Bugtraq mailing list archives
Re: Redir games with ARP and ICMP
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Sat, 20 Sep 1997 00:11:10 +0100
> all connected by Ethernet in some simple way (i.e. no switches, no smart hubs). You're on cat, you have root and desire to break into dog. You know that dog trusts rat, so if you can successfully spoof rat, something can be gained.

Actually, with a bit of care the ARP spoofing attack you describe works through simple MAC filtering devices. Not only that, but a switched network allows you to make purely unicast address attacks that the monitoring station won't see, as the LAN admin is himself switched from your packets... See below.

> router's. If it works (I'm not sure it always will, router's ARP implementation may be tougher to fool, and since I don't want to try it on real routers, I don't know, but there's no simple reason why not) you can

You can generally fool routers fairly easily too.

> from usual 1 min to about 10 min. By that time, most or all TCP connections are screwed up. Could be quite annoying. This way, one ARP packet can screw someone.

ARP is a poor choice for this IMHO. The 802.1 spanning tree algorithm used by bridges and switches to avoid loops has no protection either, and this allows you to shut down entire ports when you can do MAC level attacks rather than messing around host by host.

> screw up the entire network. It must be admitted, though, that gratuitous ARP is not really defined as a part of ARP, so it's up to the vendor to (not) implement it, and it's becoming increasingly less popular.

Gratuitous ARP is a required part of Mobile IP. It is an awkward case. The Linux approach is to always honour ATF_PERM flags. That is, if you create a permanent entry it will never be replaced by a learned one, even temporarily. That allows security-concerned people to hardcode addressing.

> Host Requirements RFC states that a system MUST follow ICMP redirects unless it's a router. And indeed all the systems I've tried happily accept it (except vanilla Linux 2.0.30, where it's broken; it works in 2.0.29 and 2.0.31pre9, according to Alan Cox).

Yep. That's simply a quirk of a bug. A Linux host (as opposed to a router) will, like everyone else, honour ICMP redirects unless you firewall or turn them off. A router never honours them (it's strictly forbidden).

> ICMP redirects present a rather potent DoS. Unlike ARP cache entries, those host routes won't expire with time. And of course no access to local

No. ICMP redirect host routes expire after a few minutes. The host has to do this so that a temporary situation does not cause a permanent change. If you are lucky enough to be on a switched network with a big netmask (class B or bigger) then you can also use ICMP host redirects against many boxes to add 65000+ routes to their tables. Unixes generally eat RAM and carry on, as they have good routing algorithms designed to cope with the backbones. Many "desktop OS" products use linear searches for their routes...

> The above ARP attack scheme works perfectly for plain old 10Base2 Ethernet. However, if machines are interconnected in some more advanced way, particularly using some smart hubs or switches, the attack can be more visible or even impossible (same goes for passive attacks). So there's yet another reason to invest in a good piece of network equipment. A good deal of peace of mind may just come with it.

A filtering hub lets you perform this attack: ping the two hosts you wish to snoop between. Using the MAC addresses you learn via ARP, send both a unicast ARP giving yourself as the answer for the other IP address. Route between the two yourself and log the frames. Better yet, the admin on another port is filtered from your unicast frames. Nothing they can see coming out of their hub is likely to show up the attack.

> compliant with RFC1122. Alas, it may not be easy. On Linux or any other OS with sources available, I can at least hack the kernel and #define it out. On Irix 6.2 and possibly other versions one can set icmp_dropredirects=1

On Linux you can firewall ICMP redirect packets specifically; ditto, I'm sure, *BSD. That makes it a single line command option.

> permanent. As a bonus, this will reduce network traffic somewhat. Standard procedures can be used to distribute the ARP map, e.g. rdist, rsync (I would say NIS, but if you use NIS, ARP is probably not your top security concern anyway). The old tradition of /etc/ethers can be brought back to life. But getting a kick-ass Ethernet switch still looks better to me (paying for it does not, though).

You have a fundamental problem, and this is why neither IPv6 nor BOOTP is any more secure against these forms of attack. Unless you burn keys into the ROMs or onto the disks of hosts by a non-IP method you will never be able to set up the first secure session to learn the others; you have a problem akin to a PGP web of trust with nobody else to trust. With IPv6 you can at least theoretically implement IP-ESP (encryption headers) even on link layer "neighbour discovery" packets. In IPv6 there is local IPv6 rather than ARP, thus one day we can crypt those too.

Alan
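A defender-side check for the static ARP map idea discussed in this thread, added here as an example and not code from the thread or its authors: it compares observed ARP replies against an /etc/ethers-style map and flags unicast or gratuitous replies that contradict it. The ethers text, the ArpReply record type and the sample replies are constructed for the example.

```python
from dataclasses import dataclass
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed /etc/ethers-style map (MAC then IP) an admin would distribute.
ETHERS = """\
00:00:0c:11:22:33 10.0.0.1   # router
08:00:20:aa:bb:cc 10.0.0.2   # dog
08:00:20:dd:ee:ff 10.0.0.3   # rat
"""

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # BROADCAST for a broadcast reply, else the unicast MAC

def parse_ethers(text):
    """Return {ip: mac} from /etc/ethers text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            table[fields[1]] = fields[0].lower()
    return table

def check_reply(reply, ethers):
    """Return None if the reply agrees with the static map, else a reason."""
    expected = ethers.get(reply.sender_ip)
    if expected is None:
        return "unknown sender IP %s" % reply.sender_ip
    if reply.sender_mac.lower() == expected:
        return None
    # Gratuitous ARP announces the sender's own IP; unicast replies never reach other ports.
    kind = "gratuitous" if reply.sender_ip == reply.target_ip else "unsolicited"
    scope = "broadcast" if reply.target_mac.lower() == BROADCAST else "unicast"
    return "%s %s ARP: %s claimed at %s, ethers says %s" % (
        kind, scope, reply.sender_ip, reply.sender_mac, expected)

def scan(replies, ethers):
    """Return [(reply, reason)] for every reply that contradicts the map."""
    checked = ((r, check_reply(r, ethers)) for r in replies)
    return [(r, reason) for r, reason in checked if reason]

# Constructed sample traffic: an honest reply, a unicast spoof aimed only at
# dog (claiming rat's IP), and a broadcast gratuitous ARP for the router.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "00:00:0c:11:22:33", "10.0.0.2", "08:00:20:aa:bb:cc"),
    ArpReply("10.0.0.3", "00:50:56:00:00:99", "10.0.0.2", "08:00:20:aa:bb:cc"),
    ArpReply("10.0.0.1", "00:50:56:00:00:99", "10.0.0.1", BROADCAST),
]
```

Feed it ARP replies captured on a monitoring port and the static map you distribute; the second sample shows why a unicast spoof only shows up where the target host itself (or a mirror of its port) is watched.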