Vulnerability Development mailing list archives

Re: fooling hubs [ARP Spoofing]


From: tschroed () ZWEKNU ORG (Trevor Schroeder)
Date: Sat, 5 Feb 2000 01:27:34 -0500


On Fri, 4 Feb 2000, Robert van der Meulen wrote:

Did you ever try taking on the MAC address of somebody else (near you, in a
geographical sense), and tcpdumping the connection?

Let's redefine near to be "near you, in a network sense."  i.e., someone on
the same LAN segment.  Near on the network may not mean near,
geographically.  After all, with 100 meter runs, you could have two
devices on the same physical net, but 200 meters apart.  Add in repeaters
or, god forbid, fiber, and they could be even further yet.  Geographic
nearness and network nearness do not directly correspond.

Chances are that you'd be getting inbound traffic, aimed at the other person,
but arriving at your pc - in my opinion, _that_ is a bug :)

I don't think it is.  ARP is designed to be simple.  It excels at that.
Just looking at the layout of the frame is enough to tell you how it
works.  It's simple enough that even the dumbest embedded device can use
it. etc. etc.

The problem arises when you expect it to be secure.  Historically, LANs
have not been considered anything like secure.  I mean, who cares if you
can do ARP redirection on a *shared media* network.  It really doesn't
gain you much.  So why go to all the effort of making ARP an authenticated
protocol?

Now in the hairy scary days, there needs to be some authentication
mechanism.  I still don't think it's needed at the ARP level.  Use network layer
authentication and encryption (i.e., IPsec) if you want to verify that
someone is who they say they are and that the communication is truly
private.

For the truly paranoid, you can always do network segmentation, VPNs, and
static ARP entries.  And of course, network-layer encryption/auth.
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought: What the hell--better men than I have risked their heads    :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................:
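
The frame layout and the static-entry mitigation discussed in the message above, as an added example that is not part of the original post: it decodes the RFC 826 Ethernet/IPv4 ARP payload (which carries no authentication field) and flags claims that contradict a pinned IP-to-MAC table. The function names, addresses and sample frames are constructed for illustration.

```python
import struct

# RFC 826 payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP. Nothing authenticates the sender.
ARP_FMT = "!HHBBH6s4s6s4s"  # 28 bytes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload; None if it is anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac(sha), "spa": ip(spa),
            "tha": mac(tha), "tpa": ip(tpa)}

def check_bindings(payloads, static_table):
    """Alert when a claimed sender IP/MAC pair contradicts a pinned (static)
    entry or an earlier claim seen in the same capture."""
    learned = dict(static_table)
    alerts = []
    for p in payloads:
        a = parse_arp(p)
        if a is None:
            continue
        known = learned.get(a["spa"])
        if known is None:
            learned[a["spa"]] = a["sha"]      # first sighting, remember it
        elif known != a["sha"]:
            kind = "static" if a["spa"] in static_table else "learned"
            alerts.append(
                f"{a['spa']}: {kind} binding {known} contradicted by {a['sha']}")
    return alerts

def build(oper, sha, spa, tha, tpa):
    """Helper that constructs a sample payload (test data only)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(sha),
                       bytes(spa), bytes.fromhex(tha), bytes(tpa))

# Constructed capture: a reply matching the pinned entry, a reply claiming
# the same IP from a different MAC, and an ordinary request.
STATIC = {"192.0.2.1": "02:00:00:00:00:01"}
SAMPLE = [
    build(2, "020000000001", [192, 0, 2, 1], "020000000002", [192, 0, 2, 10]),
    build(2, "020000000066", [192, 0, 2, 1], "020000000002", [192, 0, 2, 10]),
    build(1, "020000000002", [192, 0, 2, 10], "000000000000", [192, 0, 2, 1]),
]
```
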

