       Keep in mind that other common tools fighting ARP poisoning usually limit their activity
       to pointing out the problem instead of blocking it; ArpON blocks it using the SARPI and
       DARPI policies. Finally, you can use ArpON to pentest a switched/hubbed LAN with or without
       the DHCP protocol; in fact, you can disable the daemon in order to use the tools to poison
       the ARP cache.

       Remember it doesn't affect the communication efficiency of the ARP protocol!

OPTIONS

       TASK MODE

       -n (--nice) <Nice Value>
              Sets PID's CPU priority (Default: 0 nice).

       -p (--pid-file) <Pid file>
              Sets the pid file (Default: /var/run/arpon.pid).

       -q (--quiet)
              Works in background task.

       LOG MODE

       -f (--log-file) <Log file>
              Sets the log file (Default: /var/log/arpon.log).

       -g (--log)
              Works in logging mode.

       DEVICE MANAGER

       ArpON is an ARP handler and it is able to handle network devices automatically (default)
       or manually, and to print a list of the system's network interfaces that are up.

       It identifies the datalink layer of the interface you are using, but it supports only
       Ethernet/Wireless as datalink. It sets the network interface, checks that it is running
       and online ready, and deletes the promiscuous flag. The online ready check covers unplug
       (virtual and physical), boot, hibernation and suspension OS features for Ethernet/Wireless
       cards. It handles these features and resets the network interface automatically when it
       is ready.

       -i (--iface) <Iface>
              Sets your Ethernet device manually.

       -o (--iface-auto)
              Sets Ethernet device automatically.

       -l (--iface-list)
              Prints all Ethernet devices.

       STATIC ARP INSPECTION

       When SARPI starts, it statically saves all the ARP entries it finds in the ARP cache in a
       static cache called the SARPI cache. Note that you must manage the ARP entries through
       ArpON's "SARPI cache from file" feature. After startup, ArpON's operations are split into
       two parallel tasks:

       - It automatically updates the ARP cache each time the timeout expires; timeout is  simply
       the expire time of each entry in the ARP cache, defined according to the policy set in the
       running kernel.  Timeout is set by default to 10 minutes, but you can override this value.

       - It applies policies to the ARP cache, according to the following three schemes:

       1) For each received ARP reply, ArpON checks whether source addresses match  an  entry  in
       the  SARPI cache. In such case, the new entry will overwrite the old one, previously saved
       in the static cache.  Here, ArpON will defend and block ARP Poisoning/Spoofing attacks.

       2) For each received ARP request, ArpON checks whether the source addresses match an entry
       in the SARPI cache. In such case, the new entry will overwrite the old one, previously
       saved in the static cache.  Here, ArpON  will  defend  and  block  ARP  Poisoning/Spoofing
       attacks.

       3) Every ARP request/reply whose source address doesn't match an entry in the SARPI cache
       is just ignored.

       Both these operations are a countermeasure  against  ARP  Poisoning/Spoofing  attacks,  as
       SARPI  detects  and  blocks them. SARPI doesn't affect the communication efficiency of the
       ARP protocol. SARPI just manages a list with static entries, making it an  optimal  choice
       in those networks without DHCP.

       Finally, it's possible to use SARPI as a daemon, using the "TASK MODE" and "LOG MODE"
       features of ArpON. It supports daemon exit by SIGINT, SIGTERM, SIGQUIT and daemon reboot
       by SIGHUP and SIGCONT POSIX signals.

       -c (--sarpi-cache) <Cache file>
              Sets Arp Cache entries from file (Default: /etc/arpon.sarpi).

       -x (--sarpi-timeout) <Timeout>
              Sets Arp Cache refresh timeout (Default: 10 minutes).

       -s (--sarpi)
              Manages Arp Cache statically.
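
       The SARPI schemes above, as an added example that is not ArpON's own code: it parses the
       arpon.sarpi format shown under EXAMPLES and classifies a received ARP request or reply.
       The "refresh" action follows the "Refresh entry" log lines under EXAMPLES; the function
       names, the duplicate check and the "refresh-mismatch" label are assumptions of this example.

```python
# Added example: SARPI-style decisions, not ArpON's source code.
import ipaddress

def norm_mac(mac):
    """Canonicalize a MAC; ArpON prints octets unpadded (0:50:56:c0:0:8)."""
    octets = [int(p, 16) for p in mac.strip().lower().split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(f"{o:02x}" for o in octets)

def load_sarpi_cache(text):
    """Parse arpon.sarpi content: '<IPv4> <MAC>' per line, '#' comment lines."""
    cache = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <mac>'")
        ip = str(ipaddress.IPv4Address(fields[0]))
        if ip in cache:  # assumption: this example rejects duplicate IPs
            raise ValueError(f"line {lineno}: duplicate entry for {ip}")
        cache[ip] = norm_mac(fields[1])
    return cache

def sarpi_decide(cache, src_ip, src_mac):
    """Return (action, mac_to_keep) for a received ARP request or reply."""
    static = cache.get(str(ipaddress.IPv4Address(src_ip)))
    if static is None:
        return ("ignore", None)  # scheme 3: source is not a protected entry
    # Schemes 1 and 2: the protected mapping is kept whatever the packet claims.
    mismatch = norm_mac(src_mac) != static
    return ("refresh-mismatch" if mismatch else "refresh", static)

# File content as shown under EXAMPLES on this page.
SAMPLE = """\
# Example of arpon.sarpi
#
192.168.1.1     0:25:53:29:f6:69
172.16.159.1    0:50:56:c0:0:8
#
"""
```

       A "refresh-mismatch" result means a packet claimed a protected IP with a different MAC,
       which is the event worth logging or alerting on.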

       DYNAMIC ARP INSPECTION

       The DARPI startup phase consists of cleaning up the ARP cache by deleting all of its
       entries. This is done because the ARP cache may contain poisoned entries from the
       beginning. DARPI handles the so-called DARPI cache, applying different policies to
       different kinds of packets:

       - ARP request: It traces ARP requests and follows these rules if traffic is:

       1) Outbound: Packets are generated by us. ArpON lets them pass, adding an entry with the
       target to the DARPI cache (see ARP reply - Inbound). DARPI sets a timeout on this DARPI
       cache entry because, if the target doesn't exist on the network, DARPI must delete it.

       2)  Inbound:  Packets  come to us from the network. ArpON refuses the packet, deleting the
       entry of the source address from the ARP cache,  because  such  packet  may  be  poisoned.
       Afterwards,  the  kernel  will  send  an ARP request to the source address, and it will be
       managed by ArpON through DARPI.  Here, ArpON will defend and block ARP  Poisoning/Spoofing
       attacks through the ARP requests.

       - ARP reply: It traces the ARP replies, and follows these rules if traffic is:

       1) Outbound: Packets are generated by us. ArpON just lets them pass.

       2) Inbound: Packets come to us from the network. If the source address matches an entry
       in the DARPI cache (see ARP request - Outbound), ArpON lets the packet flow, adding an
       entry in the ARP cache. Otherwise, if the source address doesn't match any entry in the
       DARPI cache, ArpON refuses the packet, deleting the entry from the ARP cache. Here ArpON
       defends and blocks ARP Poisoning/Spoofing attacks through the ARP replies.

       Both types of packets can be used to perform ARP Poisoning/Spoofing attacks; DARPI detects
       and blocks them. DARPI doesn't affect the communication efficiency of the ARP protocol.
       DARPI manages only a list of dynamic entries. Therefore it's an optimal solution in
       networks having DHCP.

       Finally, it's possible to use DARPI as a daemon, using the "TASK MODE" and "LOG MODE"
       features of ArpON. It supports daemon exit by SIGINT, SIGTERM, SIGQUIT and daemon reboot
       by SIGHUP and SIGCONT POSIX signals.

       -y (--darpi-timeout) <Timeout>
              Sets DARPI Cache entry timeout (Default: 500 milliseconds).

       -d (--darpi)
              Manages Arp Cache dynamically.
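
       The DARPI rules above as a small state machine, replayed over constructed events; this is
       an added example, not ArpON's own code. The class and action names, the stand-in ARP cache
       and the choice to consume a DARPI entry once its reply is accepted are assumptions.

```python
# Added example: a model of the DARPI rules, not ArpON's source code.
class Darpi:
    def __init__(self, timeout_ms=500):   # 500 ms is the documented -y default
        self.timeout_ms = timeout_ms
        self.pending = {}                 # DARPI cache: target ip -> deadline (ms)
        self.arp_cache = {}               # stand-in for the kernel ARP cache

    def expire(self, now_ms):
        # Drop tracked requests whose reply never arrived in time.
        self.pending = {ip: dl for ip, dl in self.pending.items() if now_ms <= dl}

    def handle(self, now_ms, kind, direction, ip, mac=None):
        """kind: 'request'|'reply'; direction: 'out'|'in'.
        ip is the target of an outbound request, otherwise the source address."""
        self.expire(now_ms)
        if direction == "out":
            if kind == "request":
                self.pending[ip] = now_ms + self.timeout_ms
                return "pass+track"
            return "pass"
        if kind == "request":
            # Inbound request: may be poisoned, so forget the sender's entry.
            self.arp_cache.pop(ip, None)
            return "refuse+delete"
        if ip in self.pending:
            # Assumption: a matched DARPI entry is consumed by its reply.
            del self.pending[ip]
            self.arp_cache[ip] = mac
            return "accept"
        self.arp_cache.pop(ip, None)      # reply nobody asked for
        return "refuse+delete"

def replay(events, timeout_ms=500):
    d = Darpi(timeout_ms)
    return [d.handle(*e) for e in events], d.arp_cache

# Constructed events: (time ms, kind, direction, ip, mac)
EVENTS = [
    (0,    "request", "out", "192.168.1.1",  None),
    (20,   "reply",   "in",  "192.168.1.1",  "0:25:53:29:f6:69"),  # solicited
    (100,  "reply",   "in",  "192.168.1.1",  "de:ad:be:ef:0:1"),   # unsolicited
    (200,  "request", "out", "192.168.1.5",  None),                # absent host
    (900,  "reply",   "in",  "192.168.1.5",  "de:ad:be:ef:0:1"),   # after timeout
    (950,  "request", "in",  "192.168.1.93", "0:c:29:3:e5:98"),
    (1000, "request", "out", "192.168.1.1",  None),                # re-resolve
    (1010, "reply",   "in",  "192.168.1.1",  "0:25:53:29:f6:69"),
]
```

       The unsolicited reply at 100 ms removes the ARP entry rather than replacing it; the
       mapping only returns after a request this host sent itself is answered.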

       MISC FEATURES

       Other.

       -e (--license)
              Prints license page.

       -v (--version)
              Prints version number.

       -h (--help)
              Prints help summary page.

EXAMPLES

       - Static ARP Inspection:

         Example of /etc/arpon.sarpi:

           # Example of arpon.sarpi
           #
           192.168.1.1     0:25:53:29:f6:69
           172.16.159.1    0:50:56:c0:0:8
           #

         With a 1 minute timeout for ARP cache refresh:

           # root:ArpON-2.0 $ ./arpon -i en1 -x 1 -s

             ArpON "Arp handler inspectiON" 2.0 (http://arpon.sourceforge.net)

             12:55:03 - Wait link connection on en1...
             12:55:12 - SARPI on dev(en1) inet(192.168.1.4) hw(0:23:6c:7f:28:e7)
             12:55:12 - Arp Cache restore from /etc/arpon.sarpi...
             12:55:12 - Protects these Arp Cache's entries:
             12:55:12 - 1)     192.168.1.1 ->  0:25:53:29:f6:69
             12:55:12 - 2)    172.16.159.1 ->    0:50:56:c0:0:8
             12:55:12 - Arp Cache refresh timeout: 1 minut.
             12:55:12 - Realtime Protect actived!
             12:55:22 - Request << Refresh entry 192.168.1.1 -> 0:25:53:29:f6:69
             12:55:22 - Reply   >> Send to 192.168.1.1 -> 0:25:53:29:f6:69
             12:55:39 - Request >> Send to 192.168.1.1 -> 0:0:0:0:0:0
             12:55:39 - Reply   << Refresh entry 192.168.1.1 -> 0:25:53:29:f6:69
             12:56:03 - Request << Ignore entry 192.168.1.93 -> 0:23:6c:7f:28:e7
             12:56:03 - Reply   >> Send to 192.168.1.93 -> 0:c:29:3:e5:98
             12:56:12 - Refresh these Arp Cache entries:
             12:56:12 - 1) 192.168.1.1 -> 0:25:53:29:f6:69
             12:56:12 - 2) 172.16.159.1 -> 0:50:56:c0:0:8
             ...

       - Dynamic ARP Inspection:

           # root:ArpON-2.0 $ ./arpon -i en1 -d

             ArpON "Arp handler inspectiON" 2.0 (http://arpon.sourceforge.net)

             14:11:32 - Wait link connection on en1...
             14:11:41 - DARPI on dev(en1) inet(192.168.1.4) hw(0:23:6c:7f:28:e7)
             14:11:41 - Deletes these Arp Cache entries:
             14:11:41 - 1)     192.168.1.1 ->  0:25:53:29:f6:69
             14:11:41 - Cache entry timeout: 500 milliseconds.
             14:11:41 - Realtime Protect actived!
             14:11:41 - Request << Delete entry 192.168.1.1 -> 0:25:53:29:f6:69
             14:11:41 - Reply   >> Send to 192.168.1.1 -> 0:25:53:29:f6:69
             14:11:41 - Request >> Add entry 192.168.1.1
             14:11:41 - Reply   << Refresh entry 192.168.1.1 -> 0:25:53:29:f6:69
             14:11:49 - Request >> Add entry 192.168.1.5
             14:11:49 - Reply   << Delete timeout entry 192.168.1.5
             14:12:04 - Request >> Add entry 192.168.1.1
             14:12:04 - Reply   << Refresh entry 192.168.1.1 -> 0:25:53:29:f6:69
             ...

AUTHOR

       ArpON was written by:

                   Andrea Di Pasquale <spikey.it@gmail.com>

       The current version is available via http:

            http://arpon.sourceforge.net

BUGS

       Please send problems, bugs, questions, desirable enhancements, patches, source code
       contributions, etc. to:

                   spikey.it@gmail.com

                                          04 April 2010                                  arpon(8)