[2811] in bugtraq
Re: RARP attack?
daemon@ATHENA.MIT.EDU (Adam Morrison)
Tue Jun 25 09:08:39 1996
Date: Tue, 25 Jun 1996 15:01:37 +0300
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Adam Morrison <adam@math.tau.ac.il>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199606242247.QAA05060@slack.xmission.com> from "Pete Ashdown" at
Jun 24, 96 04:47:48 pm
> It looks as if someone broke into one of these other machines, then started
> sending out bogus RARP packets. I had been experiencing a weird packet loss
> that I couldn't track down for the past few weeks, but today and yesterday
> several of our Suns were not reachable at all from the provider's Cisco.
Have you captured one of those packets?
> After a bit of noodling around, I cleared the ARP cache on their Cisco and
> things came back fine. Replacing the cached entries for the boxes on our
> network with statics solidified the situation.
>
> The only question I have for the list is why someone would do this? They hit
> some of our Suns, but not all of them, and none of our routers or terminal
> servers were affected. I believe it wasn't a spoofing attack since the MAC
> addresses were bogus and didn't resolve to anything. All I can think is that
> someone just wanted to bring us down, and nothing else.
Though ethernet-level spoofing isn't impossible, you're probably right.
But there is a problem with ARP.
You could redirect traffic between two hosts by stomping over an
existing ARP cache entry. Just send an ARP request from your host,
with the sender IP address being that of the entry you want to override,
and the target host will start sending IP packets destined to that
host to your MAC address.
adam?
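The override Adam describes, and the cache entries Pete ended up pinning with statics, are both visible from the wire: a sender IP that suddenly claims a new MAC. The following is an added example, not code from this thread, that parses Ethernet/IPv4 ARP frames and flags such changes the way an arpwatch-style monitor would; the frames, addresses and the `ArpWatcher` name are constructed for illustration.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an Ethernet/IPv4 ARP frame,
    or None for anything that is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

class ArpWatcher:
    """Remember the MAC each sender IP last claimed and report when it changes.
    Receivers update their cache from requests as well as replies, which is why
    a request carrying a forged sender IP is enough to override an entry."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (ARP_REQUEST, ARP_REPLY):
            return None
        opcode, mac, ip = parsed
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is not None and previous != mac:
            return f"{ip}: MAC changed from {previous} to {mac} (opcode {opcode})"
        return None

# Constructed sample traffic, not captured data: a genuine request from 10.0.0.5
# (00:11:22:33:44:55), a request claiming 10.0.0.5 from another MAC, and an
# IPv4 frame the watcher must ignore.
FRAMES = [
    bytes.fromhex("ffffffffffff" "001122334455" "0806" "0001" "0800" "0604"
                  "0001" "001122334455" "0a000005" "000000000000" "0a000001"),
    bytes.fromhex("ffffffffffff" "deadbeef0001" "0806" "0001" "0800" "0604"
                  "0001" "deadbeef0001" "0a000005" "000000000000" "0a000001"),
    bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(28),
]

def run(frames: List[bytes]) -> List[str]:
    watcher = ArpWatcher()
    return [alert for alert in map(watcher.observe, frames) if alert]
```

A real deployment would feed `observe` from a raw socket or pcap reader on the segment in question; the first frame seeds the table, so a poisoned entry that precedes the genuine one is reported only when the legitimate host next speaks.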