[25216] in bugtraq
arp problem
daemon@ATHENA.MIT.EDU (Bartłomiej Konarski)
Tue Apr 23 00:33:59 2002
Date: Sun, 21 Apr 2002 14:45:15 +0200
From: "Bartłomiej" Konarski <bartek@pjwstk.edu.pl>
To: bugtraq@securityfocus.com
Message-Id: <20020421144515.31d4900a.bartek@pjwstk.edu.pl>
Hi,
I have a small problem.
Situation:
We have a Linux box running kernel 2.4 with 2 NICs.
Let's assume that
eth0 IP 10.1.1.1/8 MAC 11:11:11:11:11:11,
eth1 IP 192.168.0.1/24 MAC 22:22:22:22:22:22
We can even safely set the eth1 interface down, remove the patch cord from
this interface, or it can be a dummy0 interface.
On the second machine from network 10.0.0.0 (in our case 10.2.2.2) we try:
# arping 192.168.0.1
and we got the reply:
Unicast reply from 192.168.0.1 [11:11:11:11:11:11] 0.765ms
Looks strange - there is no proxy-arp turned on on any of the interfaces.
What can we do with this knowledge? For example we can try to find
suspected masquerade machines in our network.
It is also very easy to scan for private networks behind the suspected
machines.
We tried this under Linux kernel 2.4.
This technique didn't work with a multihomed MS-Windows machine.
It didn't work on a Cisco 2500 series either.
The questions are:
How to turn this off?
Is it only a feature of the kernel series 2.4?
--
Bartek Konarski
GPG/PGP Key: http://www.bss.pjwstk.edu.pl/bartek.asc
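Added example, not part of the original post: on Linux kernels that expose the arp_ignore sysctl (which the 2.4 kernel in the post may not), a box answers ARP on one interface for an address configured on another when the effective arp_ignore of the receiving interface is 0. The script below lists such interfaces; the function name weak_arp_ifaces and its optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report interfaces that will answer ARP requests for local
# addresses configured on *other* interfaces (the behaviour in the post:
# eth0 answering for eth1's 192.168.0.1 with eth0's MAC).
# Assumption: the kernel exposes net.ipv4.conf.*.arp_ignore.
#
# arp_ignore = 0  reply for any local target IP, on any interface (default)
# arp_ignore = 1  reply only if the target IP is configured on the
#                 interface that received the request
#
# Usage: weak_arp_ifaces [CONF_DIR]
#   CONF_DIR defaults to /proc/sys/net/ipv4/conf; another directory can be
#   given to audit a copied or constructed tree.
weak_arp_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}

    # The kernel uses max(conf/all, conf/<iface>) for requests received
    # on <iface>, so the "all" value has to be read first.
    all_val=0
    if [ -r "$conf_dir/all/arp_ignore" ]; then
        all_val=$(cat "$conf_dir/all/arp_ignore")
    fi

    for d in "$conf_dir"/*/; do
        [ -d "$d" ] || continue
        ifname=$(basename "$d")
        case $ifname in
            all|default) continue ;;   # templates, not real interfaces
        esac
        [ -r "$d/arp_ignore" ] || continue
        if_val=$(cat "$d/arp_ignore")

        eff=$all_val
        if [ "$if_val" -gt "$eff" ]; then
            eff=$if_val
        fi
        if [ "$eff" -eq 0 ]; then
            echo "$ifname"
        fi
    done
    return 0
}

# Print the affected interfaces on the running system.
# To restrict replies to the receiving interface's own addresses:
#   sysctl -w net.ipv4.conf.all.arp_ignore=1
weak_arp_ifaces "$@"
```

Every interface printed will reply to an arping for any address the host owns, which is what makes the hidden 192.168.0.1 visible from the 10.0.0.0 side in the post.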