Vulnerability Development mailing list archives
Re: ARP silliness w/ Cisco 675
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Tue, 28 Sep 1999 12:04:35 -0000
There is no real good way of defending against ARP spoofing. The ARP RFC states that when a host receives an ARP query for itself, it should enter the sender's address tuple into its ARP table so as to refrain from having to query for information that it has already, in effect, received. This means that most (all?) systems may be ARP-spoofed by sending spoofed queries to them instead of spoofed answers - the effect will be the same. This way, you don't have to worry about race conditions.

One way around this would be to NOT enter the sender's address tuple into the ARP table, but rather query for it every time and that way at least get the race condition "protection" (duh).

As noted earlier, you can at least get a warning message when an IP changes MAC address, which may grant you some protection. This however requires that the entries never time out, otherwise there's nothing to compare to.

It would seem to me that the only defense is to add static entries for every host ON every host (yuck).

Some quick ideas that probably won't work, but could be used as a starting point of discussion?:

1. Add a central system having a master list of MAC/IP tuples, which sends responses signed by an asymmetric cipher function. (Certificate) This could be a function in your router/firewall. This would require all hosts on the net to know the public key of the master system before they can communicate at all.

2. Stop sending to single addresses; start broadcasting everything instead. Yeah I know, sucky solution, it breaks switches. Don't tell me that "everyone will be able to snoop traffic" however, they can already do that.

3. When you receive a changed MAC address, query for the IP again and see what responses you receive in, say, 1 second. If any of the responses match what you already know, don't change your entry. This assumes that you already had the entry, of course, and that the entry you DO have is not that of an attacker, in which case you'd only be aiding the attacker.
*sigh* IMHO, you can't achieve perfect security over an ethernet LAN, the only way to increase security is to compartmentalize the network, utilizing at least a router, or perhaps a multi-NIC firewall. I'd say that the best you can do for a LAN is to log changes of MAC addresses and try to track down intruders and persuade them to cease and desist, utilizing your favourite aluminum bat. *g*

Regards,
/Mikael Olsson
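The post's central point is that the RFC 826 merge rule lets a spoofed ARP *request* poison a cache exactly as a spoofed reply would, and that the only in-host mitigations are logging MAC changes or pinning static entries. The following is an added, self-contained simulation written for this archive page (it is not code from Mikael Olsson or from the thread): it builds raw Ethernet/ARP frames, feeds them to a minimal ARP cache that implements the RFC 826 merge behaviour, and shows both the poisoning via a request and the two defences discussed (change logging, static entries). All MAC addresses, IP addresses and the `ArpCache` class are constructed for the example.

```python
"""ARP cache poisoning via a spoofed *request*, plus change logging and static entries.

Constructed example: the addresses below are documentation ranges, not real hosts.
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Ethernet II header + RFC 826 ARP body for Ethernet/IPv4 (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)       # SHA, SPA
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)       # THA, TPA
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields as a dict, or None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Minimal ARP table following the RFC 826 merge rule.

    Any ARP packet (request or reply) whose sender IP is already in the table
    overwrites that entry, which is exactly why a spoofed request is enough.
    Static entries are never overwritten; every change or rejection is logged.
    """

    def __init__(self, my_ip: str, static=None):
        self.my_ip = my_ip
        self.table = dict(static or {})
        self.static = set(static or {})
        self.events = []  # (kind, ip, old_mac, new_mac)

    def process(self, frame: bytes) -> None:
        arp = parse_arp_frame(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.table:
            if ip in self.static:
                if self.table[ip] != mac:
                    self.events.append(("rejected", ip, self.table[ip], mac))
                return
            if self.table[ip] != mac:
                # The arpwatch-style warning the post mentions: IP changed MAC.
                self.events.append(("changed", ip, self.table[ip], mac))
            self.table[ip] = mac
        elif arp["target_ip"] == self.my_ip:
            # A new binding is only learned from packets addressed to us.
            self.table[ip] = mac
            self.events.append(("learned", ip, None, mac))


def demo():
    """Victim with a dynamic cache vs. one with a static gateway entry."""
    victim_ip, victim_mac = "192.0.2.10", "02:00:00:00:00:10"
    gateway_ip, gateway_mac = "192.0.2.1", "02:00:00:00:00:01"
    attacker_mac = "02:00:00:00:00:99"

    # Legitimate reply from the real gateway, as seen after a normal lookup.
    good_reply = build_arp_frame(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip, dst_mac=victim_mac)
    # Attack: a broadcast *request* "who has 192.0.2.10? tell 192.0.2.1",
    # with the attacker's MAC in the sender field. No reply is needed.
    spoofed_request = build_arp_frame(ARP_REQUEST, attacker_mac, gateway_ip, "00:00:00:00:00:00", victim_ip)

    dynamic = ArpCache(victim_ip)
    dynamic.process(good_reply)
    dynamic.process(spoofed_request)

    static = ArpCache(victim_ip, static={gateway_ip: gateway_mac})
    static.process(spoofed_request)
    return dynamic, static


if __name__ == "__main__":
    dyn, sta = demo()
    print("dynamic cache:", dyn.table, dyn.events)
    print("static cache: ", sta.table, sta.events)
```

Running it shows the dynamic cache now maps the gateway's IP to the attacker's MAC after nothing but a broadcast request, with a "changed" event as the only trace; the static cache keeps the real gateway MAC and logs a "rejected" event instead. Note that the logging defence only works because the original entry was still present to compare against, which is the timeout caveat the post raises.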
Current thread:
- Re: ARP silliness w/ Cisco 675 Mikael Olsson (Sep 28)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 28)
- Re: ARP silliness w/ Cisco 675 Mikael Olsson (Sep 29)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 29)
- Re: ARP silliness w/ Cisco 675 Mikael Olsson (Sep 29)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 28)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 28)