OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Buggy ARP handling in Windoze
From: Paul Starzetz (paulSTARZETZ.DE)
Date: Thu Jun 29 2000 - 15:40:49 CDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jurjen Oskam wrote:

  I think this is a 'feature' - at least I read here in a preparation
  guide for the Microsoft TCP/IP exam that "a static entry in the ARP
  cache changes if an ARP broadcast that indicates a different
hardware
  address is received. In this case, the type of the entry changes to
  dynamic, and the newly received hardware address replaces the
current
  one."

Yes, the received hw address replaces the configured one, but this do
not change the fact, that indeed the changed ARP entry wouldn't time
out at all. I unplugged
the ethernet cable and sent my Win98 a single spoofed ARP packet with
'random' MAC for the gateway which I previously configured to be
'static'. So after the
packet arrives, arp -a still says the ARP line (with the random MAC)
is 'static' and nothing changes, I did wait about 12 minutes...
enough for a timeout I think.

In a bigger subnet with many workstations and many broadcasts Win
will gather the correct hw address fastly...yes. But even then the
ARP line wouldn't change to
'dynamic' :-)

Paul.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOVul/eoda9SJo5HXEQKFzQCg9AHXh/Q4hydFlmJIH9DKDTCvNO4AoIRp
Cff/nv1ezNxG3UVH519CJJ/W
=qYUn
-----END PGP SIGNATURE-----