ARP Spoofing

Submission Deadline:

The goals of this exercise are to:

  1. Create a network monitor for ARP messages
  2. Implement an ARP cache poisoning detection system

ARP Cache Poisoning Monitor

Using libpcap, scapy, or another library of your choice, implement a monitor that can process PCAP dump files and detect instances of ARP cache poisoning. Your solution cannot use any library code that implements ARP spoofing or ARP spoofing detection; instead, you must directly operate on and track ARP messages.

Your monitor must output a stream of detections using YAML. The format of a single detection is as follows:

---
packet_index: {{integer}}   # The packet's index in the dump, zero-indexed
victim_mac_address: {{MAC address string}}
attacker_mac_address: {{MAC address string}}
benign_mac_address: {{MAC address string}}
spoofed_ipv4_address: {{IPv4 address string}}

For example:

---
packet_index: 1234
victim_mac_address: "00:22:44:66:88:aa"
attacker_mac_address: "11:33:55:77:99:bb"
benign_mac_address: "22:44:66:88:aa:cc"
spoofed_ipv4_address: "1.1.1.1"

Ensure that no other data is written to stdout aside from a stream of detection messages.
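A minimal monitor in this spirit, added here as an illustration rather than a reference solution: it parses a classic pcap and the Ethernet/ARP headers by hand, keeps a first-seen IP-to-MAC baseline, and emits detections in the YAML format above. All MAC and IP addresses and the sample capture are constructed; the first-seen heuristic will also flag legitimate rebindings (a host replacing its NIC, DHCP reassigning an address), so a submission should document how it handles those.

```python
import json, struct

ETH_ARP, ARP_HDR = b"\x08\x06", b"\x00\x01\x08\x00\x06\x04"  # ethertype ARP; htype=1, ptype=IPv4, hlen=6, plen=4
fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
fmt_ip = lambda b: ".".join(str(x) for x in b)

def build_arp(src, dst, op, s_mac, s_ip, t_mac, t_ip):   # constructed demo frames, not a capture
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (mac(dst) + mac(src) + ETH_ARP + ARP_HDR + struct.pack("!H", op)
            + mac(s_mac) + ip(s_ip) + mac(t_mac) + ip(t_ip))

def read_pcap(data):
    """Yield link-layer frames from a classic little-endian pcap (24-byte global header)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("demo handles classic little-endian pcap only")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]  # ts_sec, ts_usec, incl_len, orig_len
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def detect(frames):
    """First-seen baseline: a later ARP binding a known IP to a different MAC is flagged."""
    bindings, detections = {}, []
    for idx, f in enumerate(frames):
        if len(f) < 42 or f[12:14] != ETH_ARP or f[14:20] != ARP_HDR:
            continue                                   # not an Ethernet/IPv4 ARP message
        s_mac, s_ip = fmt_mac(f[22:28]), fmt_ip(f[28:32])
        if s_ip == "0.0.0.0":                          # ARP probe (RFC 5227) asserts no binding
            continue
        known = bindings.setdefault(s_ip, s_mac)       # first claimant becomes the trusted MAC
        if known != s_mac:                             # victim = host the frame is addressed to
            detections.append({"packet_index": idx, "victim_mac_address": fmt_mac(f[0:6]),
                               "attacker_mac_address": s_mac, "benign_mac_address": known,
                               "spoofed_ipv4_address": s_ip})
    return detections

def to_yaml(d):
    """Render one detection in the assignment's stream format (no YAML library needed)."""
    return "---\n" + "\n".join(f"{k}: {json.dumps(v)}" for k, v in d.items())

def sample_pcap():
    """Constructed pcap: the gateway answers a request, then a second MAC claims its IP."""
    gw, host, evil = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:03"
    frames = [build_arp(host, "ff:ff:ff:ff:ff:ff", 1, host, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
              build_arp(gw, host, 2, gw, "10.0.0.1", host, "10.0.0.2"),
              build_arp(evil, host, 2, evil, "10.0.0.1", host, "10.0.0.2")]  # poisoning reply
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header, linktype 1
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(fr), len(fr)) + fr for fr in frames)
```

Pass the bytes of a real dump (`open(path, "rb").read()`) to `read_pcap` in place of `sample_pcap()` and `print(to_yaml(d))` for each detection to produce the required stdout stream.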

Submission Instructions

Commit and push the source code for your monitor to GitLab in the repository ${your_gitlab_user}/arp_spoofing. The latest commit on master will be considered your submitted solution. Your repository root must also contain a Dockerfile that will build an image that runs your monitor on a PCAP dump file. That is, given a built image, running

$ docker run -it -v $(pwd):/data ${image_name} /data/dump.pcap

must execute your monitor on /data/dump.pcap within the resulting container. Your monitor must follow the output specification described above.

Finally, commit a README.md that describes the detection strategy your monitor employs.