Snort mailing list archives

Re: Unicast ARP Request: Considered Harmful?


From: Kevin Le Gouguec <kevin.le-gouguec () insa-lyon fr>
Date: Mon, 19 May 2014 22:31:50 +0200 (CEST)

Thanks for your input!

I guess I sounded a bit desperate and/or maybe even accusative, so just to make things clear:

a) I don't doubt for a second that the author of the ARP preprocessor had a good reason for this unicast rule;
b) I have no stakes whatsoever in whether this rule is, has been, or ever will be relevant. I'm not even a network 
admin.

From the beginning this has purely been a matter of curiosity :)


(Okay I just finished this message and I think I should put a break here and warn that the following is mostly a rant. 
Not a mean one I swear! Well I don't know, I guess *nice* rants are oxymoronic but this one's more of an 
incredulous-sad-puppy rant. If that makes sense. Probably doesn't. Anyway. Please by all means skip the rest of this 
mail)

I mean there are probably lots of documented examples of rituals from, I don't know, ancient Mayan tribes for which we 
have no explanation; the evidence is there, they used to build these weird huge statues, but whatever reason they had 
for making those is lost on us because they never bothered documenting why they did that. And they built the last one 
more than a millennium ago. So there, knowledge lost.

But this is different. This rule is not even a century old, the guys who *did* have a use for it are probably still 
alive and can still remember the threat it answered to, even if now nobody cares because ARP polling is a thing and 
there are so many application layers stacked on each other where security can fail before having to dirty your hands at 
the link layer.

I can sort of imagine that there could be some fields in IT where someone's very highly specific code from the 80s 
could find its way into a popular Open Source project and no one has a clue as to what it was supposed to do. Network 
Intrusion Detection though? I can understand terse documentation, but I wrote this question mostly thinking I was a 
n00b without imagination or in need of enlightenment (I would totally have accepted "RTFM" as a means to enlightenment 
too, provided said Manual was linked). Asking a question nobody can provide an answer for does not make me less of a 
n00b of course, but now I have to file "Why were unicast ARP requests ever a threat to anyone?" along with "Is there 
free will?", "What comes after death?" and "What's the shape of the universe?".
And that just feels kinda wrong :/


Seriously though, I know I'm blowing this out of proportion, plus I really don't mean to spam this list, so I'll just 
go with "At some point somebody needed that because reasons". Thanks for putting up with me.




----- Original Message -----
From: "Patrick Mullen" <pmullen () sourcefire com>
To: "Kevin Le Gouguec" <kevin.le-gouguec () insa-lyon fr>
Cc: "Snort Sigs" <snort-sigs () lists sourceforge net>
Sent: Monday, May 19, 2014 6:44:11 PM
Subject: Re: [Snort-sigs] Unicast ARP Request: Considered Harmful?

Kevin,

You bring up very interesting points.  Without getting into technical
details, can we go with your answer of (paraphrasing) "why does anyone
care about this detection?"  This was written a very long time ago and
the threat landscape has changed.  My original claim to fame was the
first snort portscan preprocessor, written in 1999 but I'll be the
first to say nobody cares about portscans anymore.  :)

I don't mean to squash an interesting, technical discussion, but to
answer your question of why it exists I can't say much more than over
a decade ago someone thought it would be cool to write and since then
attack techniques have changed and many threats have completely
reversed direction.  A great example is back in 2004 we trusted Web
servers and spent our time blocking attackers against them.  We still
do that, of course, but these days more detection is centered around
blocking malicious content coming FROM Web servers than the other way
around.

If you have further questions, I'd be more than happy to help out
where I can, but generally speaking I wouldn't enable ARP spoof
detection and wouldn't worry about it.


Thanks,

~Patrick

On Sun, May 18, 2014 at 5:33 PM, Kevin Le Gouguec
<kevin.le-gouguec () insa-lyon fr> wrote:
My point exactly! So what's the purpose of this rule since there are so many legitimate uses for unicast ARP?

And the attack scenario I just described does not even necessitate unicast ARP. Looking again at the algorithm, the 
host only updates its translation table if a) the pair "IP address/MAC address" is already in its table or b) its IP 
is the one specified. So you can run the "attack" I described with broadcast requests, which means this rule about 
unicast ARP requests does not protect against that.

So I still don't understand the purpose of this rule :/

(I suppose this is somewhat insolent but I tried asking Jeff Nathan about this rule since he seems to have written 
it. Neither jeff () snort org nor jeff () wwti com work...)


<SNIP>

-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
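
Editor's added example (not code from the thread, from Snort, or from the Sourcefire VRT): a toy model of the RFC 826 receive-side ARP cache update that Kevin summarizes in his earlier message, next to the one check the thread is about (an ARP request whose Ethernet destination is not the broadcast MAC). The scenario is constructed: the victim already has a cache entry for the gateway, and a frame claiming the gateway's IP with a different MAC is addressed to a third IP, so only the "already in my table" merge step fires. Run once with a unicast frame and once with a broadcast frame, the cache entry is overwritten either way, while the unicast check fires only on the first. All IPs are from the 192.0.2.0/24 documentation range and all MACs are locally administered placeholders.

```python
# Added example, not from the original thread or the Snort project.
# Toy model of the RFC 826 receive algorithm (hardware/protocol type checks
# omitted) plus a "unicast ARP request" predicate, used to check the point
# made in the thread: a spoofed *broadcast* request updates an existing cache
# entry exactly like a unicast one, so the unicast check does not cover it.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2


@dataclass
class ArpFrame:
    eth_dst: str      # Ethernet destination MAC
    eth_src: str      # Ethernet source MAC
    opcode: int       # REQUEST or REPLY
    sender_mac: str   # ar$sha
    sender_ip: str    # ar$spa
    target_mac: str   # ar$tha (zero in a request)
    target_ip: str    # ar$tpa


@dataclass
class Host:
    ip: str
    mac: str
    table: dict = field(default_factory=dict)  # translation table: ip -> mac

    def receive(self, f: ArpFrame):
        """RFC 826 receive path. Returns the reply frame if one is sent, else None."""
        merge = False
        # Step 1: if the sender IP is already known, overwrite its MAC (no matter
        # who the frame was addressed to, and before the opcode is examined).
        if f.sender_ip in self.table:
            self.table[f.sender_ip] = f.sender_mac
            merge = True
        # Step 2: only frames targeting my IP go any further.
        if f.target_ip != self.ip:
            return None
        if not merge:
            self.table[f.sender_ip] = f.sender_mac
        # Step 3: answer requests.
        if f.opcode == REQUEST:
            return ArpFrame(eth_dst=f.sender_mac, eth_src=self.mac, opcode=REPLY,
                            sender_mac=self.mac, sender_ip=self.ip,
                            target_mac=f.sender_mac, target_ip=f.sender_ip)
        return None


def is_unicast_request(f: ArpFrame) -> bool:
    """The check discussed in the thread: an ARP request not sent to the broadcast MAC."""
    return f.opcode == REQUEST and f.eth_dst.lower() != BROADCAST


def cache_overwrite_demo(unicast: bool):
    """Constructed scenario (hypothetical addresses): the victim already maps the
    gateway 192.0.2.1 to 02:..:01; a frame claims 192.0.2.1 is at 02:..:66 and is
    addressed to a third IP, so only the merge step of RFC 826 applies.
    Returns (gateway MAC now in the victim's cache, did the unicast check fire)."""
    victim = Host("192.0.2.10", "02:00:00:00:00:10",
                  {"192.0.2.1": "02:00:00:00:00:01"})
    spoofing_mac = "02:00:00:00:00:66"
    frame = ArpFrame(
        eth_dst=victim.mac if unicast else BROADCAST,
        eth_src=spoofing_mac, opcode=REQUEST,
        sender_mac=spoofing_mac, sender_ip="192.0.2.1",
        target_mac="00:00:00:00:00:00", target_ip="192.0.2.99")
    victim.receive(frame)
    return victim.table["192.0.2.1"], is_unicast_request(frame)


def normal_resolution_demo():
    """Sanity check of the model: an ordinary broadcast request for the host's own
    IP adds a new entry and gets a unicast reply."""
    host = Host("192.0.2.10", "02:00:00:00:00:10")
    req = ArpFrame(BROADCAST, "02:00:00:00:00:20", REQUEST,
                   "02:00:00:00:00:20", "192.0.2.20",
                   "00:00:00:00:00:00", "192.0.2.10")
    reply = host.receive(req)
    return host.table.get("192.0.2.20"), reply.opcode, reply.eth_dst


if __name__ == "__main__":
    print("unicast  :", cache_overwrite_demo(True))
    print("broadcast:", cache_overwrite_demo(False))
```

The interesting line is the first `if` in `receive`: the overwrite happens before the target IP or the opcode is examined, which is why the Ethernet destination of the request makes no difference to the outcome.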
