[5305] in bugtraq


Re: Redir games with ARP and ICMP

daemon@ATHENA.MIT.EDU (Neil J Long)
Wed Sep 24 13:43:56 1997

Date: 	Wed, 24 Sep 1997 09:12:28 +0100
Reply-To: Neil J Long <neil.long@MATERIALS.OXFORD.AC.UK>
From: Neil J Long <neil.long@MATERIALS.OXFORD.AC.UK>
X-To:         Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>        "Re: Redir games
              with ARP and ICMP" (Sep 23,  6:36pm)

On Sep 23,  6:36pm, Olaf Seibert wrote:
> Subject: Re: Redir games with ARP and ICMP
> John Goerzen wrote:
> > Having anticipated such a problem already (in our environment, there are
> > many lab machines which have NFS access to user disks on a server.  These
> > machines may even be turned OFF which makes it easy for a spoofer to get
> > in.), I wrote a short Perl script designed to be run from the system
> > startup file.  Basically, it "primes" the ARP cache on Linux with the
> > IP and MAC addresses of known machines, setting a flag so that they are
> > never removed from the cache and can never be changed.
> >
> > The config file format is simple -- IP address followed by MAC address,
> > separated by whitespace.  Pound at the beginning of a line indicates
> > comment.
>
> > This has only been tested on Linux -- people on other platforms may need
> > to adjust the parameters to arp in the system call.
>
> Some systems (notably BSD variants) have the arp -f option:
>
>      -f      Causes the file filename to be read and multiple entries to be
>              set in the ARP tables.  Entries in the file should be of the
>              form
>
>                    hostname ether_addr [temp] [pub]
>
>              with argument meanings as given above.
>
> -Olaf.
> --
> ___ Olaf 'Rhialto' Seibert      D787B44DFC896063 4CBB95A5BD1DAA96
> \X/ It's not easy having a good time    rhialto@polder.ubc.kun.nl
>-- End of excerpt from Olaf Seibert

Please note Yuri's original posting - unless you use the '-arp' option with
ifconfig these "permanent" settings will get replaced! Also even with -arp any
host that has not had the etheraddress set using arp -f or arp -s will be added
to the arp cache.

This is what I found with IRIX 6.2, HP-UX or FreeBSD and I would be surprised
if any other OS was very different - the "permanent" flag stays set but the
etheraddress will change unless -arp has been used.

Easy to test by setting a nonsense ether for a host with arp -s and then sending
a ping, comparing the arp cache before and after. Nothing appears in logfiles
unless you have something monitoring arps such as arpwatch.



Neil
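
Added example, not part of the original message or of any poster's script: a small checker for the before/after comparison described above. It reads the "IP MAC" file format from the quoted post and audits saved ARP cache snapshots against it. The snapshot layout (BSD-style arp -an lines with a trailing "permanent" word) and all addresses are constructed assumptions.

```python
import re

# Constructed sample data; every address and snapshot line is illustrative.
KNOWN = """\
# IP address, then MAC address, separated by whitespace
192.0.2.10   08:00:69:02:1A:2B
192.0.2.11   00:a0:24:11:22:33
"""
BEFORE = """\
? (192.0.2.10) at 8:0:69:2:1a:2b permanent
? (192.0.2.11) at 0:a0:24:11:22:33 permanent
"""
AFTER = """\
? (192.0.2.10) at 8:0:69:2:1a:2b permanent
? (192.0.2.11) at 0:60:8:aa:bb:cc permanent
? (192.0.2.99) at 0:10:4b:de:ad:1
? (192.0.2.12) at (incomplete)
"""

ARP_LINE = re.compile(r"\((\d+(?:\.\d+){3})\) at ([0-9A-Fa-f:]+)(.*)")

def norm_mac(mac):  # BSD-style arp prints 8:0:69 for 08:00:69, so zero-pad
    parts = mac.split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(p.zfill(2).lower() for p in parts)

def parse_known(text):
    """Read the 'IP MAC' file; blank lines and lines starting with # are skipped."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return {r[0]: norm_mac(r[1]) for r in rows}

def parse_arp(text):
    """Map IP -> (MAC, permanent flag shown); incomplete entries do not match."""
    hits = filter(None, map(ARP_LINE.search, text.splitlines()))
    return {m[1]: (norm_mac(m[2]), "perm" in m[3].lower()) for m in hits}

def audit(known, cache):
    """List (ip, finding, expected MAC, seen MAC, still flagged permanent)."""
    out = []
    for ip, (mac, perm) in sorted(cache.items()):
        if ip not in known:
            out.append((ip, "unlisted", None, mac, perm))
        elif known[ip] != mac:
            out.append((ip, "changed", known[ip], mac, perm))
    return out

if __name__ == "__main__":
    print([audit(parse_known(KNOWN), parse_arp(s)) for s in (BEFORE, AFTER)])
```

A "changed" finding with the permanent flag still set is the case described in the message above; "unlisted" marks a host that entered the cache without being set from the file.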
