Re: Redir games with ARP and ICMP
Neil J Long (neil.long MATERIALS.OXFORD.AC.UK) Wed, 24 Sep 1997 09:12:28 +0100
On Sep 23, 6:36pm, Olaf Seibert wrote:
> Subject: Re: Redir games with ARP and ICMP
> John Goerzen wrote:
> > Having anticipated such a problem already (in our environment, there are
> > many lab machines which have NFS access to user disks on a server. These
> > machines may even be turned OFF which makes it easy for a spoofer to get
> > in.), I wrote a short Perl script designed to be run from the system
> > startup file. Basically, it "primes" the ARP cache on Linux with the
> > IP and MAC addresses of known machines, setting a flag so that they are
> > never removed from the cache and can never be changed.
> >
> > The config file format is simple -- IP address followed by MAC address,
> > separated by whitespace. Pound at the beginning of a line indicates
> > comment.
> >
> > This has only been tested on Linux -- people on other platforms may need
> > to adjust the parameters to arp in the system call.
>
> Some systems (notably BSD variants) have the arp -f option:
>
> -f Causes the file filename to be read and multiple entries to be
> set in the ARP tables. Entries in the file should be of the form
>
> hostname ether_addr [temp] [pub]
>
> with argument meanings as given above.
>
> -Olaf.
> --
> ___ Olaf 'Rhialto' Seibert D787B44DFC896063 4CBB95A5BD1DAA96
> \X/ It's not easy having a good time rhialtopolder.ubc.kun.nl
>-- End of excerpt from Olaf Seibert

Please note Yuri's original posting - unless you use the '-arp' option with ifconfig these "permanent" settings will get replaced! Also even with -arp any host that has not had the etheraddress set using arp -f or arp -s will be added to the arp cache.

This is what I found with IRIX 6.2, HP-UX or FreeBSD and I would be surprised if any other OS was very different - the "permanent" flag stays set but the etheraddress will change unless -arp has been used. Easy to test by setting a nonsense ether for a host with arp -s and then send a ping comparing the arp cache before and after.

Nothing appears in logfiles unless you have something monitoring arps such as arpwatch.

Neil
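The before/after comparison suggested above can be automated. The following is an added example, not part of the original posts: it checks ARP cache snapshots against a pinned-host file in the format described in the quoted message and reports pinned entries whose address changed as well as hosts that were never pinned. The addresses, the snapshots and the `? (ip) at mac` line shape are constructed assumptions.

```python
import re

# Constructed pinned-host file in the format from the quoted post:
# IP address, whitespace, MAC address; '#' starts a comment line.
PINNED = """\
# lab machines with NFS access
192.0.2.10   08:00:20:0a:0b:0c
192.0.2.11   00:a0:c9:01:02:03
"""
# Constructed `arp -an` style snapshots (BSD style drops leading zeros).
BEFORE = """\
? (192.0.2.10) at 8:0:20:a:b:c permanent
? (192.0.2.11) at 0:a0:c9:1:2:3 permanent
"""
AFTER = """\
? (192.0.2.10) at 8:0:20:a:b:c permanent
? (192.0.2.11) at de:ad:be:ef:0:1 permanent
? (192.0.2.99) at 0:10:4b:aa:bb:cc
"""
ENTRY = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at "
                   r"((?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})")

def norm_mac(mac):
    """Canonical form (zero-padded, lowercase) so 8:0:20 equals 08:00:20."""
    return ":".join(p.zfill(2) for p in mac.lower().split(":"))

def parse_pinned(text):
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ip, mac = line.split()[:2]
            table[ip] = norm_mac(mac)
    return table

def parse_arp(text):
    # Incomplete entries carry no MAC and are skipped by the pattern.
    return {ip: norm_mac(mac) for ip, mac in ENTRY.findall(text)}

def audit(pinned, cache):
    """Return (changed, unpinned) for one ARP cache snapshot."""
    changed = {ip: (mac, cache[ip]) for ip, mac in pinned.items()
               if ip in cache and cache[ip] != mac}
    unpinned = sorted(ip for ip in cache if ip not in pinned)
    return changed, unpinned

if __name__ == "__main__":
    pinned = parse_pinned(PINNED)
    for name, snap in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(pinned, parse_arp(snap)))
```

The "permanent" flag is deliberately ignored in the comparison, since the message reports that the flag stays set even when the address has been replaced.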