[5301] in bugtraq


Re: Redir games with ARP and ICMP

daemon@ATHENA.MIT.EDU (John Goerzen)
Mon Sep 22 12:04:19 1997

Date: 	Mon, 22 Sep 1997 09:32:44 -0500
Reply-To: John Goerzen <jgoerzen@SOUTHWIND.NET>
From: John Goerzen <jgoerzen@SOUTHWIND.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.A41.3.95.970919050829.19988A-100000@t1.chem.umn.edu>

Having anticipated such a problem already (in our environment, there are
many lab machines which have NFS access to user disks on a server.  These
machines may even be turned OFF which makes it easy for a spoofer to get
in.), I wrote a short Perl script designed to be run from the system
startup file.  Basically, it "primes" the ARP cache on Linux with the
IP and MAC addresses of known machines, setting a flag so that they are
never removed from the cache and can never be changed.

The config file format is simple -- IP address followed by MAC address,
separated by whitespace.  Pound at the beginning of a line indicates
comment.

This has only been tested on Linux -- people on other platforms may need
to adjust the parameters to arp in the system call.

It is a quick 'n' dirty program, but works -- maybe it will be useful to
somebody out there, too.

Note: you want to make sure that it is run after your network interface is
brought up but before any servers or clients are started; otherwise,
somebody may be able to sneak in a connection before the ARP tables are
"locked".

Here's the script:

#!/usr/bin/perl
# by John Goerzen <jgoerzen@cs.twsu.edu>
# Program: forcehwaddr
# Program to run ARP to force certain tables.

# Specify filenames to read from on command line, or read from stdin.
# Input format: IP address followed by MAC address, separated by whitespace.
# A pound sign at the beginning of a line indicates a comment.

use strict;
use warnings;

while (my $line = <>) {           # For each input line....
  chomp $line;                    # Strip the trailing newline
  next if $line =~ /^\s*#/;       # If it's a comment, skip it.
  next if $line =~ /^\s*$/;       # Skip blank lines too.

  # The regex parses the input line as follows:
  # Ignore leading whitespace.  (\s*)
  # Then, start matching and put it into $host ((\S+))
  # Skip over the whitespace after that (\s+)
  # Match the hardware address into $hw ((\S+)), then allow optional
  # trailing whitespace (which also swallows a stray CR) up to end of line.
  # If the line does not yield both a host and a hardware address,
  # skip it (assuming it is invalid or something).
  my ($host, $hw) = $line =~ /^\s*(\S+)\s+(\S+)\s*$/;
  unless (defined $host && defined $hw) {
    warn "Skipping unparseable line: $line\n";
    next;
  }

  # Otherwise, run the appropriate command.  The list form of system()
  # passes $host and $hw as separate arguments rather than through a shell,
  # so odd characters in the config file cannot alter the command.
  printf("Setting IP %-15s to hardware address %s\n", $host, $hw);
  system("/usr/sbin/arp", "-s", $host, $hw) == 0
    or warn "arp -s $host $hw failed with exit status ", $? >> 8, "\n";
}


--
John Goerzen
Southwind Internet Access, Inc. Technical Support
Business e-mail: jgoerzen@southwind.net

Personal e-mail: jgoerzen@complete.org
Wichita State University e-mail: jgoerzen@cs.twsu.edu
Developer, Debian GNU/Linux    <http://www.debian.org>
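The priming described above only protects the lab machines if every configured entry really ends up flagged permanent before services start. As an added check (not part of John Goerzen's post or script), this Python audit reads the same "IP MAC" config format and compares it with the kernel ARP table as exposed in /proc/net/arp, reporting pinned hosts that are missing, not flagged permanent, or whose cached MAC differs from the configured one; the config and table below are constructed samples.

```python
import re

# Flags column of /proc/net/arp uses the ATF_* bits from <net/if_arp.h>;
# `arp -s` entries show 0x6 = ATF_COM (0x2, complete) | ATF_PERM (0x4).
ATF_PERM = 0x04

def parse_config(text):
    """Post's format: 'IP MAC' per line, leading '#' is a comment -> {ip: mac}."""
    pinned = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\S+)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            pinned[m.group(1)] = m.group(2).lower()
    return pinned

def parse_proc_arp(text):
    """/proc/net/arp text (first line is a header) -> {ip: (flags, mac)}."""
    table = {}
    for fields in (l.split() for l in text.splitlines()[1:]):
        if len(fields) >= 4:
            table[fields[0]] = (int(fields[2], 16), fields[3].lower())
    return table

def audit(config_text, proc_arp_text):
    """Sorted (ip, problem) pairs for pinned hosts whose cache entry is wrong."""
    table = parse_proc_arp(proc_arp_text)
    findings = []
    for ip, want_mac in sorted(parse_config(config_text).items()):
        if ip not in table:
            findings.append((ip, "missing"))        # priming never ran for it
            continue
        flags, have_mac = table[ip]
        if have_mac != want_mac:
            findings.append((ip, "mac-mismatch"))   # cache disagrees with config
        elif not flags & ATF_PERM:
            findings.append((ip, "not-permanent"))  # still replaceable by ARP replies
    return findings

# Constructed sample input; on a live host use open("/proc/net/arp").read().
SAMPLE_CONFIG = """# lab machines (constructed sample)
10.0.0.11  00:00:c0:11:11:11
10.0.0.12  00:00:c0:12:12:12
10.0.0.13  00:00:c0:13:13:13
10.0.0.14  00:00:c0:14:14:14
"""
SAMPLE_PROC_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.0.0.11        0x1         0x6         00:00:c0:11:11:11     *        eth0
10.0.0.12        0x1         0x2         00:00:c0:12:12:12     *        eth0
10.0.0.13        0x1         0x6         00:00:C0:DE:AD:13     *        eth0
"""
```

Run it from the same startup sequence after forcehwaddr has finished; an empty result means every pinned host is present, correct and permanent.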
