[168229] in North American Network Operators' Group

Re: Proxy ARP detection

daemon@ATHENA.MIT.EDU (Niels Bakker)
Wed Jan 15 19:03:43 2014

Date: Thu, 16 Jan 2014 01:03:31 +0100
From: Niels Bakker <niels=nanog@bakker.net>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <4C209FFB-6573-4282-9142-561E79BF1FA9@bloomcounty.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

* clay@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>This is where theory diverges nicely from practice. In some cases 
>the offender broadcast his reply, and guess what else? A lot of 
>routers listen to unsolicited ARP replies.

I've never seen this.  Please name vendor and product, if only so 
other subscribers to this list can avoid doing business with them.


>So no, even though I consider it someone else’s bad behavior to 
>broadcast an ARP reply, I’m not willing to take the chance with an 
>IP that doesn’t belong to me.

So do an ARP request for www.equinix.com, or (and!) for an unused 
address on your Peering LAN.  Standard tools like arpwatch should 
alert you to fishy things going on, loudly.


	-- Niels.

-- 
"It's amazing what people will do to get their name on the internet, 
  which is odd, because all you really need is a Blogspot account."
			-- roy edroso, alicublog.blogspot.com
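
The check suggested in the message above, as an added example that is not part of the original post or written by either poster: after sending ARP requests for an unused address on the LAN and for an off-LAN address, any ARP reply whose sender IP is one of those addresses points at a proxy-ARP responder. The function names, the 192.0.2.0/24 LAN, the addresses and the MACs are assumptions, and the frames are constructed samples rather than a real capture.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6

def parse_arp_reply(frame):
    """Return (dst_mac, sender_mac, sender_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42:
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
        return None
    return dst, sha, ipaddress.IPv4Address(spa)

def find_proxy_arp(frames, lan, unused):
    """Flag ARP replies for addresses no host on the LAN should answer for."""
    lan = ipaddress.ip_network(lan)
    unused = {ipaddress.IPv4Address(a) for a in unused}
    findings = []
    for dst, sha, spa in filter(None, map(parse_arp_reply, frames)):
        if spa in unused:
            reason = "unused LAN address"
        elif spa not in lan:
            reason = "off-LAN address"
        else:
            continue  # ordinary reply from the address owner
        findings.append({"mac": sha.hex(":"), "ip": str(spa), "reason": reason,
                         "broadcast_reply": dst == BROADCAST})
    return findings

def make_frame(dst, src, oper, spa, tpa):
    """Build a constructed Ethernet+ARP frame (target MAC left zeroed)."""
    spa, tpa = (ipaddress.IPv4Address(a).packed for a in (spa, tpa))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, src, spa, b"\0" * 6, tpa)
    return struct.pack("!6s6sH", dst, src, 0x0806) + arp

# Constructed sample: probing host .10, honest peer .20, proxy-ARP device with MAC ending :66
PROBE, PEER, ROUTER = (bytes.fromhex(m) for m in ("020000000010", "020000000020", "020000000066"))
SAMPLE = [
    make_frame(BROADCAST, PROBE, 1, "192.0.2.10", "192.0.2.250"),     # our request
    make_frame(PROBE, ROUTER, 2, "192.0.2.250", "192.0.2.10"),        # reply for unused address
    make_frame(BROADCAST, ROUTER, 2, "198.51.100.10", "192.0.2.10"),  # broadcast reply, off-LAN
    make_frame(PROBE, PEER, 2, "192.0.2.20", "192.0.2.10"),           # legitimate reply
]
if __name__ == "__main__":
    print(*find_proxy_arp(SAMPLE, "192.0.2.0/24", ["192.0.2.250"]), sep="\n")
```

The `broadcast_reply` field marks replies sent to the Ethernet broadcast address, the behaviour described in the quoted text.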

