Vulnerability Development mailing list archives

Re: ARP silliness w/ Cisco 675


From: tschroed () ACM ORG (Trevor Schroeder)
Date: Wed, 29 Sep 1999 08:43:53 -0500


On Wed, 29 Sep 1999, Mikael Olsson wrote:

> [Requerying addresses every time you get a question]
> That's icky.
>
> But it's the only protection you'll ever have if you don't already
> have an entry.

Why do anything?  What if you don't want to talk to that host, why bother
to send an ARP query.  Send it out if and when you need to talk to the
host.  You sending out an ARP query upon receipt of an unsolicited ARP is
almost as bad as simply accepting it.  Your attacker knows that he or she
has a set window of time within which they may respond and within which
they must keep others from responding.   That beats the previous game where
unknown addresses may be ARPed for at virtually any time.

> IPSec prevents sniffing and impersonation (using both AH and ESP as
> you pointed out later on), but it does NOT prevent DoSing the
> poor bastards with wild ARP spoofing.

But who cares?  The system can be DoSed only so long as the attacker keeps
sending out ARPs.  Generally a bad thing since they're being pretty noisy.
Besides, we'll notice it drop off line and go to see what's up.  Certainly
better than having all our traffic captured clandestinely and in the clear.

> I have to wonder though, when you say "checks the old MAC to see if
> it still claims the IP", do you mean that it sends out a directed ARP

Yup.

> 1. Intruder races for the response, which says "No MAC Addr". This
>    is compliant with RFC 1868, "UNARP". The response basically has
>    HWAddrLen=0.

hmmm... I'll have to take a look at this.

> 2. Intruder races for the response, which says that the hw addr for
>    the IP is the hw addr of the intruder.

If you have it time based (ugh), you simply wait for the original owner to
respond within a fixed time.  Therefore as long as the original box
responds within 15 ms (or whatever), it has precedence.

Now if your intruder can keep your box deaf or mute for 15 ms, then you've
got a problem.

> 3. Intruder floods the network of either host to the point where
>    either the query to the old host or the response from it gets
>    blocked. Remember that the intruder doesn't have to flood the
>    network for very long, and that this attack doesn't have to
>    work the first time.

This might be interesting to try.  After all, after 32 retries, your
frame's dead.  On the other hand, I wonder how reliable it would be in a
switched environment.  Your switch may have some sort of fair queueing, in
which case the correct ARP is almost sure to get through.

> 4. Crash the original host, or make it consume lots and lots of CPU
>    power for a while. This way, it won't respond to the safety query.

No stopping the crash.  CPU crunching is probably pretty doable, spam their
sendmail or cgi-bin or something.

> 5. Crash the original host and wait for the ARP entry pointing
>    to it to die from itself. This could be circumvented

If your box is that unstable, all bets are off.  Someone could even crash it
and reconfigure their interface with its MAC address.  Though again, it
would hopefully be noticed.

(Though not necessarily... ie, I could take out your DNS server and bring
up another within a few seconds and nobody would probably notice, but
that'd be a Really Bad Deal for every service that relies on DNS being
right for ACLs (ie, misconfigured TCP wrappers))

>    if all ARP entries never timed out. Again, this might lead

blurgh.
:)

> Also, a real problem with these "sticky" ARPs is that once an
> intruder gets hold of an IP address, it'll actually work
> to his/her advantage.

Ditto with Linux's opportunity for the original holder to maintain first
dibs.  What it really comes down to is this:  without any way to
authenticate the owner of an IP address, the proper owner is whoever claims
it first.  If that's an attacker, too bad, no way to prove it.  You want
better proof of identity, get IPsec and certificates.
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought: What the hell--better men than I have risked their heads    :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................:
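The cache policy argued over in this thread (ignore unsolicited replies for addresses you never asked for; when a reply contradicts an existing entry, send a directed ARP query to the MAC you already trust and give it a short window, 15 ms here, to keep precedence; treat an UNARP with HWAddrLen=0 as a claim to be verified rather than an order to delete) is easy to state and easy to get subtly wrong, so the following is an added, self-contained simulation of it. It is example code written for this page, not code from either poster, from Linux or from the Cisco 675. Every name in it is an assumption: MAC and IP addresses, the `clock`/`send` callbacks that stand in for a real timer and NIC, and the constructed packet sequence in `simulate`, which plays out Mikael's attacks 1 (UNARP race) and 2 (intruder races the safety query), and attack 3/4 when the original owner is prevented from answering in time.

```python
"""Simulated ARP cache that verifies the current owner before replacing an entry (example code)."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# Constructed addresses for the scenario (assumptions, not from the thread).
ME, MY_IP = bytes.fromhex("020000000001"), bytes([10, 0, 0, 2])
VICTIM, VICTIM_IP = bytes.fromhex("020000000002"), bytes([10, 0, 0, 1])
ATTACKER, UNKNOWN_IP = bytes.fromhex("020000000066"), bytes([10, 0, 0, 99])


def build_arp(oper, sha, spa, tha, tpa):
    """Encode an ARP body (RFC 826 layout). hlen=0 with empty sha/tha yields an RFC 1868 UNARP."""
    return struct.pack("!HHBBH", 1, 0x0800, len(sha), len(spa), oper) + sha + spa + tha + tpa


def parse_arp(buf):
    """Decode an ARP body into (oper, sha, spa, tha, tpa), honouring hlen/plen; rejects trailing bytes."""
    _, _, hlen, plen, oper = struct.unpack("!HHBBH", buf[:8])
    fields, off = [], 8
    for n in (hlen, plen, hlen, plen):
        fields.append(buf[off:off + n])
        off += n
    if off != len(buf):
        raise ValueError("bad ARP length")
    return (oper, *fields)


class VerifyingArpCache:
    """ARP cache of one host. clock() returns seconds; send(dst_mac, body) transmits a frame."""

    def __init__(self, my_mac, my_ip, clock, send, window=0.015):
        self.my_mac, self.my_ip, self.clock, self.send, self.window = my_mac, my_ip, clock, send, window
        self.table = {}     # ip -> mac we currently trust
        self.asked = set()  # ips with an outstanding request of ours (replies to these are solicited)
        self.pending = {}   # ip -> (old_mac, candidate_mac or None for UNARP, deadline)
        self.log = []

    def resolve(self, ip):
        """Only query for an address when we actually need to talk to it."""
        self.asked.add(ip)
        self.send(BROADCAST, build_arp(ARP_REQUEST, self.my_mac, self.my_ip, b"\0" * 6, ip))

    def _expire(self):
        """Windows that closed without the old owner answering: the contender wins (or the entry dies)."""
        now = self.clock()
        for ip, (old, cand, deadline) in list(self.pending.items()):
            if now >= deadline:
                del self.pending[ip]
                if cand is None:
                    del self.table[ip]
                    self.log.append(("unarp-accepted", ip))
                else:
                    self.table[ip] = cand
                    self.log.append(("replaced", ip, old, cand))

    def _verify(self, ip, candidate):
        old = self.table[ip]
        self.pending[ip] = (old, candidate, self.clock() + self.window)
        # Directed (unicast) request to the MAC we trust now: only a reply from it keeps the entry.
        self.send(old, build_arp(ARP_REQUEST, self.my_mac, self.my_ip, old, ip))

    def handle(self, body):
        self._expire()
        oper, sha, spa, tha, tpa = parse_arp(body)
        if oper == ARP_REQUEST:
            if tpa == self.my_ip and sha:
                self.send(sha, build_arp(ARP_REPLY, self.my_mac, self.my_ip, sha, spa))
            return  # learn nothing from other people's requests
        if oper != ARP_REPLY:
            return
        ip = spa
        if ip in self.pending:
            if sha == self.pending[ip][0]:  # original owner answered inside the window: it has precedence
                del self.pending[ip]
                self.log.append(("spoof-rejected", ip))
            return  # anything else, including an UNARP (sha == b"") racing the query, is ignored
        if ip in self.table:
            if sha != self.table[ip]:  # conflicting MAC, or UNARP: ask the old owner before believing it
                self._verify(ip, None if sha == b"" else sha)
        elif ip in self.asked and sha:
            self.asked.discard(ip)
            self.table[ip] = sha  # first claimant wins: there is no way to authenticate it
        else:
            self.log.append(("unsolicited-ignored", ip))


def simulate(old_owner_answers):
    """Constructed scenario: attacker claims VICTIM_IP; does the real owner answer the safety query?"""
    now, sent = [0.0], []
    cache = VerifyingArpCache(ME, MY_IP, lambda: now[0], lambda dst, body: sent.append((dst, body)))
    cache.resolve(VICTIM_IP)
    cache.handle(build_arp(ARP_REPLY, VICTIM, VICTIM_IP, ME, MY_IP))    # solicited reply: learned
    cache.handle(build_arp(ARP_REPLY, ATTACKER, VICTIM_IP, ME, MY_IP))  # unsolicited, conflicting: verify
    cache.handle(build_arp(ARP_REPLY, b"", VICTIM_IP, b"", MY_IP))      # attack 1: UNARP racing the query
    if old_owner_answers:
        now[0] += 0.005
        cache.handle(build_arp(ARP_REPLY, VICTIM, VICTIM_IP, ME, MY_IP))
    now[0] += 0.020                                                     # window closes either way
    cache.handle(build_arp(ARP_REPLY, ATTACKER, UNKNOWN_IP, ME, MY_IP))  # never asked for: dropped
    return cache.table.get(VICTIM_IP), cache.log, sent
```

Run `simulate(True)` and `simulate(False)` to see the two outcomes the thread argues about: with the original owner answering within the window the table keeps VICTIM and the log records the rejected spoof; keep it deaf or mute past the deadline (attacks 3 and 4) and the contender's MAC is installed, exactly as Trevor concedes. The `sent` list shows the only two frames this host ever emits, the original broadcast and the directed safety query, so the attacker does learn when the window opens.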
