Let's say on my network there is a hacker who floods my computer with arp messages to associate his MAC address with the IP of the computer I want to reach.
It's like he sends the following message continuously (100 packets per second) to my computer:
192.168.1.2 (my target) has 0:0:0:0:0:1 (hacker's MAC address)
The following does not work; I end up with the two associations in arp -a:
arp -a -d; arp -s 192.168.1.2 0:0:0:0:0:2 (the real MAC address of the target)
Is it possible on macOS to drop the arp packets from the hacker?
Best Answer
You could use a static ARP entry to solve the problem. This is done using "arp -s" as you write in your question. The second association is not a problem as the static entry will take precedence.
Alternatively, you could block the MAC address of the spoofer. For example, you could use the "ifconfig bridge" command to create a bridge over which you tunnel all packets from the evil MAC address. When configuring the bridge, set it to tag the packets.
Then you can use the pf packet filter to examine all the tagged packets and possibly reject them.
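To check the state discussed above (a pinned entry plus a second association for the same IP), the following added example, which is not from the original question or answer, parses `arp -an` output and reports whether the IP is pinned to the expected MAC and whether any other MAC also claims it. The function name `check_pin` and the sample table are constructed for illustration, and it assumes static entries are listed with the word "permanent".

```shell
#!/bin/sh
# Constructed sample of macOS `arp -an` output: the pinned (permanent) entry
# plus a second, dynamically learned entry for the same IP.
SAMPLE_ARP='? (192.168.1.1) at 0:0:0:0:0:9 on en0 ifscope [ethernet]
? (192.168.1.2) at 0:0:0:0:0:2 on en0 permanent [ethernet]
? (192.168.1.2) at 0:0:0:0:0:1 on en0 ifscope [ethernet]'

# check_pin IP EXPECTED_MAC   (hypothetical helper; reads the ARP table on stdin)
# Exit status: 0 = pinned and no other claim, 1 = no matching permanent entry,
#              2 = pinned, but another MAC is also associated with the IP.
check_pin() {
    awk -v ip="$1" -v want="$2" '
        # macOS prints MACs without leading zeros (0:0:0:0:0:2), so pad each
        # octet to two hex digits before comparing.
        function norm(m,    p, n, i, out) {
            n = split(tolower(m), p, ":"); out = ""
            for (i = 1; i <= n; i++)
                out = out (i > 1 ? ":" : "") substr("00" p[i], length(p[i]) + 1)
            return out
        }
        $4 == "(incomplete)" { next }          # unresolved entry, no MAC to compare
        $2 == ("(" ip ")") {
            mac  = norm($4)
            perm = ($0 ~ / permanent( |$)/)    # marker assumed for static entries
            if (mac == norm(want) && perm)
                pinned = 1
            else if (mac != norm(want)) {
                print "CONFLICT " ip " claimed by " mac
                bad = 1
            }
        }
        END {
            if (!pinned) { print "NOT-PINNED " ip; exit 1 }
            if (bad) exit 2
            print "OK " ip " pinned to " norm(want)
        }'
}

# Demo on the constructed sample; on a live system use:
#   arp -an | check_pin 192.168.1.2 0:0:0:0:0:2
printf '%s\n' "$SAMPLE_ARP" | check_pin 192.168.1.2 0:0:0:0:0:2 || true
```

Run periodically, a CONFLICT line gives the MAC address that is competing for the pinned IP, which is the address a filter rule would need to match.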