The location of this file defaults to /etc/arp_bomber.cf, but may be overridden by a command-line option to arp_bomber(8).
The file consists of a series of statements, one per line. Each statement begins with a keyword followed by one or more arguments (depending on the keyword); keywords and arguments are separated by spaces or tabs. Statements may be specified in any order.
Some keywords take an ethernet-address argument. Ethernet address values must be written in a form that ether_aton(3) recognizes; e.g. 1:2:3:4:5:6 or 00:A5:b2:0:BB:c.
Some keywords take an ip-address or ip-mask as a value. IP address and IP mask values must be written in a form that inet_aton(3) recognizes; e.g. 192.168.1.2 or 255.255.252.0.
Blank lines are ignored. Lines for which the first non-blank character is a '#' are treated as comments. Trailing comments on statements are not supported.
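As an added illustration of the lexical rules above (this is example code written for this page, not part of arp_bomber itself), the following Python reader splits a configuration file into statements and parses the two argument types. It uses socket.inet_aton, which wraps the same inet_aton(3) the ARP Bomber relies on, and a hand-written check for the ether_aton(3) address form; the sample file is constructed here and deliberately ends with a trailing comment, which the rules say is not supported and therefore surfaces as extra arguments.

```python
import socket
import string


def parse_ether(text):
    """Parse an Ethernet address in the form ether_aton(3) accepts:
    six colon-separated groups of one or two hex digits, any case.
    Returns the six address bytes."""
    parts = text.split(":")
    ok = len(parts) == 6 and all(
        1 <= len(p) <= 2 and all(c in string.hexdigits for c in p) for p in parts
    )
    if not ok:
        raise ValueError(f"bad ethernet address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def parse_ip(text):
    """Parse an IP address or mask with the rules of inet_aton(3)
    (socket.inet_aton wraps the C function). Returns a 32-bit int."""
    try:
        return int.from_bytes(socket.inet_aton(text), "big")
    except OSError:
        raise ValueError(f"bad IP address: {text!r}") from None


def read_statements(lines):
    """Yield (lineno, keyword, args) for every statement in the file.

    Blank lines and lines whose first non-blank character is '#' are
    skipped; keywords and arguments are split on runs of spaces or tabs.
    Nothing else is stripped: a trailing '# comment' is NOT recognised and
    simply shows up as extra arguments, which per-keyword validation
    should then reject."""
    for lineno, raw in enumerate(lines, start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        yield lineno, fields[0], fields[1:]


# Constructed sample file (not a real deployment). Note the tab after
# 'network' and the unsupported trailing comment on the last line.
SAMPLE = """\
# constructed sample arp_bomber.cf

network\t192.168.0.0   255.255.0.0
default_dns_domain example.org
exempt_ether_client 00:A5:b2:0:BB:c hide
network 10.0.5.0 255.255.255.0 # trailing comments are not supported
"""


def parse_sample():
    """Statements found in SAMPLE, as (lineno, keyword, args) tuples."""
    return list(read_statements(SAMPLE.splitlines()))


if __name__ == "__main__":
    for lineno, keyword, args in parse_sample():
        print(lineno, keyword, args)
```

The last statement comes back with eight arguments instead of two; a validator for the network keyword should reject it rather than silently using the first two, since the author of the file clearly did not mean what the bomber would read.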
The keywords are as follows:
The network statement is required, and is used to specify an IP network running on the physical interface on which the ARP Bomber will run. (The actual name of the physical interface is not specified here; it is specified as a required argument to arp_bomber(8).)
If multiple IP networks are running on that physical network, each must be specified in a separate network statement. (If several IP networks have contiguous ranges, it is permissible to consolidate them into a single network statement.)
Specify:
    network ip-address ip-mask
Although the ARP Bomber can determine the IP network range for the physical interface on which it is running, it cannot determine if there are other logical IP networks running on the same physical network. It needs to know about all these logical networks; it uses this information to determine if it should suppress sending ARP Response packets to any additional_target values you might specify. (ARP Response packets should not be sent to any additional_target devices when the stolen IP address does not fall within any IP network running on the physical network.)
The default_dns_domain statement is required, and is used to specify a default DNS domain name. Only one default_dns_domain should appear in the configuration file. Specify:
    default_dns_domain domainname
The domainname is an unquoted string; e.g. example.org. Be sure to omit any leading and trailing dots.
The domainname is used to change names retrieved from ethers(4) into fully-qualified domain names that can be found in DNS. Any name retrieved from ethers that ends with a dot is deemed to already be fully-qualified. If the name ends with domainname, a dot will be appended to make it fully-qualified. Otherwise, the name will be made fully-qualified by appending a dot, domainname and another dot.
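The three qualification rules above, written out as an added Python example (not code from arp_bomber). check_domainname enforces the "no leading or trailing dots" requirement; qualify_name applies the rules exactly as stated, including the plain suffix test for "ends with domainname".

```python
def check_domainname(domainname):
    """Reject a domainname written with a leading or trailing dot, which
    the default_dns_domain description asks the administrator to omit."""
    if not domainname or domainname.startswith(".") or domainname.endswith("."):
        raise ValueError(
            f"default_dns_domain must have no leading/trailing dot: {domainname!r}"
        )
    return domainname


def qualify_name(name, domainname):
    """Turn a name retrieved from ethers(4) into a fully-qualified DNS name.

    Rule 1: a name ending in a dot is already fully-qualified.
    Rule 2: a name ending in domainname gets a dot appended.
    Rule 3: anything else gets '.' + domainname + '.' appended."""
    check_domainname(domainname)
    if name.endswith("."):
        return name                           # e.g. baz.foobar.net. stays as is
    if name.endswith(domainname):
        return name + "."                     # host.example.org -> host.example.org.
    return name + "." + domainname + "."      # host -> host.example.org.
```

Two consequences worth knowing when you maintain ethers(4): a host whose DNS name lives in a domain you do not control (the baz.foobar.net case in the example below) must be written with a trailing dot, or rule 3 will append your default domain to it; and rule 2 is a plain suffix match, so a name such as notexample.org is treated as lying in example.org.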
The exempt_ether_client statement is optional, and is used to specify the Ethernet address of a client exempt from the ARP Bomber. An ARP Request from this Ethernet address is ignored by the ARP Bomber. Multiple exempt_ether_client statements may be used. Specify:
    exempt_ether_client ethernet-address [hide]
The optional hide argument may be specified to prevent the ARP Bomber from logging an EXEMPT-ETHER message each time it encounters an ARP Request from this Ethernet address. (This message is logged when the debuglevel is greater than 0.)
The exempt_ip_client statement is optional, and is used to specify the IP address or network range of a client exempt from the ARP Bomber. An ARP Request from a matching IP address is ignored by the ARP Bomber. Multiple exempt_ip_client statements may be used. Specify:
    exempt_ip_client ip-address [ ip-mask ] [hide]
If no ip-mask is specified, it is assumed to be 255.255.255.255.
The optional hide argument may be specified to prevent the ARP Bomber from logging an EXEMPT-IP message each time it encounters an ARP Request from a matching IP address. (This message is logged when the debuglevel is greater than 0.)
The exempt_ip_when_ether_known_client statement is optional, and is used to specify the IP address or network range of a client exempt from the ARP Bomber when the Ethernet address of the device trying to use this IP address is known. An ARP Request from a matching IP address from any Ethernet address that is known is ignored by the ARP Bomber. Multiple exempt_ip_when_ether_known_client statements may be used. Specify:
    exempt_ip_when_ether_known_client ip-address [ ip-mask ] [hide]
If no ip-mask is specified, it is assumed to be 255.255.255.255.
The optional hide argument may be specified to prevent the ARP Bomber from logging an EXEMPT-IP-WHEN-ETHER-KNOWN message each time it encounters an ARP Request from a matching IP address when the Ethernet address is known. (This message is logged when the debuglevel is greater than 0.)
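How the three exemption statements combine when an ARP Request arrives, as an added Python example (not arp_bomber's own code). It uses the entries from the example configuration later on this page, with the keyword spelled as in the description above. What "known" means for an Ethernet address is an assumption here: the caller passes the set of addresses it knows, for instance those listed in ethers(4). The default ip-mask of 255.255.255.255 and the hide flag are handled as described.

```python
import socket


def ip_int(text):
    """Dotted quad (inet_aton(3) form) to a 32-bit int."""
    return int.from_bytes(socket.inet_aton(text), "big")


def ether_key(text):
    """Canonical lowercase form of an ether_aton(3)-style address,
    so 0:0:4a:5b:6c:d and 00:00:4A:5B:6C:0D compare equal."""
    return ":".join(f"{int(p, 16):02x}" for p in text.split(":"))


ALL_ONES = 0xFFFFFFFF   # default ip-mask (255.255.255.255): a single host


def split_ip_args(args):
    """ip-address [ ip-mask ] [hide]  ->  (net, mask, hide)"""
    hide = bool(args) and args[-1] == "hide"
    addr_args = args[:-1] if hide else args
    if len(addr_args) == 1:
        return ip_int(addr_args[0]), ALL_ONES, hide
    if len(addr_args) == 2:
        return ip_int(addr_args[0]), ip_int(addr_args[1]), hide
    raise ValueError(f"expected ip-address [ip-mask] [hide], got {args!r}")


class Exemptions:
    def __init__(self):
        self.ether = {}            # canonical ether -> hide flag
        self.ip = []               # (net, mask, hide)
        self.ip_when_known = []    # (net, mask, hide)

    def add(self, keyword, args):
        if keyword == "exempt_ether_client":
            self.ether[ether_key(args[0])] = len(args) == 2 and args[1] == "hide"
        elif keyword == "exempt_ip_client":
            self.ip.append(split_ip_args(args))
        elif keyword == "exempt_ip_when_ether_known_client":
            self.ip_when_known.append(split_ip_args(args))
        else:
            raise ValueError(f"not an exemption keyword: {keyword}")

    def check(self, sender_ether, sender_ip, known_ethers):
        """Decide whether an ARP Request is ignored.

        sender_ether / sender_ip are the request's sender hardware and
        protocol addresses. known_ethers is the set of Ethernet addresses
        the bomber knows (assumed here to come from ethers(4)).
        Returns (exempt, log_message); log_message is None when the
        matching entry carries 'hide'."""
        eth = ether_key(sender_ether)
        if eth in self.ether:
            return True, (None if self.ether[eth] else "EXEMPT-ETHER")
        addr = ip_int(sender_ip)
        for net, mask, hide in self.ip:
            if (addr & mask) == (net & mask):
                return True, (None if hide else "EXEMPT-IP")
        if eth in {ether_key(k) for k in known_ethers}:
            for net, mask, hide in self.ip_when_known:
                if (addr & mask) == (net & mask):
                    return True, (None if hide else "EXEMPT-IP-WHEN-ETHER-KNOWN")
        return False, None


def example_exemptions():
    """Exemption entries taken from the example configuration on this page."""
    ex = Exemptions()
    ex.add("exempt_ether_client", ["0:0:1:2:3:4"])
    ex.add("exempt_ether_client", ["0:0:4a:5b:6c:d", "hide"])
    ex.add("exempt_ip_client", ["192.168.16.0", "255.255.248.0", "hide"])
    ex.add("exempt_ip_client", ["192.168.120.6"])
    ex.add("exempt_ip_when_ether_known_client", ["192.168.130.0", "255.255.255.0"])
    return ex
```

With these entries, 192.168.23.255 is exempt (it falls inside 192.168.16.0 with mask 255.255.248.0, i.e. 192.168.16.0 through 192.168.23.255) but 192.168.24.1 is not, and a request for 192.168.130.7 is exempt only when its sender Ethernet address is among the known ones.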
The additional_target statement is optional, and is used to specify the Ethernet address and IP address of an additional device that should receive an ARP Response packet whenever we send one to a thief. Multiple additional_target statements may be used. Specify:
    additional_target ethernet-address ip-address
ARP Response packets are sent to the additional targets you specify only if you also specify the -g command-line option.
Good candidates for additional targets are devices providing crucial network services (e.g. IP routers) which you want to deny to the thief. These additional targets must be attached to the same physical (although not necessarily logical) network as the interface on which the ARP Bomber is running.
ARP Response packets to additional target devices are automatically suppressed if the stolen IP address does not fall into any of the IP network ranges defined with the network statements.
ARP Response packets to additional target devices are automatically suppressed if it appears that the legitimate owner of the stolen IP address is alive at the time of the incident. This is to try to avoid denying service to the legitimate owner of the IP address, which may need to be able to communicate with/through the additional target devices.
ARP Response packets to additional target devices are automatically suppressed if the stolen IP address is any IP multicast (Class D) address.
ARP Response packets to additional target devices are automatically suppressed if the stolen IP address is any of the additional_target IP addresses. (This is on the assumption that if such an ARP Response were received by the legitimate owner of the IP address, it could break IP service on that device; also that if received by the other additional_target devices, it would prevent them from communicating with the legitimate owner, and we assume that it is important these devices are able to communicate with each other.) Note that this means that when you specify additional_target_suppress_add entries, you need not list any IP address that appears as an additional_target; it is already implicitly an additional_target_suppress_add value.
The additional_target_suppress_add statement is optional, and is used to specify an IP address that, if stolen, should cause suppression of ARP Response packets that would otherwise be sent to additional_target devices. Multiple additional_target_suppress_add statements may be used. Specify:
    additional_target_suppress_add ip-address
Since every IP address specified as an additional_target is implicitly a member of the additional_target_suppress_add list, there is no need to list an IP address in both places. See the additional_target section above to learn what other stolen IP addresses also automatically cause suppression of the ARP Response packets that might otherwise be sent to additional_target devices; such addresses need not be specified as additional_target_suppress_add values.
Typically the additional_target_suppress_add values you specify are other key devices (located on the physical network) that you don’t want to hear any of the bogus ARP Response traffic. (E.g. perhaps network infrastructure or monitoring devices which you always want the additional_targets to be able to talk to, even if someone else is stealing their IP addresses.)
Other likely choices would be the various flavors of broadcast addresses (for all the logical IP networks running on this physical network), since otherwise, if someone were to try to steal one of those and we sent an ARP Response packet for this "stolen" broadcast address to all the additional_target devices, it could cause them to lose the ability to broadcast properly to that IP broadcast address. (You need not list 0.0.0.0, as packets with this Sender Protocol Address (after ARP Probe processing) are ignored by the ARP Bomber. You need not list 255.255.255.255; this address is implicitly a member of the additional_target_suppress_add list.)
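The suppression rules for additional targets from the network, additional_target and additional_target_suppress_add descriptions, gathered into one policy check as an added Python example (not arp_bomber's own code). It is built from the example configuration below. Whether the legitimate owner is alive is a runtime observation the bomber makes; here it is simply passed in. 0.0.0.0 never reaches this check because, as noted above, such packets are ignored earlier.

```python
import socket


def ip_int(text):
    """Dotted quad (inet_aton(3) form) to a 32-bit int."""
    return int.from_bytes(socket.inet_aton(text), "big")


CLASS_D_NET, CLASS_D_MASK = ip_int("224.0.0.0"), ip_int("240.0.0.0")


class AdditionalTargetPolicy:
    def __init__(self, networks, additional_targets, suppress_add, g_option):
        # network statements: (ip-address, ip-mask)
        self.networks = [(ip_int(n), ip_int(m)) for n, m in networks]
        # additional_target statements: (ethernet-address, ip-address);
        # every target IP is implicitly on the suppress list as well
        self.target_ips = {ip_int(ip) for _, ip in additional_targets}
        # explicit additional_target_suppress_add values plus the implicit
        # member 255.255.255.255
        self.suppress = {ip_int(a) for a in suppress_add} | {0xFFFFFFFF}
        self.g_option = g_option   # the -g command-line option of arp_bomber(8)

    def suppression_reason(self, stolen_ip, owner_alive):
        """Return None if ARP Responses may also go to the additional
        targets, otherwise the rule that suppresses them."""
        addr = ip_int(stolen_ip)
        if not self.g_option:
            return "-g not given"
        if addr in self.target_ips:
            return "additional_target IP address"
        if addr in self.suppress:
            return "additional_target_suppress_add"
        if (addr & CLASS_D_MASK) == CLASS_D_NET:
            return "multicast (Class D)"
        if not any((addr & m) == (n & m) for n, m in self.networks):
            return "outside all network statements"
        if owner_alive:
            return "legitimate owner alive"
        return None


def example_policy():
    """Policy built from the example configuration on this page."""
    return AdditionalTargetPolicy(
        networks=[("192.168.0.0", "255.255.0.0"), ("10.0.5.0", "255.255.255.0")],
        additional_targets=[("0:0:1:2:3:4", "192.168.1.1"),
                            ("0:0:4a:5b:6c:d", "10.0.5.1"),
                            ("0:c0:8:a:bb:1c", "192.168.7.23")],
        suppress_add=["192.168.87.45", "192.168.0.0", "192.168.255.255",
                      "10.0.5.0", "10.0.5.255"],
        g_option=True,
    )
```

The order of the checks only affects which reason is reported; each rule suppresses on its own. Running the policy over the addresses you expect to see stolen is a cheap way to confirm, before deploying, that no router or monitor you depend on can be cut off by a response aimed at a thief.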
Example configuration file:

    # We run two IP networks on this wire
    network 192.168.0.0 255.255.0.0
    network 10.0.5.0 255.255.255.0

    # foo-gate
    exempt_ether_client 0:0:1:2:3:4

    # bar-gate
    exempt_ether_client 0:0:4a:5b:6c:d hide

    # baz
    # Necessary because baz has multiple physical interfaces and uses the weak-end model,
    # so it may generate packets on this network with IPsrc for a different network.
    exempt_ether_client 8:0:20:55:55:55 hide

    # baz.foobar.net (a device on our network, assigned a DNS name that is not
    # in a DNS domain we control)
    # This is only because the folks who control the foobar.net DNS domain have not put this
    # name in their DNS zone, so the forward lookup fails. We really could exempt
    # the ether addr OR the ipaddr, or both. I'll just do the ether addr here,
    # since it's harder for clients to spoof.
    exempt_ether_client 0:6:6:6:6:6

    # A block of IP addresses assigned dynamically by a DHCP server to different clients each time,
    # and the client's Ethernet addresses may or may not be known
    exempt_ip_client 192.168.16.0 255.255.248.0 hide

    # a host which has no ethernet address in ethers(4) for its DNS hostname
    exempt_ip_client 192.168.120.6

    # A block of IP addresses assigned dynamically by a DHCP server to different clients each time,
    # but the client's Ethernet addresses are all known
    exempt_ip_client_when_ether_known 192.168.130.0 255.255.255.0

    # foo-gate
    additional_target 0:0:1:2:3:4 192.168.1.1

    # bar-gate
    additional_target 0:0:4a:5b:6c:d 10.0.5.1

    # firewall
    additional_target 0:c0:8:a:bb:1c 192.168.7.23

    # network-monitor
    # Even if someone is stealing this IP address, we don't want to prevent
    # the additional_targets from talking to the real network monitor.
    additional_target_suppress_add 192.168.87.45

    # various flavors of broadcast addresses for all logical networks on this physical net
    # (Both the 0's style ones, which are correct given our config, and
    # the 1's style ones, which are not correct, but are still understood when
    # heard.)
    # Even if someone is stealing one of these, we don't want to prevent
    # the additional_targets from talking to these addresses.
    additional_target_suppress_add 192.168.0.0
    additional_target_suppress_add 192.168.255.255
    additional_target_suppress_add 10.0.5.0
    additional_target_suppress_add 10.0.5.255