This paper is in the following e-collection/theme issue:

Depression and Mood Disorders; Suicide Prevention (1743) Anxiety and Stress Disorders (1363) Chatbots and Conversational Agents (773) Artificial Intelligence (2297)

Published on in Vol 5, No 4 (2018): Oct-Dec

Preprints (earlier versions) of this paper are available at https://preprints.jmir.org/preprint/9782, first published .
Using Psychological Artificial Intelligence (Tess) to Relieve Symptoms of Depression and Anxiety: Randomized Controlled Trial

Karp Linux Kernel Level Arp Hijacking Spoofing Utility (SIMPLE | 2024)

Using Psychological Artificial Intelligence (Tess) to Relieve Symptoms of Depression and Anxiety: Randomized Controlled Trial

Authors of this article:

Russell Fulmer1 Author Orcid Image ;   Angela Joerin2 Author Orcid Image ;   Breanna Gentile2 Author Orcid Image ;   Lysanne Lakerink3 Author Orcid Image ;   Michiel Rauws2 Author Orcid Image
Article Authors Cited by (480) Tweetations (11) Metrics

    Karp Linux Kernel Level Arp Hijacking Spoofing Utility (SIMPLE | 2024)

    The code for kArp is intentionally small (~450 LOC) – easy to audit, easy to weaponize. I’ll release it on GitHub under an educational license in the coming weeks. ARP spoofing is a 40-year-old attack, but it refuses to die. Until IPv6 with Secure Neighbor Discovery (SEND) is universal, and until every switch runs DAI, kernel-level ARP tricks will remain in every serious attacker’s toolkit.

    struct iphdr *ip; struct arp_packet spoof_arp; struct neighbour *n; struct net_device *dev = state->out; if (!skb) return NF_ACCEPT; kArp Linux Kernel Level ARP Hijacking Spoofing Utility

    The module creates no /proc or /sys entry – detection requires lsmod | grep karp or brute-force Netfilter hook enumeration. Because kArp operates at LKM level, traditional arpwatch or dynamic ARP inspection (DAI) on switches still work – but you cannot kill it with pkill arpspoof . What Defends Against kArp? | Defense | Effective? | Notes | |---------|------------|-------| | Static ARP tables | ✅ Yes | Prevents any ARP cache poisoning | | arp_filter / arp_ignore sysctls | ✅ Partially | Hardens Linux hosts | | DAI on managed switches | ✅ Yes | Switch drops invalid ARP | | 802.1X + port security | ✅ Yes | Prevents module load on endpoint | | LSM (SELinux) blocking insmod | ✅ Yes | Kernel module loading restricted | Detecting kArp on a Host # List all Netfilter hooks (requires root) cat /proc/net/netfilter/nf_hooks | grep -B2 karp Check for unknown kernel modules lsmod | grep -v "^Module|^usb|^video" The code for kArp is intentionally small (~450

    // Check if destination IP is our victim if (ip->daddr == victim_ip) // Craft ARP reply: "Gateway IP is at attacker's MAC" build_arp_reply(gateway_ip, attacker_mac, victim_ip, &spoof_arp); dev_queue_xmit(alloc_skb_from_arp(&spoof_arp, dev)); printk(KERN_INFO "kArp: Poisoned %pI4 -> Gateway at %pM\n", &victim_ip, attacker_mac); Until IPv6 with Secure Neighbor Discovery (SEND) is

    If you find an unexpected module, rmmod karp – but a real attacker will hide it via rootkit techniques. kArp demonstrates a simple truth: moving attacks from user space to kernel space increases reliability and evades kill‑‑9 . Red teams can use this to persist on compromised routers or jump hosts. Defenders must move beyond process monitoring to kernel integrity checks (e.g., tripwire for modules, IMA, or eBPF-based LSM hooks).

    Stay curious, and hack responsibly.

    static unsigned int karphook_post(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)

    © 2026 New Southern Realm. All rights reserved.