Tags: c#, network-programming, spoofing, arp

Can you use ARP-Poisoning (spoofing) to apply simulated external effects?


We are looking at ways of creating a network effects server. By this I mean a central server that will inspect all the packets on the network and apply logic (drop, delay, alter, etc.) based on factors external to the actual network such as weather and line-of-sight.

This is all to do with running simulations of multiple real-world entities: a physical node in the network would represent a 3D moving entity in the 3D virtual world. As I mentioned, the effects would be calculated on line-of-sight, distance, interference, etc between the "virtual-world position" of the nodes.

I am aware of other tools that let you do these kinds of effects (such as OPNET, which we might use as part of the solution), but they typically require you to route the data directly to them for processing. They also don't handle either UDP or TCP.

I need a way to transparently run our server and apply the effects without changing any existing software (and some can't be changed, anyway) for both UDP and TCP.

To that extent, we were thinking of using ARP-poisoning (or spoofing, whichever you prefer to call it), to force all the traffic through one (or potentially multiple for load-balancing) of these servers to perform the packet shaping.

Is this a feasible approach? (don't want to spend weeks developing before realizing that there are too many obstacles or that it is flat-out impossible)

If it is feasible, is RFC 826 (plus 5227 and 5494) the latest document on ARP? Is there a better document out there?

Would this work when some of the network nodes are Virtual Machines (they might be bridged or NAT'ed)?

Are there any libraries that let you do this in C#?

(We are open to the language we use, but probably prefer C# or Qt-based solutions)


Solution

  • Technically you can use ARP poisoning to do this, however I really don't think I would recommend it. I really don't understand why you're trying to do this, but from the sounds of it you're looking to simulate the types of packet loss / corruption that could be caused by RF equipment.

    First off, you mentioned C#, which really isn't the language for doing this; the low-level networking is too far removed. I think C# does provide a raw socket class, but if you try to emulate TCP/IP and UDP and spoof addresses not belonging to your host, it actually drops your packets. There might be a way to stop this, but you would have to research the .NET raw socket.

    You can use WinPcap with a C# wrapper as well. But it's still not a native implementation and may suffer performance penalties. There is a C# wrapper for WinPcap which I have used called SharpPcap, however some parts aren't well implemented and I had to modify it for what I needed. I have done some simple tests of capturing traffic at 300 Mbps, but that hasn't included any protocol analysis or any injection of the packets back onto the network. This can also be used for putting the packets back onto the network, but again in the past this was reputedly low performance. Common perception among my networking peers is that this type of inspection cannot be done without hardware assist into the Gbps speeds.

    I see you noted that you control the router and the lab. I don't know if Cisco has minimum requirements for this feature, but you can point a static route to an interface. So if you hang your intercept server off one port of the router and put routes in for every host to go to your intercept server, it would feasibly receive all the traffic being routed through the router. You do this by defining an interface as your next hop instead of an IP address.

    *Please note Bob McCormick's note that it will only affect hosts on different subnets; however, there is an easy cheat: on each host (if assigned static IP addresses) set the subnet mask to /32 (i.e. 255.255.255.255). This will essentially force the host to send all its frames to be routed by the router, since it is no longer aware of any other users on the same network as itself.

    The last caveat is I have no idea if this will work in a virtual machine. I think it will if you use the one type of network interface in VMware, but I have not tried it, and have no idea about the other virtual machine providers.

    However, if you are doing this level of work, I would suggest that again you look at using Linux for the host you're sending your traffic to, and maybe the tool Bob McCormick recommended. However, in Linux I'm sure there are a great number of tools that can be set up to simulate these sorts of events you're looking for.
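Whichever way the traffic is redirected, the scheme the question describes leaves one visible trace on the wire: an IP address that was answered for by one MAC is suddenly answered for by another. The following is an added example, not code from the question or the answer, that parses ARP frames laid out per RFC 826 and reports exactly that change; it is the check a lab operator would run to confirm the redirection is (and only is) happening where intended. All addresses in the sample frames are constructed, and `build_arp` exists only to construct them.

```python
import struct

# RFC 826 ARP over Ethernet/IPv4: 14-byte Ethernet header, then
# htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
OPER_REQUEST, OPER_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), ".".join(map(str, spa)), tha.hex(":"), ".".join(map(str, tpa))

def detect_conflicts(frames):
    """Learn sender IP -> MAC from every ARP packet seen; report (ip, old_mac, new_mac) whenever an IP's claimed MAC changes."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _oper, sha, spa, _tha, _tpa = parsed
        if spa == "0.0.0.0":  # RFC 5227 probe: the sender has no address yet, so there is nothing to learn
            continue
        prev = seen.setdefault(spa, sha)
        if prev != sha:
            alerts.append((spa, prev, sha))
            seen[spa] = sha  # accept the new binding so each further flip is reported as well
    return alerts

def build_arp(oper, sha, spa, tha, tpa):
    """Constructed-frame builder for the sample below (inverse of parse_arp); not a capture."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = mac(tha) if oper == OPER_REPLY else b"\xff" * 6  # requests are broadcast
    return ETH_HDR.pack(dst, mac(sha), ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed sample: a host asks for the gateway, the real gateway answers,
# then a third station answers for the gateway's IP with its own MAC.
SAMPLE_FRAMES = [
    build_arp(OPER_REQUEST, "02:00:00:00:00:10", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(OPER_REPLY, "02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:10", "10.0.0.10"),
    build_arp(OPER_REPLY, "02:00:00:00:00:99", "10.0.0.1", "02:00:00:00:00:10", "10.0.0.10"),
]
```

On a live segment the same `detect_conflicts` loop can be fed raw frames from a pcap reader; the RFC 5227 probe case is skipped so that hosts doing address conflict detection do not trigger false alerts.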