Full Disclosure mailing list archives

Re: Static ARP Replies?

From: Darren Bounds <dbounds () intrusense com>
Date: Fri, 6 Aug 2004 10:17:21 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Dan,

What does it prevent exactly? It certainly doesn't prevent gratuitousARPs nor does it prevent someone from responding with their own ARPreplies. As far as I can tell, it's nothing more than a feeble attemptto route *ALL* traffic through the gateway including local subnettraffic. Easily subverted.



Thanks,

Darren Bounds, CISSP

443D 628D 0AC7 CACF 6085
C0E0 B2FC 534B 3D9E 69AF

- --
Intrusense - Securing Business As Usual



On Aug 5, 2004, at 11:15 PM, Dan Taylor, Jr. wrote:

I have encountered a few 802.11b public access points (I can't
remember the vendors, but they were for hotels) that seem to have
built-in ARP cache poisoning prevention.  I found it nonetheless
impressive and am looking for solutions to implement it (presumably
with my own wireless card and hostap drivers).

Here's what happens on one of these networks:

Say the AP's MAC address is DE:AD:C0:DE:CA:FE, with the IP of
192.168.1/255.255.255.0, and I send out an ARP request for hosts
192.168.1.2-254.

Say my MAC address is FE:ED:FA:CE:BE:EF, with the IP address of192.168.1.100--> ARP broadcast (source FE:ED:FA:CE:BE:EF destinationFF:FF:FF:FF:FF:FF)

--> Who has 192.168.1.2?  Tell 192.168.1.100

--< ARP Reply (source DE:AD:C0:DE:CA:FE, destination FE:ED:FA:CE:BE:EF)
--< 192.168.1.2 is at DE:AD:C0:DE:CA:FE

I'm assuming this is a rather effective way of not only preventing ARP
poisoning attacks, but making it so that all communication is
virtually done between the client and the access point).
Has anyone seen this feature implemented in any other access points?
To what extent does this work and/or it's behavior on layer-2
broadcasting or client to client (mac address to mac address)
communications?

Thanks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBE2vtsvxTSz2eaa8RAkuxAJ4nfkPZB4fzYyuRJVzgNbg3svARqgCePjTf
fzuZ7t1FOZku2hYTha53GJY=
=Fy2C
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Static ARP Replies? Dan Taylor, Jr. (Aug 05)
- Re: Static ARP Replies? Darren Bounds (Aug 06)
- Re: Static ARP Replies? Grishnav (Aug 07)