
Re: ARP issue



On Mon, Nov 29, 2004 at 03:29:42PM +0100, Jörg Harmuth wrote:
> I sent a crafted ARP reply to a Linux box with the meaning
> "Hey, localhost is at <some_spoofed_mac_address>". Looking in the ARP
> cache on this box, I saw that this spoofed MAC address was accepted as
> the box's new MAC address for localhost on eth1. This means to me:

This is a bit vague -- what did you actually type in and what did you
actually get?  Use the script(1) command if necessary.

Anyway, 127.0.0.0/8 (i.e. the local loopback) is routed locally by
default, i.e. the packets will never get as far as checking eth0's ARP
table.  Let's see it in action:

| % ip route list table local | grep ^local
local 10.0.0.12 dev ind1  proto kernel  scope host  src 10.0.0.12 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Here, the IPs 127.0.0.0, 127.0.0.1, ..., 127.255.255.255, and 10.0.0.12
will be routed locally (you can see this in action when you attach
another machine and ping <your eth0 IP address> (10.0.0.12 here) while
running tcpdump on the other machine).  As you would see, the packets
will never touch the wire.  This gets interesting when you assign the IP
address of the other machine of a point-to-point interface, and you just
can't resolve why the h*** the other machine isn't seeing anything...
8-)

> 1.) There are no checks about ARP packets.
> 2.) Nobody keeps track of the balance between ARP requests and replies
>      (why accept a reply without having sent a request before?).

Unsolicited update of your neighbors' ARP cache.  Good whenever you
might want to change MACs quickly (failover comes to mind).

> 3.) All the usual arp attacks are possible.

The ARP protocol is *inherently* insecure, and rightly so.  If you want
to harden your network, use static ARP tables on the switches.  The
authenticity is really a business of the presentation layer in the OSI
model, which in the TCP/IP protocol suite is provided by IPSec.  You can
use SSL and SSH if you want something right here right now without the
need to RTFM too much.

> Ok, this is an old box with kernel 2.4.19 (and isn't used for production).

As ARP is handled by the kernel, this might as well be the answer to
your questions...

HTH,
-- 
 )^o-o^|     Jan Minář
 | .v  K     e-mail : <jjminar@fastmail.fm>
 `  - .'     jabber : <rdancer@njs.netlab.cz>
  \ __/      phone  : +44(0)7981738696
 __|o|__     icq    : 345355493
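A defender-side illustration of the two points raised above (a reply that binds a loopback address to a MAC, and replies arriving with no matching request), added here and not part of the thread: a small passive ARP monitor in Python that parses raw Ethernet II/ARP frames, learns IP-to-MAC bindings, and reports a reply for 127.0.0.0/8, a reply nobody asked for, or a binding that changes. The frames are constructed test input (built by `build_arp`), not captured traffic, and the checks are this monitor's own heuristics, not anything the kernel does.

```python
import struct
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

def _mac(s):  # "aa:bb:..." -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):  # constructed test frame, never put on the wire
    dst = b"\xff" * 6 if op == 1 else _mac(tha)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6/4-byte addrs
    body += _mac(sha) + ip_address(spa).packed + _mac(tha) + ip_address(tpa).packed
    return dst + _mac(sha) + b"\x08\x06" + body

def parse_arp(frame):  # Ethernet II + IPv4 ARP -> dict of fields, else None
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28].hex(":"), "spa": str(ip_address(frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": str(ip_address(frame[38:42]))}

class ArpMonitor:
    """Passive watcher: learns IP->MAC bindings and flags the cases the thread discusses."""
    def __init__(self):
        self.table = {}       # ip -> mac as last seen on the wire
        self.pending = set()  # ips a request was seen for and not yet answered

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (1, 2):
            return []
        spa, sha = arp["spa"], arp["sha"]
        if arp["op"] == 1:                   # request: remember which IP was asked for
            self.pending.add(arp["tpa"])
            return []
        alerts = []
        if ip_address(spa) in LOOPBACK:      # 127/8 is routed locally; no MAC belongs to it
            alerts.append(f"reply binds loopback {spa} to {sha}")
        if spa not in self.pending:          # reply nobody asked for (gratuitous or spoofed)
            alerts.append(f"unsolicited reply for {spa} from {sha}")
        self.pending.discard(spa)
        old = self.table.get(spa)
        if old is not None and old != sha:   # binding flipped: possible poisoning or failover
            alerts.append(f"{spa} moved from {old} to {sha}")
        self.table[spa] = sha
        return alerts
```

On a real segment the unsolicited-reply check also fires on legitimate gratuitous ARP (the failover case mentioned above), so treat it as a signal to correlate with a binding change rather than an alert on its own.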
