Antidote is a free and open-source detection and alert program for ARP spoofing (also known as “ARP poisoning routing”) on a switched network. It is designed to help system administrators defend a network against suspicious behaviour, such as attacks perpetrated by hackers.
ARP, short for Address Resolution Protocol, is what lets the network translate IP addresses into MAC (hardware) addresses. Hosts using IP on a LAN (Local Area Network) need each other's MAC addresses in order to communicate. A host first inspects its ARP cache to see whether the desired MAC address is already present. If not, it broadcasts an ARP request to the other hosts, asking which of them holds the IP address it wants to reach. The host with that IP address hears the request and responds with its own MAC address. A conversation can then take place between the two hosts using their IPs. ARP spoofing happens when another host, called the “cracker”, pretends to be the one with the IP address the first host is searching for. The outcome is that the cracker receives all network traffic between the two hosts.
Antidote offers crucial protection through these features:
• Detection of abnormally large numbers of ARP responses (indicative of ARP poisoning)
• Detection of an unusually high number of ARP requests without corresponding replies (suggesting that a machine is confused about the IP addresses on the network, a symptom of ARP poisoning)
• Detection of sudden IP/MAC address changes
• Detection of inconsistencies between ARP packets and the Ethernet frames that encapsulate them (indicative of packet forging)
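The four checks above, applied to a constructed set of ARP packets, as an added example that is not Antidote's own code; the packet layout, the alert wording and the thresholds (`reply_limit`, `unanswered_limit`) are assumptions made for the illustration:

```python
from collections import Counter, defaultdict

# Constructed sample traffic (not captured data and not Antidote's own code). Each tuple
# is one ARP packet: operation, Ethernet source MAC, ARP sender MAC, sender IP, target IP.
SAMPLE = [
    ("request", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.2"),
    ("reply",   "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:02", "10.0.0.2", "10.0.0.1"),
    # The gateway 10.0.0.254 first answers from its own MAC, later from a new one.
    ("reply",   "aa:aa:aa:aa:aa:fe", "aa:aa:aa:aa:aa:fe", "10.0.0.254", "10.0.0.1"),
    # Ethernet source MAC disagrees with the ARP sender MAC: a forged packet.
    ("reply",   "cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:02", "10.0.0.2", "10.0.0.1"),
] + [("reply", "cc:cc:cc:cc:cc:cc", "cc:cc:cc:cc:cc:cc", "10.0.0.254", "10.0.0.1")] * 4 \
  + [("request", "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:03", "10.0.0.3", f"10.0.0.{i}")
     for i in range(20, 26)]

def analyze(packets, reply_limit=3, unanswered_limit=5):
    """Return a sorted list of alert strings, one per detected anomaly."""
    alerts = set()
    ip_to_mac = {}                 # last MAC seen claiming each IP
    replies_by_mac = Counter()     # ARP replies sent per sender MAC
    pending = defaultdict(set)     # requester MAC -> target IPs still awaiting a reply
    for op, eth_src, snd_mac, snd_ip, tgt_ip in packets:
        # Check 4: the ARP sender MAC must agree with the Ethernet frame carrying it.
        if eth_src != snd_mac:
            alerts.add(f"forged: eth src {eth_src} != arp sender {snd_mac}")
        # Check 3: a known IP suddenly answering from a different MAC.
        if snd_ip in ip_to_mac and ip_to_mac[snd_ip] != snd_mac:
            alerts.add(f"ip/mac change: {snd_ip} {ip_to_mac[snd_ip]} -> {snd_mac}")
        ip_to_mac[snd_ip] = snd_mac
        if op == "request":
            pending[snd_mac].add(tgt_ip)
        else:
            replies_by_mac[snd_mac] += 1
            # A reply satisfies every request that was waiting on this sender IP.
            for targets in pending.values():
                targets.discard(snd_ip)
    # Check 1: too many replies from a single MAC (reply flooding).
    for mac, n in replies_by_mac.items():
        if n >= reply_limit:
            alerts.add(f"reply flood: {mac} sent {n} replies")
    # Check 2: too many requests that never received a reply.
    for mac, targets in pending.items():
        if len(targets) >= unanswered_limit:
            alerts.add(f"unanswered requests: {mac} has {len(targets)} open")
    return sorted(alerts)

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

Run on the constructed sample it reports one alert for each of the four categories; a live tool would decode these fields from captured frames and age out the pending table over time.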